From: Matthias Urlichs <matthias@urlichs.de>
To: wireguard@lists.zx2c4.com
Subject: Re: DNS name resolution should not be done during configuration parsing.
Date: Thu, 21 Feb 2019 08:59:36 +0100 [thread overview]
Message-ID: <ed8879bd-4a2e-662a-b908-6b31354e64c2@urlichs.de> (raw)
In-Reply-To: <ce051517-9325-824c-3299-ba08138e7912@ironai.com>
[-- Attachment #1.1: Type: text/plain, Size: 1303 bytes --]
On 19.02.19 16:45, Vincent Wiemann wrote:
> A kernel VPN module should not depend
> on a user space daemon for doing regular checks or a daemon running at
> all.
It doesn't. You only need userspace when the external IP address changes
*and* the other side either doesn't initiate a link to us, or can no
longer reach us due to firewall or NAT issues. This is already orders of
magnitude better than OpenVPN.
DNS is a complex protocol that's nontrivial to implement securely,
DNSSEC even more so. You do not want that in the kernel. I'd wager a
large chunk of money that neither does Linus Torvalds.
> One could build up on
> https://www.kernel.org/doc/Documentation/networking/dns_resolver.txt ,
> but it's a lot of work and shouldn't be a goal before WireGuard becomes
> an upstream kernel module.
I'm pretty sure that's the way to go long-term.
Umm … you might want to read that. It specifies upcalling to userspace.
How is that better than running a WG daemon?
We'd also lose flexibility. I might want to teach that WG daemon to get
the new address from somewhere else, like a secure connection to a VPN
server (given that DNS timeouts might be too long), or to use that
netlink callback to trigger an alert or to activate a fallback connection.
--
-- Matthias Urlichs
[-- Attachment #1.2: Type: text/html, Size: 2131 bytes --]
[-- Attachment #2: Type: text/plain, Size: 148 bytes --]
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-02-21 7:59 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-14 22:28 Eryk Wieliczko
2019-02-17 3:03 ` David Kerr
2019-02-17 4:08 ` Jeffrey Walton
2019-02-17 12:40 ` Eryk Wieliczko
2019-02-17 13:07 ` Jeffrey Walton
2019-02-17 13:15 ` Eryk Wieliczko
2019-02-19 3:01 ` zrm
2019-02-19 7:22 ` Matthias Urlichs
2019-02-19 14:26 ` Lonnie Abelbeck
2019-02-19 15:45 ` Vincent Wiemann
2019-02-21 7:59 ` Matthias Urlichs [this message]
2019-02-22 1:29 ` Vincent Wiemann
2019-02-19 14:58 ` David Kerr
2019-02-17 12:47 ` Eryk Wieliczko
2019-02-17 18:26 ` Vincent Wiemann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ed8879bd-4a2e-662a-b908-6b31354e64c2@urlichs.de \
--to=matthias@urlichs.de \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).