DNS caching disabled for 12.10...still

Stéphane Graber stgraber at ubuntu.com
Sun Oct 7 19:19:01 UTC 2012


On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
> 
> On Oct 7, 2012 12:28 AM, "Daniel J Blueman" <daniel at quora.org> wrote:
>>
>> DNS caching was previously disabled [1] when dnsmasq was introduced in
>> 12.04 (one of the benefits), "to prevent privacy issues, and to
>> prevent local users from spying on source ports and trivially
>> performing a birthday attack in order to poison the cache".
>>
>> Since dnsmasq eg introduced the standard port-randomisation
>> mitigations [2] for Birthday attacks in 2008 and related hardening,
>> what are the other technical reasons we should still keep this
>> disablement, despite upstream keeping DNS caching enabled? (ie should
>> upstream also disable DNS caching?)
>>
>> Of course, the impact of disabling DNS caching is considerable.
>>
>> Thanks!
>>   Daniel
>>
>> [1] https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/903854
>> [2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002148.html
>> --
>> Daniel J Blueman
>>
> 
> Good points. It does look like hardening and addressing some of the
> concerns has occurred. It is possible, perhaps, that enabling caching was
> just overlooked, but either way it would be nice to see it enabled in 13.04.

dnsmasq still doesn't support per-user caching, so it still doesn't meet
the criteria we discussed with the security team last cycle, and as such
is kept in its current configuration.


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
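
Added example (not part of the original thread, and not dnsmasq or Ubuntu code): a toy model of the privacy concern quoted above, showing that a cache shared by all local users lets one user learn from a hit or miss what another user resolved, while a cache keyed per user does not. The class, function names, uids and hostnames are hypothetical and constructed, and it assumes a real observer would see hit versus miss as response latency.

```python
import time


class DnsCache:
    """Toy TTL cache of resolved names; per_user selects how entries are keyed."""

    def __init__(self, per_user, clock=time.monotonic):
        self.per_user = per_user
        self.clock = clock
        self.entries = {}  # key -> (address, expiry time)

    def _key(self, uid, name, qtype):
        # DNS names are case-insensitive and may carry a trailing root dot.
        name = name.rstrip(".").lower()
        return (uid, name, qtype) if self.per_user else (name, qtype)

    def lookup(self, uid, name, qtype, upstream):
        """Return (address, was_cache_hit) for a query made by local user uid."""
        key = self._key(uid, name, qtype)
        now = self.clock()
        entry = self.entries.get(key)
        if entry is not None and entry[1] > now:
            return entry[0], True
        # Miss or expired entry: ask upstream and store the answer with its TTL.
        address, ttl = upstream(name, qtype)
        self.entries[key] = (address, now + ttl)
        return address, False


def fake_upstream(name, qtype):
    # Constructed answer: documentation address (RFC 5737) with a 300 s TTL.
    return "192.0.2.10", 300


def cross_user_leak(per_user):
    """True if uid 1001 can tell from hit/miss that uid 1000 resolved a name."""
    cache = DnsCache(per_user, clock=lambda: 0.0)
    cache.lookup(1000, "clinic.example.", "A", fake_upstream)  # first user's query
    _, hit_visited = cache.lookup(1001, "clinic.example", "A", fake_upstream)
    _, hit_other = cache.lookup(1001, "unvisited.example", "A", fake_upstream)
    # A hit on the visited name and a miss on the control name is the signal.
    return hit_visited and not hit_other


if __name__ == "__main__":
    print("shared cache leaks:  ", cross_user_leak(per_user=False))
    print("per-user cache leaks:", cross_user_leak(per_user=True))
```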
