Red Hat Enterprise Linux 10 released
Red Hat has announced the release of Red Hat Enterprise Linux (RHEL) 10. A blog post accompanying the release provides details on some of the more notable features, such as encrypted DNS, a developer preview of RHEL 10 for RISC-V, and image mode for RHEL using bootc.
Image mode for RHEL lets you deploy your OS as a bootc image to your hardware, virtual machine or cloud, and then layer your app on top of it. That's a far less complex operation than traditional packaged deployments, and it gives developers and image maintainers a common experience and total control over their environment.
RHEL 10 includes the 6.12.0 kernel, GCC 14.2, GNU Binutils 2.41, GNU C Library (glibc) 2.39, Python 3.12, Perl 5.40, and more. See the release notes for a full list of changes. LWN covered CentOS Stream 10 in December, which provided an early look at what would be in the RHEL 10 release.
Posted May 20, 2025 16:13 UTC (Tue)
by tialaramex (subscriber, #21167)
[Link] (22 responses)
DoH is so ordinary today as to be entirely uncontroversial (but welcome of course), but some other features here would be really interesting.
Posted May 20, 2025 16:18 UTC (Tue)
by dskoll (subscriber, #1630)
[Link] (16 responses)
I am not a fan of DoH. While I understand what it's intended to do, it makes things like running a Pi-Hole network-wide ad blocker more difficult, if not impossible. So it's understandable that Google and other advertisers like it.
Posted May 20, 2025 18:02 UTC (Tue)
by zdzichu (subscriber, #17118)
[Link] (15 responses)
Posted May 20, 2025 18:12 UTC (Tue)
by bradfa (subscriber, #71357)
[Link]
Granted, this kind of oppressive network restriction is exactly the reason why DNS over HTTPS is a good thing. When this kind of thing is used to give people access to DNS for "good" reasons it's a big win. But when I'm trying to oppress the ad-serving devices in my own house, I find it frustrating that DoH gets around my restrictions.
Posted May 20, 2025 19:27 UTC (Tue)
by dskoll (subscriber, #1630)
[Link] (13 responses)
The issue is that endpoints can use DoH servers other than the endpoint you provide, in a way that's annoying to block.
I do use use-application-dns.net but that simply asks politely that an endpoint not use DoH... it doesn't enforce it. And while Firefox respects it for now, I imagine there is a fair bit of pressure from advertisers to use DoH as a way to get around DNS-based filtering.
Now, getting around DNS-based filtering such as country-imposed censorship is a good thing, but getting around DNS-based filtering that you want is a bad thing.
If endpoints stop respecting use-application-dns.net then the only practical way to prevent them from looking up domains that you do not want resolved is to block the specific DNS-over-HTTPS servers that they use, and that's a game of whack-a-mole.
Posted May 20, 2025 20:41 UTC (Tue)
by sionescu (subscriber, #59410)
[Link] (1 responses)
For the moment it's much easier than one might think because the DNS endpoints (or any mechanism for bootstrapping such a list) need to be well-known.
Posted May 20, 2025 20:47 UTC (Tue)
by dskoll (subscriber, #1630)
[Link]
The DNS endpoints need to be known to the specific device that's using DNS-over-HTTP.
I would not put it past "Smart TV" manufacturers, for example, to run their own servers that are known only to their devices. Sure, there's a small risk that the endpoints could become unmoored from the servers if the server IPs change before the endpoints can be updated, but as long as one of the IPs keeps working, the endpoints can always get the new list.
Posted May 21, 2025 0:26 UTC (Wed)
by pabs (subscriber, #43278)
[Link] (9 responses)
It sounds like you can't control those endpoints, so you shouldn't trust those endpoints, so you shouldn't provide network access to them?
Posted May 21, 2025 0:30 UTC (Wed)
by pabs (subscriber, #43278)
[Link] (3 responses)
Posted May 21, 2025 0:53 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link]
I would suggest just chucking all of them into a "sewer" VLAN that is isolated from anything else.
Posted May 21, 2025 10:31 UTC (Wed)
by paulj (subscriber, #341)
[Link] (1 responses)
Posted May 21, 2025 12:14 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
You missed that. The network would only be usable for DNS lookups :-)
Cheers,
Posted May 21, 2025 2:41 UTC (Wed)
by dskoll (subscriber, #1630)
[Link] (4 responses)
Sure. If I were a complete purist, I wouldn't run anything on my network that wasn't open source.
But the reality is that (older) Rokus are pretty convenient and cheap streaming devices. I want to give them network access so they can stream videos, but I also want to block them from spying on me or serving ads. I can do both of those things decently with Pi-hole, but if my Roku used DoH with its own DoH servers, it would be much
harder. (This is one reason I'm sticking with a fairly ancient Roku... my model hadn't completely enshittified yet...)
Posted May 21, 2025 2:46 UTC (Wed)
by pabs (subscriber, #43278)
[Link] (3 responses)
Posted May 21, 2025 2:53 UTC (Wed)
by dskoll (subscriber, #1630)
[Link] (2 responses)
Not as far as I know, and at any rate, I doubt a Roku would even support any sort of proxy for its network access.
Posted May 21, 2025 3:13 UTC (Wed)
by pabs (subscriber, #43278)
[Link] (1 responses)
https://github.com/hulu/roku-dev-cli
Posted May 21, 2025 3:15 UTC (Wed)
by dskoll (subscriber, #1630)
[Link]
That's too much tinkering for me. 🙂 I just want to veg out and watch my cat videos. (But this is pretty off-topic from the RHEL 10 announcement, though I guess it's on-topic for why I don't like DoH.)
Posted May 21, 2025 6:40 UTC (Wed)
by Wol (subscriber, #4433)
[Link]
Which is, or should be, illegal. I would think it's a clear breach of the UK CFAA, but of course, just because it's illegal doesn't mean it'll be enforced. Especially if the people breaking it are big boys with money.
Of course, it'll only take one major security breach caused by an ad network that admins blocked, to cause a massive stink and fix this particular problem, but it'll just surface again in a different guise.
Let's hope the security guys make a big enough stink that DoH is disabled by default as a matter of policy ...
Cheers,
Posted May 20, 2025 17:37 UTC (Tue)
by daroc (editor, #160859)
[Link]
Posted May 20, 2025 19:00 UTC (Tue)
by neverpanic (subscriber, #99747)
[Link]
Posted May 22, 2025 9:30 UTC (Thu)
by ab (subscriber, #788)
[Link]
Posted May 23, 2025 9:11 UTC (Fri)
by nim-nim (subscriber, #34454)
[Link] (1 responses)
DoH is very popular with Google and webapp-writers that want to short-circuit other players. Pretty much everyone else just wants classical DNS, with added encryption. Which is why DoH has made the headlines everywhere, while DoT deployment has quietly advanced.
If you try to setup your own DNS stack it becomes ludicrously obvious why it is so. Deploy a DoT-capable DNS server and you’re done things just work. Try to do the same with DoH and you need the same amount of work to setup DoT *plus* some HTTPs config to route the DoH traffic to the right place and avoid stomping on other HTTPS users. And it buys you *nothing* on top of the DoT setup and you can not shut down the DoT setup anyway *because* you’re sure to have a legacy app or appliance somewhere that only speaks classical dns somewhere and is unlikely to change anytime soon and requires you to run a stack able to speak something else than HTTPs.
DoT = x86_64: all the goodies plus backwards compatibility
Posted May 23, 2025 16:25 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted May 20, 2025 18:05 UTC (Tue)
by alspnost (guest, #2763)
[Link] (2 responses)
Posted May 20, 2025 20:13 UTC (Tue)
by pbonzini (subscriber, #60935)
[Link] (1 responses)
In fact there are more patches than before because the kernel's so-called "CVEs" are assigned as soon as something remotely looking like a fix appears in Linus's tree, and FedRAMP requires triaging and possibly backporting the fix even if the patch isn't applied to the upstream 6.12 kernel series.
Posted May 20, 2025 23:08 UTC (Tue)
by linuxrocks123 (subscriber, #34648)
[Link]
Posted May 20, 2025 21:34 UTC (Tue)
by dowdle (subscriber, #659)
[Link] (3 responses)
Posted May 21, 2025 12:12 UTC (Wed)
by jzb (editor, #7867)
[Link] (1 responses)
As a rule, we don't usually do briefs for minor releases of RHEL (or Debian, SUSE, Ubuntu, etc.) unless there's something particularly newsworthy about them. We have the impression that those are not of great interest to the majority of readers. (Whereas even if folks aren't, say, RHEL users they may want to keep informed about major releases and the general direction of other distributions...)
Posted May 22, 2025 4:54 UTC (Thu)
by joib (subscriber, #8541)
[Link]
Encrypted DNS
Encrypted DNS
Why more difficult? When you control DNS, it doesn't matter what transport clients use. Or if you don't want to setup your own DOH endpoint, there's always Encrypted DNS
use-application-dns.net.
Encrypted DNS
Encrypted DNS
Encrypted DNS
Encrypted DNS
Encrypted DNS
Encrypted DNS
Encrypted DNS
Encrypted DNS
Encrypted DNS
Wol
Encrypted DNS
SOCKS proxy?
SOCKS proxy?
SOCKS proxy?
https://gist.github.com/triwav/deb4b48bec9881f7a07e4da8bb...
https://scribe.rip/https:/medium.com/hulu-tech-blog/autom...
SOCKS proxy?
Encrypted DNS
Wol
Encrypted DNS
Encrypted DNS
Encrypted DNS
Encrypted DNS
DoH = ia64: lots of backwards compatibility problems with little to redeem it over x86_64
Encrypted DNS
Wow, they're actually using an LTS kernel (v6.12) for the first time! Not some weird Frankenkernel, like they usually do. Although I assume there's still a mountain of RH-specific patches piled in there, so it might still be quite different to the vanilla 6.12? Still, looks like a nice release, and hopefully we'll be seeing Rocky 10 in short order.
LTS
LTS
LTS
RHEL 9.6 also released
RHEL 9.6 also released
RHEL 9.6 also released