Scheduled Maintenance: We are aware of an issue with Google, AOL, and Yahoo services as email providers which are blocking new registrations. We are trying to fix the issue and we have several internal and external support tickets in process to resolve the issue. Please see: viewtopic.php?t=158230

 

 

 

Google DNS Fallback used in Systemd?

User discussion about Debian Development, Debian Project News and Announcements. Not for support questions.
Post Reply
Message
Author
Kristijonas
Posts: 4
Joined: 2018-03-21 15:09

Google DNS Fallback used in Systemd?

#1 Post by Kristijonas »

Hello, I found an old discussion of a bug report for Debian: https://bugs.debian.org/cgi-bin/bugrepo ... bug=761658

and I have two questions about it:

1. It had to do with Google DNS used as a fallback when no DNS is configured or a configured DNS is unable to be reached. Apparently this fallback is somewhere in systemd level.

Could someone please check and confirm if this has changed since that discussion? Is Google DNS still being used as a fallback in systemd settings somewhere?

2. Are there any similar controversial points about Debian ?

Thank you all for your time! Please move threat to appropriate subforum if I failed to place it correctly myself, thanks!

kopper
Posts: 137
Joined: 2016-09-30 14:30

Re: Google DNS Fallback used in Systemd?

#2 Post by kopper »

Found this: https://isc.sans.edu/forums/diary/Syste ... DNS/22516/

I think the most important points of the article are these:
systemd has a built-in fallback mechanism that specifies, at compilation time, that if no resolvers are configured, it uses the Google DNS by default!
Based on the tested distributions, there is almost no risk to see systemd falling back to the Google DNS.
Debian 10.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian

Kristijonas
Posts: 4
Joined: 2018-03-21 15:09

Re: Google DNS Fallback used in Systemd?

#3 Post by Kristijonas »

Thank you kopper. So basically this applies to every distro using systemd ? Afriend using Lubuntu told me he failed to find the Google DNS used as a fallback there?

I don't suppose this affects non-systemd distros?

If not a major security/privacy by itself, this is a serious philosophical statement from Debian to use a corporate DNS fallback, especially one from a company known to use and abuse information gathered from its users. I completely understand all the users who don't care about this and I'm sure they'll have a 100% satisfactory experience using Debian, but to those who care about this, this can be a major turn-down.

Secondly, I'm sure there are quite a lot of users who never knew about this. This begs the question - how many other things like this exists in Debian? I'm sure there are many end users who would be very concerned. What else is hidden there that could be considered as bad as this? I mean, if this was allowed, then other, similarly undesirable (by the freedom/privacy advocates at least) could also find their way into Debian?

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Google DNS Fallback used in Systemd?

#4 Post by bw123 »

Kristijonas wrote:<snip>This begs the question - how many other things like this exists in Debian? I'm sure there are many end users who would be very concerned. What else is hidden there that could be considered as bad as this? I mean, if this was allowed, then other, similarly undesirable (by the freedom/privacy advocates at least) could also find their way into Debian?
It's part of systemd-resolved.service which is disabled in the default debian systemd implementation. I don't know why or what questions it begs? Kind of makes me beg the question, "Have you done any real research on it, or just spreading FUD?"
resigned by AI ChatGPT

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Google DNS Fallback used in Systemd?

#5 Post by GarryRicketson »

by bw123 » "Have you done any real research on it, or just spreading FUD?"
Posted while I was writing, I suspect "just spreading FUD" (Gossip)
Post by Kristijonas »What else is hidden there that could be considered as bad as this?
You can and are welcome to go over all of the source code, and see what is in it, nothing is hidden, it is not like with Microsoft, where you can not review the source code. And of course if you do find anything in the source code you don't want or like, you are free to remove or modify it, to suit your needs.
Kristijonas>> Could someone please check and confirm
Yea, that is another option, just wait and hope that some day someone else well do it for you, for free, and then take the time to give you the results,....problem:What if they are liar or part of the plot ? Then they will tell you what you want to hear : " Oh, don't worry I have reviewed and checked it all out, and I confirm it is safe and secure. "
Would you take my word for it ?
You can browse the internet, and research, that is all good, but after all said and done, most of what you will read is nothing but gossip and "click bait", the only real way to be sure is to check and confirm it your self, or dis-confirm which ever the case may be.

Kristijonas
Posts: 4
Joined: 2018-03-21 15:09

Re: Google DNS Fallback used in Systemd?

#6 Post by Kristijonas »

To answer your question: I am concerned and had an inquiry. I'm not an advanced user so naturally my own capacity to do research is limited by my knowledge of what/where to look for. I've spent hours reading about this and came to a point where I had to ask.

Could you please clarify: Does your answer mean that Google DNS will not be used as a fallback? This issue basically does not touch Debian at all then?
Is this because Debian customized its systemd config and/or removed certain functionality when adapting it?

Thank you for your patience, I did not mean to cause FUD, I'm simply genuinely concerned both for practical and philosophical reasons and wanted to get to the bottom of how things really are.

Excellent answer Garry Ricketson and I do my best to learn (just began recently) but reading all sources is impossible so a degree of trust in the community is almost a must. If a general consensus of several people is that there is no concern and this particular functionality is disabled in Debian then I would be willing be believe it to be true. Especially since that anyone can come here and challenge their consensus at which point I'd have doubts again.

User avatar
bw123
Posts: 4015
Joined: 2011-05-09 06:02
Has thanked: 1 time
Been thanked: 28 times

Re: Google DNS Fallback used in Systemd?

#7 Post by bw123 »

The fallback (#FallbackDNS=8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844)
is present in stretch @ /etc/systemd/resolvd.conf but i THINK it would only be used if systemd-networkd were setup to manage the network, and another dns wasn't supplied. It's available, but not implemented by default.

For instance, I'm using network-manager aright now and if I remove my /etc/resolv.conf I get a broken network.
...I've spent hours reading about this...
For Pete's sake, why?
resigned by AI ChatGPT

User avatar
GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Google DNS Fallback used in Systemd?

#8 Post by GarryRicketson »

Well, I don't really have the time, nor interest to clarify, the link Kopper posted
seems pretty good, it does a better job then I could on that
https://isc.sans.edu/forums/diary/Syste ... DNS/22516/
>>
I particularly like where OpenBSD is going with pledge(), which is even able to restrict ability of daemons to do things like file I/O. Maybe systemd is such a large beast that something like it couldn't be implemented there, and if that's the case I would suggest to simply steer clear of it.
Myself, I do use the google dns, I have no problem with it, and it is not just a systemd thing, I use it on my OpenBsd server, and also on a Minix 3 server,
neither of which is systemd, I also use it on the Debian 7 server, that is pre-systemd, so it is not systemd either.
If Debian , says
It's available, but not implemented by default.
I would take their word for it, obviously it would be rather foolish to try to lie, and say anything other then the truth, because surely someone would/ will check to confirm it.
Beyond the scope of the topic, but just saying, my reasons for not wanting to use a systemd system have nothing at all to do with this, and there is no point in going into a long list of details to clarify on that.
How ever I would like to add, in any case systemd or not, any Unix like OS, BSD, Linux what ever, one should have the ability to be able to go over all of the "default" settings and configurations, to make sure they are set as desired, if they do not know enough to do that, then they should either take the time to study and learn, or find a tech that they trust, and pay them to do it for them.
It is not wise to just take every bodies word for it, and assume the default setting are what you need or want.
Kristijonas >>Excellent answer Garry Ricketson
Thank you, that is nice, it is pretty rare anyone says that to me,... any way, also most of the more experienced Debian users here on this forum,ones that are actually using Debian 9 and systemd , most are pretty reliable , trustworthy,... again if some one claims something, and it is not true, some body will spot it and call them on it pretty quickly, being wrong by mistake , is not the same as delibrately misleading some one.
==== edit ====
from the "bug report link:
https://bugs.debian.org/cgi-bin/bugrepo ... bug=761658
This default is not used as long as a resolver has been configured by
the system administrator or provided by DHCP, and I see no value in
allocating development time to break cases which currently work by
removing support for a default.
Since the Google resolvers are a very reliable widely anycasted service
which third parties are encouraged to use they actually look like a sane
fail-safe default, hence I am closing this bug.
It is simple enough , to make sure the google dns is not used, make sure the
"/etc/resolv.conf" has something else configured.

Code: Select all

/etc/resolv.conf. This setting is 
    hence only used if no other DNS server information is known. 
The rest of the "bug report", looks more like just a troll and arguments so
I did not read all of it.

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Google DNS Fallback used in Systemd?

#9 Post by debiman »

i use systemd-resolved, i have noticed this myself before, and read the bug report with mild interest.
afaics (i did not look at the source code myself, but have reason to believe what others wrote about it) google dns is indeed hardcoded into systemd-resolved, and i agree that this is opposed to debian's social contract - even if systemd-resolved is not used by default.

otoh, if you use systemd-resolved, it is easy to fix - just add the line

Code: Select all

FallbackDNS=
to /etc/systemd/resolved.conf, means resolved will not use any fallback dns - or define your own fallback there.

F. Alvarez
Posts: 1
Joined: 2018-03-21 23:03

Re: Google DNS Fallback used in Systemd?

#10 Post by F. Alvarez »

Very good initiative from the OP. There should be no propietary default settings in Debian, our OS that we trust.
These kind of things loses open source attitude. In this particular "privacy age" we really have to consider.

Even windows doesn't have anything like this. If my DNS configuration becomes broken I'm happy with that, no need of "built in" help from google. Nowadays it is very rarely for a DNS server to time out, so I can not see the usefulness of this feature, exept for spionage. Imagine: somebody (google's affilate of course) firewalls your network from your prefered DNS access and then you (without noticing it) use google DNS and automaticaly expose yourself to tracking. I can think only of this sole reason why this feature is still on.

Unless I am given an other explanaition I will consider all this topic haters as a google trolls.

Thank you.

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Google DNS Fallback used in Systemd?

#11 Post by debiman »

F. Alvarez wrote:If my DNS configuration becomes broken I'm happy with that, no need of "built in" help from google.
agreed.
Nowadays it is very rarely for a DNS server to time out, so I can not see the usefulness of this feature, exept for spionage. Imagine: somebody (google's affilate of course) firewalls your network from your prefered DNS access and then you (without noticing it) use google DNS and automaticaly expose yourself to tracking. I can think only of this sole reason why this feature is still on.
i wouldn't go that far.
i think the people who put that in acted in good faith - make it failsafe - but it's not really needed imo, and it's not the debian way.

kopper
Posts: 137
Joined: 2016-09-30 14:30

Re: Google DNS Fallback used in Systemd?

#12 Post by kopper »

F. Alvarez wrote:Very good initiative from the OP.
F. Alvarez wrote: Unless I am given an other explanaition I will consider all this topic haters as a google trolls.
Did you create an account to boost this topic's credibility and label any wrong opinions as haters and google trolls? :D

On a more serious note, there is no need to make this bigger issue than it really is. There is fallback mechanism in systemd-resolver. Fallback mechanism is Google DNS. It hardly ever gets used and is easy to disable. It can help non-technical users in some corner-cases to get more usable system with less effort. No one really seems to hide anything, although documentation lacks the mention that compiled-in DNS-server list includes Google. Documentation says:
FallbackDNS=
A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers. Any per-link DNS servers obtained from systemd-networkd.service(8) take precedence over this setting, as do any servers set via DNS= above or /etc/resolv.conf. This setting is hence only used if no other DNS server information is known. If this option is not given, a compiled-in list of DNS servers is used instead.
It's open-source, so you are 1) free to look into the code to verify how things work, 2) suggest changes via appropriate channels and 3) free to use something else if you don't approve with current features or development roadmap.

What is the actual risk here? Most of the users (privacy-focused or not) who have no idea how DNS works are most likely using ISP provided DNS servers. There is a minor risk here, that in some rare cases, systemd-resolv falls back to Google DNS. From user's point of view, it's a question of trust. Is Google worse than your ISP? At least in US, considering current events and net neutrality there seems to be little difference. In the middle-east things are not that great either, although I'd argue that in many countries Google would be even lesser evil. On the other hand users who do know how DNS works and are interested in privacy are either running their own DNS server or at least capable of checking their system DNS settings and configure them according to their liking. As a best practice, you shouldn't do anything sensitive anyway before your system is fully configured.

I don't call out FUD easily, but this really seems blowing things out of proportion. I agree it's not ideal that systemd decides fallback for you, but my personal classification for this change would be "minor" or "non-critical".

EDIT: Minor grammar corrections.
Debian 10.2 Stable with i3
Secure your stuff: Securing Debian Manual
Don't break your stuff: Source List Management DontBreakDebian

Kristijonas
Posts: 4
Joined: 2018-03-21 15:09

Re: Google DNS Fallback used in Systemd?

#13 Post by Kristijonas »

Thank you all for your kind answers!

They've made it clear, however, that using Debian is not a viable choice for me as I am currently looking for a distro that I could know I can trust not to do these things as they matter to me personally from a philosophical perspective.

Thanks again for taking the time to address my inquiry.

User avatar
Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Google DNS Fallback used in Systemd?

#14 Post by Head_on_a_Stick »

Kristijonas wrote:using Debian is not a viable choice for me as I am currently looking for a distro that I could know I can trust not to do these things as they matter to me personally from a philosophical perspective
All distributions that use systemd will have that as a fall-back, why is it such a problem for you anyway? Using Google's nameservers makes sense because they are the most reliable.

Debian doesn't even use systemd-networkd by default anyway, nor does it provide any tools to abstract the configuration.
deadbang

User avatar
debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Google DNS Fallback used in Systemd?

#15 Post by debiman »

i think the critics have a point here.
something like this should not be hardcoded into an application.

otoh, web browsers like chromium probably also have something like that hardcoded (connecting to google servers), and they are still considered 100% FOSS...

debian's free software guidelines say "No Discrimination Against Persons or Groups" - and this could be seen as a form of positive discrimantion towards google.

wouldn't it fit inside debian's developers' scope to edit the source code & recompile, to make it comply to debian's quality standards?

Post Reply