From cb456374e096f0ebe9b70d7ddd98e16a4be24ee6 Mon Sep 17 00:00:00 2001 From: Suraj Krishnan <72937403+surajkrishnan14@users.noreply.github.com> Date: Tue, 26 Apr 2022 17:09:02 -0500 Subject: Implement DNS notifications from resolved via varlink * The new varlink interface exposes a method to subscribe to DNS resolutions on the system. The socket permissions are open for owner and group only. * Notifications are sent to subscriber(s), if any, after successful resolution of A and AAAA records. This feature could be used by applications for auditing/logging services downstream of the resolver. It could also be used to asynchronously update the firewall. For example, a system that has a tightly configured firewall could open up connections selectively to known good hosts based on a known allow-list of hostnames. Of course, updating the firewall asynchronously will require other design considerations (such as queueing packets in the user space while a verdict is made). See also: https://lists.freedesktop.org/archives/systemd-devel/2022-August/048202.html https://lists.freedesktop.org/archives/systemd-devel/2022-February/047441.html --- man/resolved.conf.xml | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'man/resolved.conf.xml') diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 3c56b76748..a0ccaec399 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -329,6 +329,15 @@ DNSStubListenerExtra=udp:[2001:db8:0:f102::13]:9953 url="https://www.iab.org/documents/correspondence-reports-documents/2013-2/iab-statement-dotless-domains-considered-harmful/">IAB Statement, and may create a privacy and security risk. + + + Monitor= + Takes a boolean argument. If true, + systemd-resolved will enable a varlink interface at + /run/systemd/resolve/io.systemd.Resolve.Monitor that exposes methods for clients to subscribe to + DNS resolution notifications on the system. If false (the default), the interface is disabled. + + -- cgit v1.2.1
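Review bot: the new Monitor= entry in man/resolved.conf.xml leaves out the two facts an administrator needs before turning this on, both of which the commit message states: the varlink socket at /run/systemd/resolve/io.systemd.Resolve.Monitor is accessible to its owner and group only, and subscribers are notified after every successful A and AAAA resolution on the system. As written, "exposes methods for clients to subscribe to DNS resolution notifications" does not say who counts as a client or what a subscriber learns, so a reader cannot judge the exposure. Since the paragraph immediately above already warns that a setting "may create a privacy and security risk", the same register fits here; suggest extending the sentence along the lines of "Access to the socket is limited to its owner and group; subscribers receive a notification for each successfully resolved A and AAAA record, i.e. every hostname looked up on the system." It would also help to name the method a client calls to subscribe, since the text refers to "methods" without identifying any, but that name is not visible in this diff and should be taken from the interface definition rather than guessed.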