Do not use non-core systemd

Posted Sep 26, 2025 0:19 UTC (Fri) by intelfx (subscriber, #130118)
In reply to: Do not use non-core systemd by mathstuf
Parent article: An unstable Debian stable update

> I have to reconfigure resolved (via `/etc/nsswitch.conf`) because it causes network namespace leakage. If I have a network namespace jailed to a VPN <...>
>
> Is there some configuration magic around to handle this that you know of?

I don't think systemd-resolved is network namespace aware, and I'm not familiar with any tricks in that area. But that's a hugely niche use-case, and not what I was defending. Normal "split DNS" is when you have multiple network interfaces with disjoint sets of routes in a single network namespace.


Do not use non-core systemd

Posted Sep 26, 2025 3:17 UTC (Fri) by mathstuf (subscriber, #69389)

Ah. I think of network namespacing tricks as a way to get split DNS without actually allowing a process to route over both at once. But perhaps I'm just doing something "more" than "just" split DNS then. In any case, I've found a block tower setup that works to my satisfaction; I'm more looking for ways to put more mortar around the base rather than "don't look at it sideways too hard" stability.

Do not use non-core systemd

Posted Sep 26, 2025 8:38 UTC (Fri) by nim-nim (subscriber, #34454)

The usual use case for split DNS is a backend network with private resources, and a hardened front end network for remote access. This kind of setup pretty much requires dual routing to work (and one could route remote connexions via the backend link but that would defeat the purpose of isolating untrusted traffic on a heavily audited frontend network).


Copyright © 2025, Eklektix, Inc.