| author | Suraj Krishnan <72937403+surajkrishnan14@users.noreply.github.com> | 2022-04-26 17:09:02 -0500 |
|---|---|---|
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2022-09-09 09:22:57 +0100 |
| commit | cb456374e096f0ebe9b70d7ddd98e16a4be24ee6 (patch) | |
| tree | 514bb0753834490ab81e8a21669abe28ba66205a /man/resolved.conf.xml | |
| parent | 761787fc88aff81f3e97da07ac829f431479fe0b (diff) | |
| download | systemd-cb456374e096f0ebe9b70d7ddd98e16a4be24ee6.tar.gz | |
Implement DNS notifications from resolved via varlink
* The new varlink interface exposes a method to subscribe to DNS
resolutions on the system. The socket permissions are open for owner and
group only.
* Notifications are sent to subscriber(s), if any, after successful
resolution of A and AAAA records.
This feature could be used by applications for auditing/logging services
downstream of the resolver. It could also be used to asynchronously
update the firewall. For example, a system that has a tightly configured
firewall could open up connections selectively to known good hosts based
on a known allow-list of hostnames. Of course, updating the firewall
asynchronously will require other design considerations (such as
queueing packets in the user space while a verdict is made).
See also:
https://lists.freedesktop.org/archives/systemd-devel/2022-August/048202.html
https://lists.freedesktop.org/archives/systemd-devel/2022-February/047441.html
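The commit message describes an audit/logging consumer that subscribes to the new varlink interface but does not show one. The following is an added example (not code from this commit or from systemd) of a minimal varlink subscriber in Python. It takes the socket path from the patch; the method name `io.systemd.Resolve.Monitor.SubscribeQueryResults` and the shape of the reply parameters are assumptions, since the commit message names neither, so reply parameters are passed through as JSON rather than interpreted. The constructed `SAMPLE_STREAM` stands in for bytes read from the socket.

```python
"""Minimal varlink subscriber for systemd-resolved DNS notifications.

Added example, not part of the commit. Varlink framing: each message is
one JSON object terminated by a NUL byte; a call with "more": true asks
the server to keep streaming replies, each carrying "continues": true.
"""
import json
import socket
from typing import Iterator, List, Optional, Tuple

# Socket path as documented in the patch. The method name is an assumption
# made for this example; the commit message does not name it.
SOCKET_PATH = "/run/systemd/resolve/io.systemd.Resolve.Monitor"
SUBSCRIBE_METHOD = "io.systemd.Resolve.Monitor.SubscribeQueryResults"


def encode_call(method: str, parameters: Optional[dict] = None,
                more: bool = True) -> bytes:
    """Encode a varlink call as a NUL-terminated JSON object."""
    msg = {"method": method}
    if parameters:
        msg["parameters"] = parameters
    if more:
        msg["more"] = True
    return json.dumps(msg, separators=(",", ":")).encode() + b"\0"


def decode_replies(buf: bytes) -> Tuple[List[dict], bytes]:
    """Split a receive buffer into complete replies.

    Returns the parsed replies and the trailing partial message (if any),
    so the caller can keep it for the next read.
    """
    parts = buf.split(b"\0")
    leftover = parts.pop()  # bytes after the last NUL are incomplete
    return [json.loads(p) for p in parts if p], leftover


def summarize(reply: dict) -> str:
    """One audit line per reply. Error replies are logged, not dropped;
    parameters are emitted verbatim because their schema is not given here."""
    if "error" in reply:
        return "error " + reply["error"]
    return "dns " + json.dumps(reply.get("parameters", {}), sort_keys=True)


def subscribe(path: str = SOCKET_PATH,
              method: str = SUBSCRIBE_METHOD) -> Iterator[dict]:
    """Connect, subscribe, and yield each reply as it arrives.

    Requires Monitor=yes in resolved.conf and that the caller matches the
    socket's owner or group (the commit restricts the socket to those).
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(encode_call(method))
        buf = b""
        while True:
            chunk = s.recv(65536)
            if not chunk:  # server closed the connection
                return
            buf += chunk
            replies, buf = decode_replies(buf)
            for reply in replies:
                yield reply
                # A reply without "continues" ends the call (varlink rule).
                if "error" in reply or not reply.get("continues", False):
                    return


# Constructed sample of a subscription stream as it might arrive from
# recv(): one complete reply followed by the start of a second one.
SAMPLE_STREAM = (b'{"continues":true,"parameters":{"x":1}}\0'
                 b'{"continues":true,"para')


if __name__ == "__main__":
    for r in subscribe():
        print(summarize(r))
```

The buffering in `decode_replies` matters in practice: a single `recv()` can return several notifications or half of one, and splitting on NUL only at complete boundaries keeps a partial JSON object from being parsed too early.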
Diffstat (limited to 'man/resolved.conf.xml')
-rw-r--r-- | man/resolved.conf.xml | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 3c56b76748..a0ccaec399 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -329,6 +329,15 @@ DNSStubListenerExtra=udp:[2001:db8:0:f102::13]:9953</programlisting> url="https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/">IAB Statement</ulink>, and may create a privacy and security risk.</para></listitem> </varlistentry> + + <varlistentry> + <term><varname>Monitor=</varname></term> + <listitem><para>Takes a boolean argument. If <literal>true</literal>, + <command>systemd-resolved</command> will enable a varlink interface at + <filename>/run/systemd/resolve/io.systemd.Resolve.Monitor</filename> that exposes methods for clients to subscribe to + DNS resolution notifications on the system. If <literal>false</literal> (the default), the interface is disabled. + </para></listitem> + </varlistentry> </variablelist> </refsect1> |
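Review bot: the new Monitor= entry omits the access model and the scope of the notifications, both of which the commit message states: the socket is open to its owner and group only, and notifications are sent only after successful A and AAAA resolutions. An administrator enabling this option in resolved.conf will want both facts in the man page; suggest appending after "DNS resolution notifications on the system." a sentence along the lines of "The socket is accessible to its owner and group only, and notifications are emitted for successful A and AAAA resolutions." Also, the entry says the interface "exposes methods" while the commit message describes "a method to subscribe"; align the wording with the interface actually provided.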