[systemd-devel] How is DNS over TLS with NM supposed to work?

Petr Menšík pemensik at redhat.com
Fri Oct 21 09:35:46 UTC 2022


Hi,

I have noticed recent NM has a connection.dnsovertls property. So far only 
systemd-resolved can use such a property. But I am somehow lost. DNS over 
TLS requires two things to connect securely: the IP address of the target and 
also an SNI name for the TLS certificate. That is needed to ensure I am not 
connecting to a man in the middle, but to the service I want. Of course a 
trusted CA certificate must provide such a certificate.

Now I have traveled on a train and realized everyone in the same carriage 
can see all my DNS queries. So I would like to use DNS over TLS at 
airports or on mass transit, in any public place in general. But I 
don't think it is necessary on my home or work networks, where I trust that 
no unwanted observer watches all my steps. So a per-connection setting 
would be great. However, what servers should it use when I set the 
per-connection setting to true?

I think NM does not accept a manual setting of the TLS name for each IP. So I 
am unable to enter it in the NM connection settings. Is there some way I 
can tell systemd-resolved to sometimes use a predefined set of DNS over 
TLS servers, including the service name, but at other times accept anything 
DHCP supplies and not insist on using DNS over TLS? Of course there 
has to be a way to direct network-specific domains to local servers from 
DHCP (or manual configuration), not to the global DoT upstream.

Is anything like that already implemented? Is the current state in 
NetworkManager-1.38.4 known to be incomplete and only a work in progress? 
Is it already formulated somewhere as a vision of how it should work once 
it is finished?

Cheers,
Petr

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
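As an added example (not code from the post, from NetworkManager or from systemd), here is a small parser for the `ADDR[:PORT][%IFACE][#SNI]` server syntax that resolved.conf(5) accepts in `DNS=`, with a per-connection chooser that implements the trusted/untrusted policy the message asks for; the policy rules, the `choose_resolvers` name and the server values in the docstrings are assumptions.

```python
# Added example (not from the post, NM or systemd); the policy in choose_resolvers() is an assumption.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class DnsServer:
    address: str
    port: int = 53
    iface: Optional[str] = None
    sni: Optional[str] = None   # name the server certificate is checked against

def parse_server(spec: str) -> DnsServer:
    """Parse resolved.conf(5) syntax: ADDR[:PORT][%IFACE][#SNI]; an IPv6
    address carrying a port must be bracketed, e.g. [2001:db8::1]:853#dot.example"""
    sni = iface = None
    if "#" in spec:
        spec, sni = spec.split("#", 1)
        if not sni:
            raise ValueError("empty SNI name")
    if "%" in spec:
        spec, iface = spec.split("%", 1)
    if spec.startswith("["):                  # bracketed IPv6, optional :PORT
        end = spec.find("]")
        if end < 0:
            raise ValueError("unterminated '[' in %r" % spec)
        addr, tail = spec[1:end], spec[end + 1:]
        if tail and not tail.startswith(":"):
            raise ValueError("junk after ']' in %r" % spec)
        port = int(tail[1:]) if tail else 53
    elif spec.count(":") == 1:                # IPv4 with :PORT
        addr, port_text = spec.split(":")
        port = int(port_text)
    else:                                     # bare IPv4 or bare IPv6
        addr, port = spec, 53
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return DnsServer(str(ipaddress.ip_address(addr)), port, iface, sni)

def choose_resolvers(trusted: bool, dhcp: List[str],
                     dot_upstream: List[str]) -> Tuple[str, List[DnsServer]]:
    """Trusted network: take DHCP servers, TLS only opportunistically.
    Untrusted: fixed DoT set in strict mode, each server must carry an SNI name."""
    if trusted:
        return "opportunistic", [parse_server(s) for s in dhcp]
    servers = [parse_server(s) for s in dot_upstream]
    missing = [s.address for s in servers if s.sni is None]
    if missing:
        raise ValueError("strict DoT needs a certificate name for " + ", ".join(missing))
    return "yes", servers
```

The returned mode string mirrors the `DNSOverTLS=` values resolved accepts (`yes`, `opportunistic`), so the result can be written into a per-link configuration once the connection's trust level is known.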


