From Fedora Project Wiki
Revision as of 18:16, 28 September 2020

DNS Over TLS

Summary

Fedora will attempt to use DNS over TLS (DoT) if supported by configured DNS servers.

Owner

Current status

  • Targeted release: Fedora 34
  • Last updated: 2020-09-28
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

We will build systemd with -Ddefault-dns-over-tls=opportunistic to protect DNS queries against passive. An active network attacker can trivially subvert this b

Note that DoT is different from DNS over HTTPS (DoH). In particular, DoT is not an anti-censorship tool. It does not look like regular HTTPS traffic, and can be blocked by network administrators if desired.

Feedback

Benefit to Fedora

DNS queries are encrypted and private by default, if the user's ISP supports DNS over TLS. Most probably don't, but users who manually configure a custom DNS server (e.g. Cloudflare or Google) will automatically benefit from DNS over TLS.

Scope

  • Proposal owners: change meson flags in systemd.spec
  • Other developers: N/A (nothing should be required)
  • Release engineering: #9772 (a check of the impact with Release Engineering is needed)
  • Policies and guidelines: N/A (nothing should be required)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: Nope

Upgrade/compatibility impact

DoT will be enabled automatically on upgrade to F34. If DoT is unsupported, systemd-resolved will fall back to unencrypted DNS, so there should be no compatibility impact.

How To Test

TODO

User Experience

Users should not notice any difference in behavior, unless checking how DNS is sent in Wireshark.
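Since the "How To Test" section is still a TODO and the "User Experience" section points at inspecting the wire in Wireshark, here is a small POSIX shell script that covers both checks offline. It is an added example, not part of the Change page or of systemd's own tooling. It determines the effective DNSOverTLS= setting across resolved.conf and its drop-ins (last assignment wins, which is how systemd reads its drop-in directories), and it classifies tcpdump summary lines by destination port, 853 for DoT and 53 for plaintext. The file paths, the drop-in contents and the capture lines are all constructed for the example; the `DNS=ip#servername` form in the strict drop-in needs systemd 246 or later.

```shell
#!/bin/sh
# Added example for the "How To Test" and "User Experience" sections; it is not
# part of the Fedora Change page. File paths and sample data are constructed.
set -eu

# Effective DNSOverTLS= value. systemd-resolved reads the main file first, then
# every *.conf in the drop-in directory in lexical order; the last assignment
# wins. If nothing sets it, the compiled-in default applies ("opportunistic"
# with this Change, "no" before it); pass that default as the optional 3rd arg.
effective_dot_mode() {
    main="$1"; dropin_dir="$2"; mode=""
    for f in "$main" "$dropin_dir"/*.conf; do
        [ -f "$f" ] || continue
        # keep only uncommented "DNSOverTLS = value" lines; value ends at space or '#'
        v=$(sed -n 's/^[[:space:]]*DNSOverTLS[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then mode="$v"; fi
    done
    printf '%s\n' "${mode:-${3:-opportunistic}}"
}

# Count DNS flows by destination port in `tcpdump -nn` summary lines read from
# stdin. Port 853 is DoT (TLS-wrapped), port 53 is plaintext DNS. A system in
# opportunistic mode that really negotiated DoT shows port 853 only; plaintext
# on port 53 means the resolver fell back (no DoT support, or a downgrade).
dns_port_summary() {
    awk '
        / IP6? / {
            port = ""
            for (i = 1; i <= NF; i++)
                if ($i == ">") { dst = $(i + 1); sub(/:$/, "", dst); n = split(dst, p, "."); port = p[n] }
            if (port + 0 == 853) dot++; else if (port + 0 == 53) plain++
        }
        END { printf "dot=%d plain=%d\n", dot, plain }'
}

# --- constructed demonstration data (not taken from a real system) ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/resolved.conf.d"

# Stock file: everything commented out, so the compiled-in default applies.
cat > "$demo/resolved.conf" <<'EOF'
[Resolve]
#DNSOverTLS=no
EOF

# Strict mode drop-in: refuse servers that do not offer TLS and pin the server
# name used for certificate validation. Unlike "opportunistic", this also
# defeats an active attacker stripping TLS, at the cost of failing on resolvers
# without DoT (resolved.conf(5), DNSOverTLS= and DNS=).
cat > "$demo/resolved.conf.d/10-strict-dot.conf" <<'EOF'
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
EOF

printf 'effective mode: %s\n' "$(effective_dot_mode "$demo/resolved.conf" "$demo/resolved.conf.d")"  # yes

# Constructed `tcpdump -nn` lines: three TLS handshakes to port 853, one plain query.
SAMPLE_CAPTURE='10:00:01.000000 IP 192.168.1.10.41234 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
10:00:01.010000 IP 192.168.1.10.41235 > 1.0.0.1.853: Flags [S], seq 2, win 64240, length 0
10:00:02.000000 IP 192.168.1.10.53123 > 192.168.1.1.53: 12345+ A? example.com. (29)
10:00:03.000000 IP6 2001:db8::10.41236 > 2606:4700:4700::1111.853: Flags [S], seq 3, win 64800, length 0'
printf '%s\n' "$SAMPLE_CAPTURE" | dns_port_summary  # dot=3 plain=1
```

On a live F34 box the same two functions can be pointed at the real files (`/etc/systemd/resolved.conf` and `/etc/systemd/resolved.conf.d`) and fed from `tcpdump -nni any 'port 53 or port 853'` while running a few `resolvectl query` lookups; `resolvectl status` shows the per-link DNSOverTLS state that resolved actually applied. Seeing only port 853 confirms DoT is in use; seeing port 53 with an opportunistic setting is the expected fallback and not a bug, which is exactly why the strict drop-in above is the setting to compare against.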

Dependencies

No dependencies.

Contingency Plan

  • Contingency mechanism: revert the change
  • Contingency deadline: F34 beta freeze
  • Blocks release? No
  • Blocks product? No

Documentation

See the section DNSOverTLS= in the manpage resolved.conf(5).

Release Notes

TODO