DNS caching disabled for 12.10...still
stgraber at ubuntu.com
Sun Oct 7 19:19:01 UTC 2012
On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
> On Oct 7, 2012 12:28 AM, "Daniel J Blueman" <daniel at quora.org
> <mailto:daniel at quora.org>> wrote:
>> DNS caching was previously disabled  when dnsmasq was introduced in
>> 12.04 (one of the benefits), "to prevent privacy issues, and to
>> prevent local users from spying on source ports and trivially
>> performing a birthday attack in order to poison the cache".
>> Since dnsmasq eg introduced the standard port-randomisation
>> mitigations  for Birthday attacks in 2008 and related hardening,
>> what are the other technical reasons we should still keep this
>> disablement, despite upstream keeping DNS caching enabled? (ie should
>> upstream also disable DNS caching?)
>> Of course, the impact of disabling DNS caching is considerable.
>>  https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/903854
>> Daniel J Blueman
> Good points it does look like hardening and addressing some of the
> concerns has occurred it is possible perhaps that enabling caching was
> just overlooked but either way it would be nice to see it enabled in 13.04.
dnsmasq still doesn't support per-user caching so it still doesn't meet
the criteria we discussed with the security team last cycle and as such
as kept in its current configuration.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 897 bytes
Desc: OpenPGP digital signature
More information about the Ubuntu-devel-discuss