On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
>
> On Oct 7, 2012 12:28 AM, "Daniel J Blueman" <dan...@quora.org
> <mailto:dan...@quora.org>> wrote:
>>
>> DNS caching was previously disabled [1] when dnsmasq was introduced in
>> 12.04 (one of the benefits), "to prevent privacy issues, and to
>> prevent local users from spying on source ports and trivially
>> performing a birthday attack in order to poison the cache".
>>
>> Since dnsmasq eg introduced the standard port-randomisation
>> mitigations [2] for Birthday attacks in 2008 and related hardening,
>> what are the other technical reasons we should still keep this
>> disablement, despite upstream keeping DNS caching enabled? (ie should
>> upstream also disable DNS caching?)
>>
>> Of course, the impact of disabling DNS caching is considerable.
>>
>> Thanks!
>> Daniel
>>
>> [1] https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/903854
>> [2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002148.html
>> --
>> Daniel J Blueman
>>
>
> Good points it does look like hardening and addressing some of the
> concerns has occurred it is possible perhaps that enabling caching was
> just overlooked but either way it would be nice to see it enabled in 13.04.

dnsmasq still doesn't support per-user caching so it still doesn't meet
the criteria we discussed with the security team last cycle and as such
is kept in its current configuration.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
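
A simplified model of the spoofing odds this thread refers to, added here as an illustration and not taken from any poster or from dnsmasq: it compares a forged reply's chance of matching an in-flight query when the source port is fixed, randomised, or randomised but visible to a local user. The scenario names, the 1024-65535 port pool and the independent-guess model are assumptions.

```python
import math

TXID_SPACE = 2 ** 16         # DNS transaction IDs are 16 bits
PORT_SPACE = 2 ** 16 - 1024  # assumption: source ports drawn from 1024-65535

def per_reply_hit(scenario: str, outstanding: int = 1) -> float:
    """Chance that one forged reply matches an in-flight query.

    outstanding = identical queries in flight at once (the "birthday"
    part: more open queries means more values that count as a match).
    """
    if scenario == "fixed_port":        # one known port, distinct TXIDs
        return min(1.0, outstanding / TXID_SPACE)
    if scenario == "random_blind":      # port and TXID both unknown
        return min(1.0, outstanding / (TXID_SPACE * PORT_SPACE))
    if scenario == "random_observed":   # port seen locally, TXID unknown
        # Each forged reply is aimed at one observed port, so only that
        # query's TXID has to be guessed; extra open queries do not help.
        return 1 / TXID_SPACE
    raise ValueError(f"unknown scenario: {scenario}")

def p_success(per_reply: float, replies: int) -> float:
    """Probability that at least one of `replies` forged replies matches."""
    if per_reply >= 1.0:
        return 1.0
    return -math.expm1(replies * math.log1p(-per_reply))

def replies_for(target: float, per_reply: float) -> int:
    """Forged replies needed to reach `target` success probability."""
    if per_reply >= 1.0:
        return 1
    return math.ceil(math.log1p(-target) / math.log1p(-per_reply))

if __name__ == "__main__":
    for scenario in ("fixed_port", "random_blind", "random_observed"):
        hit = per_reply_hit(scenario, outstanding=1)
        print(f"{scenario:16} per-reply={hit:.3e} "
              f"replies for 50%={replies_for(0.5, hit):,}")
```

In this model an observed port brings the guess space back to the 16-bit transaction ID alone, the same as the fixed-port case with one open query.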