Fixing wg-quick's DNS= directive with a hatchet

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Oct 28 00:06:50 CEST 2017 

On Fri 2017-10-27 19:15:08 +0200, Jason A. Donenfeld wrote:
> (Daniel and Egbert seem mostly okay with the butchered resolvconf in
> their distros; at least they don't see any reason to change things,
> since it mostly works, and users there at least have the choice of
> somehow installing openresolv need be.)

fwiw, i'm *not* ok with resolvconf.  I tried to help co-maintain it for
several years and stepped back from it in disappointment.  I don't even
remember the details at this point, but I'm not convinced that it's
particularly architecturally sound.  I haven't looked at openresolv
myself.

I personally think that the hatchet is an unfortunate distraction from
wireguard.  If Jason decides to ship it upstream, i'll include it in the
debian packages as part of his decision.  However, i suspect it will
break some people's DNS resolution in ways that they don't know how to
recover from besides a reboot (maybe it'll come back after a reboot too?
yikes).  I suspect this will raise even worse noise and abuse than
"Rodney"'s silliness.  And this time, they'll be (at least partly)
right, because the experimental networking tool that they installed will
have done bizarre things to their filesystem mount points(!) and
hijacked an important system configuration file out from under whatever
was maintaining it in the first place.

------

So I think wireguard is better off with a light touch here.  If Jason
just wants to maintain the current openresolv hook, then any wg-quick
invocation that tries to set DNS can just warn on non-openresolv
systems.  something liike:

    you asked me to set up the DNS but i only know how to do that with
    openresolv installed.  Please install openresolv and try again!

This isn't as magic as the hatchet, but it means wireguard is not
responsible for breaking the user's name resolution.

And if folks want to integrate it with other /etc/resolv.conf managers,
they can write, test, and propose patches themselves.

-----

As for what the right solution looks like on a modern GNU/Linux system:

A sensible approach (which i think should be the default on machines
running systemd) is to use systemd-resolved as a local resolving cache.
The easiest way to do that permanently is:

    systemctl enable --now systemd-resolved
    ln -sf /lib/systemd/resolv.conf /etc/resolv.conf

If your networking is configured by systemd-networkd, then everything
else JustWorks™


On systems that use network-manager, you should tell nm to just inform
resolved when it learns about new DNS servers:

    cat > /etc/NetworkManager/conf.d/use-resolved.conf <<EOF
    [main]
    dns=systemd-resolved
    EOF
    systemctl restart NetworkManager

On a system configured with systemd-resolved (with or without
network-manager), i'd want wg-quick to just inform systemd-resolved that
it has a new DNS resolver available.  This is probably some ungodly dbus
invocation that i don't know what it is, but would likely not be an
impossibility to figure out.

    https://www.freedesktop.org/wiki/Software/systemd/resolved/

If someone has the fortitude to wade through that, i'd happily ship such
a patch in debian (and encourage Jason to take it upstream alongside his
openresolv hook), but i'm scattered to too many places to do that myself
today.

all the best,

       --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.zx2c4.com/pipermail/wireguard/attachments/20171027/e55e6425/attachment-0001.asc>

More information about the WireGuard mailing list