Seems like a perfectly legitimate fallback to me. If the DNS server of my ISP is down again (happens once every decade) and then my computer connects to a fallback reasonably trusted by my distribution or otherwise won’t function, then I’d rather have it function. Fedora comes with a huge mirrorlist, and I don’t have to opt-in to every one of those for a functioning computer either.
> [...] and then my computer connects to a fallback reasonably trusted by my distribution or otherwise won’t function, then I’d rather have it function.
I'd rather have it not function, because that way I know something is wrong.
If something breaks somewhere on my network, but my experience stays 'the same', I may miss the fact that something broke because of this 'magic' that occurs behind my back.
If I'm surfing the web, and my browsers hangs with "Looking up news.ycombinator.com..." or returns and error with "Cannot resolve/find server with name example.com.", then I know to start digging into things.
On the other hand, I use HE's tunnelbroker for IPv6 and need to prevent AAAA results for Netflix (which blocks HE IPv6 addresses because in theory someone could evade geographic restrictions on streaming). Easy enough since I run my own DNS server. It sounds like systemd might, without any warning, switch to the fallback servers if something goes wrong, only for someone in my house to complain later on when Netflix is not working (meanwhile the underlying problem goes undetected for who knows how long, because everything is using the fallbacks and nobody notices that something went wrong).
This is a pretty niche edge case: you're enabling a completely unnecessary service and want to tamper with third-party DNS responses, are concerned about something which will only be used if you have multiple DNS servers go down, but don't monitor core network infrastructure or control the settings on those client systems. That's an edge case on an edge case and it's not surprising that they would not prioritize it.
...and the case where DNS servers are not configured by DHCP, not configured statically in NetworkManager or resolve.conf, and not explicitly configured in systemd's own DNS config files, is not an edge case? I am not asking that systemd developer "prioritize" anything -- I am asking that they not introduce some new, counterintuitive logic that unexpectedly breaks things.
But that isn't the only option. You could do that and use Google or systemd could have done the right thing and fallen back on its own recursive resolver. This is basically that worst possible option. I guess it is because it would require more work for systemd.
A fallback should not silently start disclosing your Personally Identifiable Information (IP address in this scenario) to an unrelated third party. It's the law (GDPR).
In the face of failing or missing primary DNS, the system should loudly complain about it, then get authorization from the user to fall back to a default DNS server.
But what about GP's point regarding mirrors? Your IP will be transmitted to potentially a wide range of effectively 3rd party hosts. Looking at my /var/log/dnf.librepo.log I can see requests from a number of hosts, including:
I never explicitly agreed to connect to all of these hosts (some are from repos I did manually enable), and it wasn't made abundantly clear to me during install they would be used. As far as trying to keep GDPR hygiene up, I don't see why this is better than configuring a default DNS server if you're worried about IP address transmission.
There's a huge difference between disclosing your IP and disclosing all the various websites you visit. Moreover, those websites are being disclosed to entities whose commercial business is to track you--for marketing, for performance, w'ever.
Relatedly, your IP is also disclosed via NTP. NTP hosts can be advertised over DHCP, similar to DNS resolvers. And systemd also has built-in fallbacks for NTP, which has actually caused major headaches working on security compliance for U.S. government services because the instances should never use any NTP server other than time.nist.gov. But if time.nist.gov is unavailable for w'ever reason, systemd by default falls back to non-compliant NTP hosts. Disabling this is tricky if you rely on DHCP-advertised NTP servers (which is preferable to minimize the diff between govcloud and non-govcloud deployment images).
