Re: DNS caching disabled for 12.10...still
On Sun, Oct 7, 2012 at 11:35 PM, Daniel J Blueman wrote:
[...]
> Good tip on the workaround, Mathieu. Looks like this doesn't work in
> Ubuntu 12.10 pre-release here:
>
> # echo cache-size=400 >/etc/NetworkManager/dnsmasq.d/cache
>
> $ ps -ef | grep dnsmasq
> nobody 2057 1128 0 11:29 ? 00:00:00 /usr/sbin/dnsmasq
> --no-resolv --keep-in-foreground --no-hosts --bind-interfaces
> --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid
> --listen-address=127.0.1.1 --conf-file=/var/run/nm-dns-dnsmasq.conf
> --cache-size=0 --proxy-dnssec
> --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
> --conf-dir=/etc/NetworkManager/dnsmasq.d

You can't see it on the command-line. Things are evaluated in order;
command-line parameters first, up to the --conf-dir parameter, and
then the files in that directory will be looked at and configuration
taken into account. However, it won't change the actual command-line
for the application, since it's indeed how it was started.

To see the result, you'll want to kill dnsmasq with the SIGUSR1 signal
-- this will force it to write out statistics to syslog. This is also
the way to list the nameservers used by dnsmasq.

Regards,

Mathieu Trudel-Lapierre
Freenode: cyphermox, Jabber: mathieu...@gmail.com
4096R/EE018C93 1967 8F7D 03A1 8F38 732E FF82 C126 33E1 EE01 8C93

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: DNS caching disabled for 12.10...still
On 8 October 2012 21:10, Mathieu Trudel-Lapierre wrote:
> On Sun, Oct 7, 2012 at 11:35 PM, Daniel J Blueman wrote:
> [...]
>> Good tip on the workaround, Mathieu. Looks like this doesn't work in
>> Ubuntu 12.10 pre-release here:
>>
>> # echo cache-size=400 >/etc/NetworkManager/dnsmasq.d/cache
>>
>> $ ps -ef | grep dnsmasq
>> nobody 2057 1128 0 11:29 ? 00:00:00 /usr/sbin/dnsmasq
>> --no-resolv --keep-in-foreground --no-hosts --bind-interfaces
>> --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid
>> --listen-address=127.0.1.1 --conf-file=/var/run/nm-dns-dnsmasq.conf
>> --cache-size=0 --proxy-dnssec
>> --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
>> --conf-dir=/etc/NetworkManager/dnsmasq.d
>
> You can't see it on the command-line. Things are evaluated in order;
> command-line parameters first, up to the --conf-dir parameter, and
> then the files in that directory will be looked at and configuration
> taken into account. However, it won't change the actual command-line
> for the application, since it's indeed how it was started.
>
> To see the result, you'll want to kill dnsmasq with the SIGUSR1 signal
> -- this will force it to write out statistics to syslog. This is also
> the way to list the nameservers used by dnsmasq.

Great; adding this file back in, caching is working as expected.

Thanks,
Daniel
--
Daniel J Blueman
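
The check described in the message above, as an added example that is not part of the original thread: shell functions that send SIGUSR1 via the PID file shown in the ps output, then read the effective cache size and upstream servers from the resulting syslog lines. The function names and the sample log lines are constructed here, and the log format is assumed to be dnsmasq's usual statistics dump.

```shell
#!/bin/sh
# PID file path as shown in the ps output quoted in the thread.
PIDFILE=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid

# Ask the running dnsmasq to write its statistics to syslog (needs root).
dump_stats() {
    kill -USR1 "$(cat "$PIDFILE")"
}

# stdin: syslog lines. Prints the cache size from the most recent dump.
effective_cache_size() {
    sed -n 's/.*dnsmasq\[[0-9]*\]: cache size \([0-9][0-9]*\),.*/\1/p' | tail -n 1
}

# stdin: syslog lines. Prints the upstream servers from the most recent dump.
upstream_servers() {
    awk '/dnsmasq\[[0-9]+\]: time [0-9]+/ { n = 0 }   # a new dump starts here
         /dnsmasq\[[0-9]+\]: server / {
             sub(/.*: server /, ""); sub(/: queries sent.*/, ""); s[n++] = $0 }
         END { for (i = 0; i < n; i++) print s[i] }'
}

# stdin: syslog lines. Exit status 0 if the latest dump shows a non-zero
# cache, 1 if the cache size is 0 or no dump was found.
caching_enabled() {
    size=$(effective_cache_size)
    [ -n "$size" ] && [ "$size" -gt 0 ]
}

# Constructed sample (not from the thread): one dump taken with only
# --cache-size=0 in effect, one after the conf-dir file was added.
SAMPLE_LOG='Oct  8 11:29:01 host dnsmasq[2057]: time 1349695741
Oct  8 11:29:01 host dnsmasq[2057]: cache size 0, 0/0 cache insertions re-used unexpired cache entries.
Oct  8 11:29:01 host dnsmasq[2057]: queries forwarded 12, queries answered locally 0
Oct  8 11:29:01 host dnsmasq[2057]: server 192.0.2.53#53: queries sent 12, retried or failed 0
Oct  8 11:41:17 host dnsmasq[2311]: time 1349696477
Oct  8 11:41:17 host dnsmasq[2311]: cache size 400, 0/37 cache insertions re-used unexpired cache entries.
Oct  8 11:41:17 host dnsmasq[2311]: queries forwarded 21, queries answered locally 16
Oct  8 11:41:17 host dnsmasq[2311]: server 192.0.2.53#53: queries sent 15, retried or failed 0
Oct  8 11:41:17 host dnsmasq[2311]: server 198.51.100.7#53: queries sent 6, retried or failed 1'

printf '%s\n' "$SAMPLE_LOG" | effective_cache_size
```

On a live system, run `dump_stats` as root and then feed the system log to the parsers, for example `effective_cache_size < /var/log/syslog` (the log path is an assumption about the local syslog setup).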
Re: DNS caching disabled for 12.10...still
On 8 October 2012 13:24, Jordon Bedwell wrote:
> On Sun, Oct 7, 2012 at 10:47 PM, Daniel J Blueman wrote:
>> Can you elaborate the specific reasons/mechanisms why without per-user
>> caching, dnsmasq is still a security weakness? At least these views
>> should be shared upstream so we can work on resolving the issues.
>
> It's a subjective security issue IMO. Pretty flawed in some cases, in
> others it sounds like the guy who only pokes the bear while it's in
> the cage and if the cage is nowhere to be found then it's game over,
> won't even go near it. What I am saying is for the average user it's
> a case of why are you letting them on your PC at all if you do not
> have a single ounce of trust and absolutely need per-user caching
> because you fear they will attempt to poison you. For other
> environments it's another situation but those environments are the
> rule apparently and not the exception... even though they are the
> minority IMO.

Subjective or not, there was a list of reasons which added up to
"let's disable it"; I really think we should get this list
(particularly since upstream and other distros allow the caching) and
reevaluate. It's too late for the release, sure.

Anyone?

Daniel
--
Daniel J Blueman