systemd/docs/RESOLVED-VPNS.md
Zbigniew Jędrzejewski-Szmek 8e3fee33af Revert "docs: use collections to structure the data"
This reverts commit 5e8ff010a1.

This broke all the URLs, we can't have that. (And actually, we probably don't
_want_ to make the change either. It's nicer to have all the pages in one
directory, so one doesn't have to figure out to which collection the page
belongs.)
2024-02-23 09:48:47 +01:00

269 lines
15 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: systemd-resolved and VPNs
category: Networking
layout: default
SPDX-License-Identifier: LGPL-2.1-or-later
---
# `systemd-resolved.service` and VPNs
`systemd-resolved.service` supports routing lookups for specific domains to specific
interfaces. This is useful for hooking up VPN software with systemd-resolved
and making sure the exact right lookups end up on the VPN and on the other
interfaces.
For a verbose explanation of `systemd-resolved.service`'s domain routing logic,
see its [man
page](https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html). This
document is supposed to provide examples to use the concepts for the specific
purpose of managing VPN DNS configuration.
Let's first define two distinct VPN use-cases:
1. *Corporate* VPNs, i.e. VPNs that open access to a specific set of additional
hosts. Only specific domains should be resolved via the VPN's DNS servers,
and everything that is not related to the company's domain names should go
to regular, non-VPN DNS instead.
2. *Privacy* VPNs, i.e. VPNs that should be used for basically all DNS traffic,
once they are up. If this type of VPN is used, any regular, non-VPN DNS
servers should not get any traffic anymore.
Then, let's briefly introduce three DNS routing concepts that software managing
a network interface may configure.
1. Search domains: these are traditional DNS configuration parameters and are
used to suffix non-qualified domain names (i.e. single-label ones), to turn
them into fully qualified domain names. Traditionally (before
`systemd-resolved.service`), search domain names are attached to a system's
IP configuration as a whole, in `systemd-resolved.service` they are
associated to individual interfaces instead, since they are typically
acquired through some network associated concept, such as a DHCP, IPv6RA or
PPP lease. Most importantly though: in `systemd-resolved.service` they are
not just used to suffix single-label domain names, but also for routing
domain name lookups: if a network interface has a search domain `foo.com`
configured on it, then any lookups for names ending in `.foo.com` (or for
`foo.com` itself) are preferably routed to the DNS servers configured on the
same network interface.
2. Routing domains: these are very similar to search domains, but are purely
about DNS domain name lookup routing — they are not used for qualifying
single-label domain names. When it comes to routing, assigning a routing
domain to a network interface is identical to assigning a search domain to
it.
Why the need to have both concepts, i.e. search *and* routing domains?
Mostly because in many cases the qualifying of single-label names is not
desirable (as it has security implications), but needs to be supported for
specific use-cases. Routing domains are a concept `systemd-resolved.service`
introduced, while search domains are traditionally available and are part of
DHCP/IPv6RA/PPP leases and thus universally supported. In many cases routing
domains are probably the more appropriate concept, but not easily available,
since they are not part of DHCP/IPv6RA/PPP.
Routing domains for `systemd-resolved.service` are usually presented along
with search domains in mostly the same way, but prefixed with `~` to
differentiate them. i.e. `~foo.com` is a configured routing domain, while
`foo.com` would be a configured search domain.
One routing domain is particularly interesting: `~.` — the catch-all routing
domain. (The *dot* domain `.` is how DNS denotes the "root" domain, i.e. the
parent domain of all domains, but itself.) When used on an interface any DNS
traffic is preferably routed to its DNS servers. (A search domain i.e. `.`
instead of `~.` — would have the same effect, but given that it's mostly
pointless to suffix an unqualified domain with `.`, we generally declare it
as a routing domain, not a search domain).
Routing domains also have particular relevance when it comes to the reverse
lookup DNS domains `.in-addr.arpa` and `.ip6.arpa`. An interface that has
these (or sub-domains thereof) defined as routing domains, will be preferably
used for doing reverse IP to domain name lookups. e.g. declaring
`~168.192.in-addr.arpa` on an interface means that all lookups to find the
domain names for IPv4 addresses 192.168.x.y are preferably routed to it.
3. The `default-route` boolean. This is a simple boolean value that may be set
on an interface. If true (the default), any DNS lookups for which no
matching routing or search domains are defined are routed to interfaces
marked like this. If false then the DNS servers on this interface are not
considered for routing lookups to except for the ones listed in the
search/routing domain list. An interface that has no search/routing domain
associated and also has this boolean off is not considered for *any*
lookups.
One more thing to mention: in `systemd-resolved.service` if lookups match the
search/routing domains of multiple interfaces at once, then they are sent to
all of them in parallel, and the first positive reply used. If all lookups fail
the last negative reply is used. This means the DNS zones on the relevant
interfaces are "merged": domains existing on one but not the other will "just
work" and vice versa.
And one more note: the domain routing logic implemented is a tiny bit more
complex that what described above: if there two interfaces have search domains
that are suffix of each other, and a name is looked up that matches both, the
interface with the longer match will win and get the lookup routed to is DNS
servers. Only if the match has the same length, then both will be used in
parallel. Example: one interface has `~foo.example.com` as routing domain, and
another one `example.com` has search domain. A lookup for
`waldo.foo.example.com` is the exclusively routed to the first interface's DNS
server, since it matches by three suffix labels instead of just two. The fact
that the matching length is taken into consideration for the routing decision
is particularly relevant if you have one interface with the `~.` routing domain
and another one with `~corp.company.example` — both suffixes match a lookup for
`foo.corp.company.example`, but the latter interface wins, since the match is
for four labels, while the other is for zero labels.
## Putting it Together
Let's discuss how the three DNS routing concepts above are best used for a
reasonably complex scenario consisting of:
1. One VPN interface of the *corporate* kind, maybe called `company0`. It makes
available a bunch of servers, all in the domain `corp.company.example`.
2. One VPN interface of the *privacy* kind, maybe called `privacy0`. When it is
up all DNS traffic shall preferably routed to its DNS servers.
3. One regular WiFi interface, maybe called `wifi0`. It has a regular DNS
server on it.
Here's how to best configure this for `systemd-resolved.service`:
1. `company0` should get a routing domain `~corp.company.example`
configured. (A search domain `corp.company.example` would work too, if
qualifying of single-label names is desired or the VPN lease information
does not provide for the concept of routing domains, but does support search
domains.) This interface should also set `default-route` to false, to ensure
that really only the DNS lookups for the company's servers are routed there
and nothing else. Finally, it might make sense to also configure a routing
domain `~2.0.192.in-addr.arpa` on the interface, ensuring that all IPv4
addresses from the 192.0.2.x range are preferably resolved via the DNS
server on this interface (assuming that that's the IPv4 address range the
company uses internally).
2. `privacy0` should get a routing domain `~.` configured. The setting of
`default-route` for this interface is then irrelevant. This means: once the
interface is up, all DNS traffic is preferably routed there.
3. `wifi0` should not get any special settings, except possibly whatever the
local WiFi router considers suitable as search domain, for example
`fritz.box`. The default `true` setting for `default-route` is good too.
With this configuration if only `wifi0` is up, all DNS traffic goes to its DNS
server, since there are no other interfaces with better matching DNS
configuration. If `privacy0` is then upped, all DNS traffic will exclusively go
to this interface now — with the exception of names below the `fritz.box`
domain, which will continue to go directly to `wifi0`, as the search domain
there says so. Now, if `company0` is also upped, it will receive DNS traffic
for the company's internal domain and internal IP subnet range, but nothing
else. If `privacy0` is then downed again, `wifi0` will get the regular DNS
traffic again, and `company0` will still get the company's internal domain and
IP subnet traffic and nothing else. Everything hence works as intended.
## How to Implement this in Your VPN Software
Most likely you want to expose a boolean in some way that declares whether a
specific VPN is of the *corporate* or the *privacy* kind:
1. If managing a *corporate* VPN, you configure any search domains the user or
the VPN contact point provided. And you set `default-route` to false. If you
have IP subnet information for the VPN, it might make sense to insert
`~….in-addr.arpa` and `~….ip6.arpa` reverse lookup routing domains for it.
2. If managing a *privacy* VPN, you include `~.` in the routing domains, the
value for `default-route` is actually irrelevant, but I'd set it to true. No
need to configure any reverse lookup routing domains for it.
(If you also manage regular WiFi/Ethernet devices, just configure them as
traditional, i.e. with any search domains as acquired, do not set `~.` though,
and do not disable `default-route`.)
## The APIs
Now we determined how we want to configure things, but how do you actually get
the configuration to `systemd-resolved.service`? There are three relevant
interfaces:
1. Ideally, you use D-Bus and talk to [`systemd-resolved.service`'s D-Bus
API](https://www.freedesktop.org/software/systemd/man/org.freedesktop.resolve1.html)
directly. Use `SetLinkDomains()` to set the per-interface search and routing
domains on the interfaces you manage, and `SetLinkDefaultRoute()` to manage
the `default-route` boolean, all on the `org.freedesktop.resolve1.Manager`
interface of the `/org/freedesktop/resolve1` object.
2. If that's not in the cards, you may shell out to
[`resolvectl`](https://www.freedesktop.org/software/systemd/man/resolvectl.html),
which is a thin wrapper around the D-Bus interface mentioned above. Use
`resolvectl domain <iface> …` to set the search/routing domains and
`resolvectl default-route <iface> …` to set the `default-route` boolean.
Example use from a shell callout of your VPN software for a *corporate* VPN:
resolvectl domain corporate0 '~corp-company.example' '~2.0.192.in-addr.arpa'
resolvectl default-route corporate0 false
resolvectl dns corporate0 192.0.2.1
Example use from a shell callout of your VPN software for a *privacy* VPN:
resolvectl domain privacy0 '~.'
resolvectl default-route privacy0 true
resolvectl dns privacy0 8.8.8.8
3. If you don't want to use any `systemd-resolved` commands, you may use the
`resolvconf` wrapper we provide. `resolvectl` is actually a multi-call
binary and may be symlinked to `resolvconf`, and when invoked like that
behaves in a way that is largely compatible with FreeBSD's and
Ubuntu's/Debian's
[`resolvconf(8)`](https://manpages.ubuntu.com/manpages/trusty/man8/resolvconf.8.html)
tool. When the `-x` switch is specified, the `~.` routing domain is
automatically appended to the domain list configured, as appropriate for a
*privacy* VPN. Note that the `resolvconf` interface only covers *privacy*
VPNs and regular network interfaces (such as WiFi or Ethernet) well. The
*corporate* kind of VPN is not well covered, since the interface cannot
propagate the `default-route` boolean, nor can be used to configure the
`~….in-addr.arpa` or `~.ip6.arpa` routing domains.
## Ordering
When configuring per-interface DNS configuration settings it is wise to
configure everything *before* actually upping the interface. Once the interface
is up `systemd-resolved.service` might start using it, and hence it's important
to have everything configured properly (this is particularly relevant when
LLMNR or MulticastDNS is enabled, since that works without any explicitly
configured DNS configuration). It is also wise to configure search/routing
domains and the `default-route` boolean *before* configuring the DNS servers,
as the former without the latter has no effect, but the latter without the
former will result in DNS traffic possibly being generated, in a non-desirable
way given that the routing information is not set yet.
## Downgrading Search Domains to Routing Domains
Many VPN implementations provide a way how VPN servers can inform VPN clients
about search domains to use. In some cases it might make sense to install those
as routing domains instead of search domains. Unqualified domain names usually
imply a context of locality: the same unqualified name typically is expected to
resolve to one system in one local network, and to another one in a different
network. Search domains thus generally come with security implications: they
might cause that unqualified domains are resolved in a different (possibly
remote) context, contradicting user expectations. Thus it might be wise to
downgrade *search domains* provided by VPN servers to *routing domains*, so
that local unqualified name resolution remains untouched and strictly maintains
its local focus — in particular in the aforementioned less trusted *corporate*
VPN scenario.
To illustrate this further, here's an example for an attack scenario using
search domains: a user assumes the printer system they daily contact under the
unqualified name "printer" is the network printer in their basement (with the
fully qualified domain name "printer.home"). Sometimes the user joins the
corporate VPN of their employer, which comes with a search domain
"foocorp.example", so that the user's confidential documents (maybe a job
application to a competing company) might end up being printed on
"printer.foocorp.example" instead of "printer.home". If the local VPN software
had downgraded the VPN's search domain to a routing domain "~foocorp.example",
this mismapping would not have happened.
When connecting to untrusted WiFi networks it might be wise to go one step
further even: suppress installation of search/routing domains by the network
entirely, to ensure that the local DNS information is only used for name
resolution of qualified names and only when no better DNS configuration is
available.