DNS name resolution should not be done during configuration parsing.

Matthias Urlichs matthias at urlichs.de
Thu Feb 21 08:59:36 CET 2019


On 19.02.19 16:45, Vincent Wiemann wrote:
> A kernel VPN module should not depend
> on a user space daemon for doing regular checks or a daemon running at
> all.

It doesn't. You only need userspace when the external IP address changes
*and* the other side either doesn't initiate a link to us, or can no
longer reach us due to firewall or NAT issues. This is already orders of
magnitude better than OpenVPN.

DNS is a complex protocol that's nontrivial to implement securely,
DNSSEC even more so. You do not want that in the kernel. I'd wager a
large chunk of money that neither does Linus Torvalds.

>     One could build up on
>     https://www.kernel.org/doc/Documentation/networking/dns_resolver.txt ,
>     but it's a lot of work and shouldn't be a goal before WireGuard becomes
>     an upstream kernel module.

> I'm pretty sure that's the way to go long-term.

Umm … you might want to read that. It specifies upcalling to userspace.
How is that better than running a WG daemon?

We'd also lose flexibility. I might want to teach that WG daemon to get
the new address from somewhere else, like a secure connection to a VPN
server (given that DNS timeouts might be too long), or to use that
netlink callback to trigger an alert or to activate a fallback connection.

-- 
-- Matthias Urlichs
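The userspace side Matthias is arguing for, as an added example that is not from this thread or from the WireGuard project: it pulls the peer Endpoint names out of a wg(8)-style config, re-resolves them, and emits a `wg set ... endpoint` command only for a peer whose address actually changed, leaving the kernel's current endpoint alone when DNS fails. The sample config, placeholder public key and interface name are constructed; `wg set <iface> peer <key> endpoint <ip:port>` is the real wg(8) syntax.

```python
import socket

# Constructed sample wg(8) config: the peer Endpoint is a DNS name and the
# public key is a placeholder, not a real key (trailing '=' is base64 padding).
SAMPLE_CONFIG = """
[Interface]
PrivateKey = <redacted>
[Peer]
PublicKey = PEER_PUBKEY_PLACEHOLDER=
Endpoint = vpn.example.net:51820   # re-resolved periodically from userspace
AllowedIPs = 10.0.0.0/24
"""

def parse_peer_endpoints(config):
    """Map each [Peer] PublicKey to its (host, port) Endpoint."""
    peers, cur = [], None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line:
            continue
        if line.startswith("["):                     # section header
            cur = {} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None:
            key, _, val = line.partition("=")        # split on first '=' only
            cur[key.strip().lower()] = val.strip()
    out = {}
    for p in peers:
        if "publickey" in p and "endpoint" in p:
            host, _, port = p["endpoint"].rpartition(":")   # handles [v6]:port
            out[p["publickey"]] = (host.strip("[]"), int(port))
    return out

def plan_updates(iface, endpoints, last_seen, resolve=socket.gethostbyname):
    """Return one wg(8) argv per peer whose name now resolves to a different
    address. A DNS failure leaves the kernel's current endpoint untouched;
    `resolve` is injectable so the decision logic runs without network access."""
    cmds = []
    for pubkey, (host, port) in endpoints.items():
        try:
            ip = resolve(host)
        except OSError:             # socket.gaierror is a subclass of OSError
            continue
        if last_seen.get(pubkey) != ip:
            last_seen[pubkey] = ip
            cmds.append(["wg", "set", iface, "peer", pubkey, "endpoint", f"{ip}:{port}"])
    return cmds
```

A daemon would run plan_updates every minute or so and hand each returned argv to subprocess.run(); that same loop is where the alert or fallback hook the mail mentions would plug in.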
