DNS caching disabled for 12.10...still

Mathieu Trudel-Lapierre mathieu-tl at ubuntu.com
Mon Oct 8 00:27:55 UTC 2012


On Sun, Oct 7, 2012 at 3:19 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
>>
>> On Oct 7, 2012 12:28 AM, "Daniel J Blueman" <daniel at quora.org
>> <mailto:daniel at quora.org>> wrote:
>>>
>>> DNS caching was previously disabled [1] when dnsmasq was introduced in
>>> 12.04 (one of the benefits), "to prevent privacy issues, and to
>>> prevent local users from spying on source ports and trivially
>>> performing a birthday attack in order to poison the cache".
>>>
>>> Since dnsmasq eg introduced the standard port-randomisation
>>> mitigations [2] for Birthday attacks in 2008 and related hardening,
>>> what are the other technical reasons we should still keep this
>>> disablement, despite upstream keeping DNS caching enabled? (ie should
>>> upstream also disable DNS caching?)
>>>
>>> Of course, the impact of disabling DNS caching is considerable.
[...]
>>
>> Good points it does look like hardening and addressing some of the
>> concerns has occurred it is possible perhaps that enabling caching was
>> just overlooked but either way it would be nice to see it enabled in 13.04.
>
> dnsmasq still doesn't support per-user caching so it still doesn't meet
> the criteria we discussed with the security team last cycle and as such
> as kept in its current configuration.
>

With the small difference that you can now actually enable caching
should you choose to disregard the security implications. You can do
so by adding a file in /etc/NetworkManager/dnsmasq.d containing
"cache-size=n" where n is the size you want to use (default in dnsmasq
is 150, and set to 400 in NM upstream). The name of the file doesn't
matter.


Mathieu Trudel-Lapierre <mathieu-tl at ubuntu.com>
Freenode: cyphermox, Jabber: mathieu.tl at gmail.com
4096R/EE018C93 1967 8F7D 03A1 8F38 732E  FF82 C126 33E1 EE01 8C93
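The snippet mechanism Mathieu describes (a file under /etc/NetworkManager/dnsmasq.d containing "cache-size=n") is easy to add but also easy to forget about, so an administrator reviewing the security trade-off discussed in this thread will want a way to find out what the effective setting on a machine actually is. The following audit script is an added example, not code from the thread or from Ubuntu/NetworkManager. It assumes that dnsmasq honours the last cache-size it reads when several snippets set it and that, absent any snippet, the Ubuntu default of a disabled cache (0) applies; the directory argument defaults to the path given in the thread and can be pointed at a test directory.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the snippets that
# NetworkManager hands to dnsmasq from a dnsmasq.d directory and report the
# effective cache-size. 0 means DNS caching is disabled, which the thread
# describes as the Ubuntu 12.04/12.10 default.
#
# Assumptions: dnsmasq applies the last cache-size value it reads when
# several files set it, and files are read in name order (the glob below
# also sorts by name). Both are assumptions for this example.

# Print the effective cache-size configured in DIR (0 when none is set).
effective_cache_size() {
    dir="${1:-/etc/NetworkManager/dnsmasq.d}"
    size=0
    [ -d "$dir" ] || { echo "$size"; return 0; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Drop comments and whitespace, keep only "cache-size=<n>" lines,
        # and take the last one in the file.
        v=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$f" \
            | grep '^cache-size=' | tail -n 1 | cut -d= -f2)
        [ -n "$v" ] && size="$v"
    done
    echo "$size"
}

# Write a constructed snippet enabling a cache of N entries, the way the
# thread describes it (the file name is arbitrary).
enable_cache_snippet() {
    dir="$1"; n="$2"
    mkdir -p "$dir"
    printf 'cache-size=%s\n' "$n" > "$dir/cache.conf"
}

# Summarise the state for the administrator: "disabled" or "enabled:<n>".
report_cache_state() {
    size=$(effective_cache_size "$1")
    if [ "$size" -eq 0 ] 2>/dev/null; then
        echo "disabled"
    else
        echo "enabled:$size"
    fi
}

# Stand-alone usage: audit the live NetworkManager directory.
if [ "${AUDIT_DEMO:-1}" = "1" ]; then
    echo "DNS caching on this host: $(report_cache_state)"
fi
```

Run without arguments it reports the live system; the two helper functions exist so the same logic can be exercised against a scratch directory before relying on it. A "disabled" result is the configuration the security team asked for in this thread; "enabled:<n>" tells you someone has opted out of that default and the local-user cache-poisoning concern quoted at the top of the thread applies to that host.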
