Thanks
I really want to ask you if i am allowed i want a small change to be implemented in f37
If it is possible to provide a encrypted dns in fedora by default.for out of the box security.
Everyone is allowed to request features, but the question really is who is going to do the necessary work. With Change proposals, the owners set out a plan of how theyâre going to implement the change, for example.
So, youâre free to propose this, but youâll need to either work on it yourself or at least find/convince people to work on it.
3 Likes
If i could i could have done that.
The process for submitting a Change proposal is in the Program Management documentation. If you have questions, feel free to email me or stop by the office hours that I hold weekly on Wednesdays at 9AM and 4PM Eastern (currently 1300 and 2000 UTC) in #fedora-meeting-1.
As Ankur said, you canât submit a Change proposal as a feature request. If you donât have the ability or interest to implement it yourself, you can post on the devel mailing list to seek collaborators.
1 Like
Yeh, a lot of us are in the same boat. The next best thing, when weâre unable to do things ourselves, is to convince people who can to spend their time working on itâand convincing people that our ideas are good enough so they spend their limited free time on it is usually the hardest bit in a volunteer community 
I understand that but i think it is easy and can be implemented if any one is interested please do it. If possible
Out of the box encrypted dns provide some shot of security
https://www.privacyguides.org/technology/dns
Here is a read
So i think it shoud be there in the os.
1 Like
I think more people will see it on the -devel list.
Additionally, if you know what component needs tweaking, then itâs even better to contact the maintainers of that package/spin/whatever and see what they say. Youcould even start by filing a bug against a package if this is something package specific.
While I applaud the desire to have this as a feature, this is not an âeasyâ thing to implement. At the moment there are no discovery mechanisms which can be used to discover encrypted DNS resolvers (the IETF ADD working group is working on specs for that, but they are a long way from being deployment ready), so that means the user would have to supply the information necessary to make use of encrypted resolvers.
Next, there are at least three types of âencrypted DNSâ out there in the wild: DNS-over-HTTPS (DoH), DNS-over-TLS (DoT) and DNS-over-QUIC (DoQ). Work would need to be done to determine which packages in Fedora can even make use of these protocols, and then the results of that analysis would allow the implementers to decide which ones can be made available to the users of the Fedora systems.
Finally, unlike âregularâ DNS, encrypted DNS involves a trust relationship: the user of an encrypted DNS resolver must be able to validate that the resolver is the one they intended to use, and not a compromised or intermediate one. This requires the user to provide a name for the resolver (not just an IP address), so that the certificate provided by the resolver can be validated using the normal TLS validation processes.
All of these aspects of the problem, and likely many more, would be uncovered in the process of writing and discussing a Change proposal.
2 Likes
Yes sure i do that my self with systemd resolved.conf if you open that you could see there are 3 option to choose from we just need to unhash it by default and
Dnsovertls=true
That is all feature is already there just need tweek.
Sure there are other way to implement but i find it easy.
If anything wrong here apology for that.
Itâs often the case that there are complicates beyond turning on a setting. Actually, I think, usually the case. We have lots of real users out in the world, and some of these things arenât widely tested. Weâve done several DNS security-related improvements over the past decade and a lot of them have been kind of rough in actually landing.
That said, in this case⌠we actually do have a related change targetted at Fedora Linux 37:
1 Like
That is good but in most case it is not default but it is a nice change i would request it to be default i have seen this change in 35 36 also.
But i could not understand if it already implemented or not. Can you give me a better view what is this and will it be implemented in f37.
1 Like
While discussing this in another venue some additional concerns were raised about having Encrypted DNS enabled by default. One is that the systemâs clock has to be reasonably close to correct, which can cause a chicken-and-egg issue if getting the clock correct requires using DNS to reach out to NTP servers
Setting âDNSoverTLS=yesâ in /etc/systemd/resolved.conf is not sufficient to actually ensure that encrypted DNS is used.
1 Like
True it need to be implemented correctly.
And i dont know about the issue in ntp server setting time could be a issue in edns.
I think i have to read about when i get some free time.