
Disable systemd DNS resolver feature
Closed, Resolved, Public

Description

Systemd just gained DNS resolution as a feature. This should be disabled because of potentially negative consequences for anonymity and to reduce attack surface.

https://lists.freedesktop.org/archives/systemd-devel/2016-February/035748.html

Details

Impact
Normal

Event Timeline

This can probably be implemented by adding a systemd override for systemd-resolved.service.

To check:

sudo systemctl status systemd-resolved.service
Patrick changed the task status from Open to Review. Feb 5 2017, 8:16 PM

Done.

I've spent a lot of thought on the migration. For new Whonix 14 images, systemd-resolved will never start.

When upgrading Whonix 13 to Whonix 14,

  • when using https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14 - it will not start (since apt-get-noninteractive prevents daemon restarts, and after reboot the systemd drop-in that prevents its startup will be in place)
  • when not using apt-get-noninteractive, systemd-resolved would start and keep running until the next reboot
    • there won't be an auto upgrade from Whonix 13 to Whonix 14, since the user has to manually change the Debian and Whonix repositories from jessie to stretch, so the risk of this happening accidentally should be low
    • otherwise preventing this would be cumbersome and require a lot more code (inventing a postinst running systemd daemon-reload and whatnot)
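
An added example (not Whonix's or systemd's own code) of the drop-in approach discussed above, with the follow-up check a practitioner would run afterwards. It assumes a ConditionPathExists-based drop-in and a ROOT prefix argument so the functions can be dry-run against a scratch directory without root.

```shell
#!/bin/sh
# Added example, not Whonix's or systemd's own code. Creates a systemd drop-in
# that keeps systemd-resolved.service from starting, then checks the result.
# ROOT is an assumed prefix argument (use "" for a live system) so the
# functions can be exercised against a scratch directory without root.

# Write the drop-in. Assumed mechanism: a ConditionPathExists= for a path
# that never exists fails the unit's start condition, so systemd skips the
# service (systemctl status shows it as skipped) rather than running it.
write_resolved_dropin() {
    dir="$1/etc/systemd/system/systemd-resolved.service.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/30_disable.conf" <<'EOF'
[Unit]
# Marker path that is never created; the failing condition stops the
# service even if something runs "systemctl start systemd-resolved".
ConditionPathExists=/etc/systemd/resolved-allowed-marker-never-created
EOF
}

# Return 0 when the drop-in exists and carries the condition line.
dropin_present() {
    f="$1/etc/systemd/system/systemd-resolved.service.d/30_disable.conf"
    [ -f "$f" ] && grep -q '^ConditionPathExists=' "$f"
}

# Return 0 when resolv.conf does not route DNS to resolved's stub listener
# (127.0.0.53). A leftover symlink into /run/systemd/resolve, or a nameserver
# line for the stub, would hand every lookup to a daemon that no longer runs.
resolv_conf_clean() {
    f="$1/etc/resolv.conf"
    [ -e "$f" ] || [ -L "$f" ] || return 0
    case "$(readlink "$f" 2>/dev/null)" in
        *stub-resolv.conf*|*/run/systemd/resolve/*) return 1 ;;
    esac
    ! grep -q '^nameserver[[:space:]]\{1,\}127\.0\.0\.53' "$f" 2>/dev/null
}
```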

This isn't a ticket for the general question of systemd yes vs no. If you'd like to raise this, please move it to the forums or so.

It was just to remind you that this "feature" is just the tip of an iceberg that keeps getting bigger over time. If you see it as feasible and preferable to move away from systemd, I would expect you to start the ticket/discussion.

Patrick claimed this task.