Systemd falls back to Google nameservers when no nameservers are configured

Google's DNS is in there to ease testing.

Which is an incorrect method of testing. You never volunteer someone else's systems for such purposes without written permission, even those that are open-access, and even if they seemingly have unlimited resources.

I routinely think back to the Snapchat NTP bug that saw some NTP Pool member servers being effectively DDoSed by Snapchat users with NTP queries. Many of us pool operators couldn't immediately figure out whose code was causing this. It took us quite some time to track down the cause (it was an all-hands-on-deck effort for a good 2-3+ days). NTP and DNS have no way to track what client software is using your server.

Get this: it was caused by a bad library used by Snapchat that had the NTP pool as its default (see why developer-issued server defaults are bad, even for "testing"?). But thankfully the Snapchat devs were extremely courteous and pushed an immediate fix once they were contacted. Systemd's people, on the other hand, haven't historically been as courteous to operators, often demanding special treatment, etc.

Systemd's people should use a specially configured test resolver, controlled by themselves and used exclusively for testing, that only resolves a given set of domain names, not the entire DNS space. This means that if those testing values make it into public usage, it's obvious what happened. If your testing defaults are fully functional, it must be assumed that they will inevitably leak into the public space and become de facto production, since by then there are bigger fish to fry and there's no incentive to change them. Momentum on these things starts at the developer's code editor.

As someone who runs networks, I can attest that developers can dramatically underestimate the damage malfunctioning networking code can do when it's focused on one group or organization. All it takes is one bug and their software is now a botnet.

/r/linux Thread Parent Link - bugs.debian.org
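The allow-listed test resolver the comment above argues for, as an added example that is not part of the post, of systemd, or of the Debian bug: a minimal UDP DNS responder that answers A queries only for names on a fixed list and returns REFUSED for everything else. The list itself, the names (`resolver-test.example.`, `ci.example.`) and the addresses (taken from the RFC 5737 documentation ranges) are constructed for this example. Because the only thing it can resolve is the test list, a build whose "test" default escapes into a release fails visibly instead of quietly sending its DNS traffic to a third party's servers.

```python
"""Allow-listed test resolver: answers a fixed set of names, REFUSEs the rest.

Added example, not code from the post or from systemd. Names and addresses
below are constructed (RFC 5737 documentation ranges).
"""
import socket
import struct

# Constructed allow-list; a real one holds only the names the test suite needs.
ALLOWLIST = {
    "resolver-test.example.": "192.0.2.10",   # TEST-NET-1
    "ci.example.": "198.51.100.20",           # TEST-NET-2
}

RCODE_NOERROR, RCODE_REFUSED = 0, 5
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode 'a.b.c.' as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed wire-format name at `off`; returns (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0:  # compression pointer: never valid in a question name
            raise ValueError("compressed name in question section")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", off


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a standard recursive query; used here only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query: bytes, allowlist=ALLOWLIST) -> bytes:
    """Answer A/IN queries for allow-listed names; REFUSE every other name."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    base = 0x8000 | 0x0400 | (flags & 0x0100)  # QR=1, AA=1, RD echoed, RA=0

    if qname not in allowlist:
        # Off-list name: refuse rather than resolve, so a leaked test default
        # produces hard failures instead of working traffic to someone else's server.
        hdr = struct.pack("!HHHHHH", txid, base | RCODE_REFUSED, 1, 0, 0, 0)
        return hdr + question
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        # Name exists but no record of that type: NOERROR with an empty answer (NODATA).
        hdr = struct.pack("!HHHHHH", txid, base | RCODE_NOERROR, 1, 0, 0, 0)
        return hdr + question
    hdr = struct.pack("!HHHHHH", txid, base | RCODE_NOERROR, 1, 1, 0, 0)
    rr = (b"\xC0\x0C"  # name pointer to the question name at offset 12
          + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
          + socket.inet_aton(allowlist[qname]))
    return hdr + question + rr


def parse_response(resp: bytes):
    """Return (rcode, [A addresses]) from a response produced by build_response."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    _, off = decode_name(resp, 12)
    off += 4  # skip qtype/qclass
    addrs = []
    for _ in range(ancount):
        off += 2  # 2-byte compression pointer to the name
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A:
            addrs.append(socket.inet_ntoa(resp[off:off + rdlen]))
        off += rdlen
    return flags & 0x000F, addrs


def serve(bind=("127.0.0.1", 5353)):
    """Serve the allow-list over UDP; point the test harness at this address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass  # drop malformed queries silently


if __name__ == "__main__":
    serve()
```

Run it and point the code under test at 127.0.0.1:5353: `resolver-test.example` answers, anything else comes back REFUSED (rcode 5), and a query for a name like `www.google.com` never leaves the host. On the operator side, the fallback the thread is about is governed by `FallbackDNS=` in systemd-resolved's resolved.conf, which the resolved.conf(5) man page documents as disabled when set to an empty value; that is from the man page, not from the post.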