DNS caching disabled for 12.10...still
Daniel J Blueman
daniel at quora.org
Mon Oct 8 03:47:18 UTC 2012
On 8 October 2012 03:19, Stéphane Graber <stgraber at ubuntu.com> wrote:
> On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
>> On Oct 7, 2012 12:28 AM, "Daniel J Blueman" <daniel at quora.org> wrote:
>>>
>>> DNS caching was previously disabled [1] when dnsmasq was introduced in
>>> 12.04 (one of the benefits), "to prevent privacy issues, and to
>>> prevent local users from spying on source ports and trivially
>>> performing a birthday attack in order to poison the cache".
>>>
>>> Since dnsmasq e.g. introduced the standard port-randomisation
>>> mitigations [2] for birthday attacks in 2008 and related hardening,
>>> what are the other technical reasons we should still keep this
>>> disablement, despite upstream keeping DNS caching enabled? (i.e. should
>>> upstream also disable DNS caching?)
>>>
>>> Of course, the impact of disabling DNS caching is considerable.
[...]
>> Good points. It does look like hardening and addressing some of the
>> concerns has occurred; it is possible, perhaps, that enabling caching was
>> just overlooked, but either way it would be nice to see it enabled in 13.04.
>
> dnsmasq still doesn't support per-user caching, so it still doesn't meet
> the criteria we discussed with the security team last cycle and as such
> was kept in its current configuration.
Presumably per-user caching doesn't solve the root issues though.
Can you elaborate on the specific reasons/mechanisms why, without per-user
caching, dnsmasq is still a security weakness? At least these views
should be shared upstream so we can work on resolving the issues.
Thanks,
Daniel
--
Daniel J Blueman
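To put numbers on the port-randomisation mitigation cited in the message above, here is an added example (not from the thread, and not dnsmasq code): it estimates the success probability of a birthday-style cache-poisoning attempt against a resolver that relies on the 16-bit transaction ID alone, and against one that also randomises its UDP source port. The 16 bits of port entropy is an assumption.

```python
"""Birthday-attack success probability for DNS cache poisoning.

Constructed illustration: an attacker floods a caching resolver with forged
replies while it has several identical queries outstanding. Each forged
reply is accepted only if it matches the (txid[, source port]) of one of the
outstanding queries.
"""
import math

TXID_BITS = 16
PORT_BITS = 16  # assumed effective entropy of a randomised ephemeral port


def poison_probability(outstanding, forged, id_bits):
    """Probability that at least one forged reply matches an outstanding query.

    Each outstanding query carries an independent random value from a space
    of 2**id_bits, and each forged reply guesses one value. Treating the
    outstanding x forged pairs as independent trials gives
    1 - (1 - 1/S)**(k*n), the usual birthday-style approximation.
    """
    space = 2 ** id_bits
    trials = outstanding * forged
    return 1.0 - math.exp(trials * math.log1p(-1.0 / space))


def forged_replies_needed(outstanding, id_bits, target=0.5):
    """Forged replies required to reach `target` success probability."""
    if outstanding < 1:
        raise ValueError("need at least one outstanding query")
    space = 2 ** id_bits
    per_pair = math.log1p(-1.0 / space)  # negative
    return math.ceil(math.log(1.0 - target) / (per_pair * outstanding))


if __name__ == "__main__":
    for k in (1, 10, 100):
        txid_only = forged_replies_needed(k, TXID_BITS)
        with_port = forged_replies_needed(k, TXID_BITS + PORT_BITS)
        print(f"{k:>3} outstanding: txid-only {txid_only:>8} replies, "
              f"txid+port {with_port:>12} replies for 50% success")
```

With a single outstanding query the txid-only resolver falls at roughly 45k forged replies, while randomising the port pushes that to around three billion; more outstanding identical queries divide both figures, which is why the per-user caching point in the thread (limiting who can trigger and observe those queries) matters on a multi-user host.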