If DNS caching is being disabled in dnsmasq, what value is being had from using dnsmasq by default with network connections? Seems like it just presents another potential failure point.

On 10/07/2012 09:19 AM, Stéphane Graber wrote:
On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
On Oct 7, 2012 12:28 AM, "Daniel J Blueman" <dan...@quora.org
<mailto:dan...@quora.org>> wrote:
DNS caching was previously disabled [1] when dnsmasq was introduced in
12.04 (one of the benefits), "to prevent privacy issues, and to
prevent local users from spying on source ports and trivially
performing a birthday attack in order to poison the cache".

Since dnsmasq eg introduced the standard port-randomisation
mitigations [2] for Birthday attacks in 2008 and related hardening,
what are the other technical reasons we should still keep this
disablement, despite upstream keeping DNS caching enabled? (ie should
upstream also disable DNS caching?)

Of course, the impact of disabling DNS caching is considerable.

Thanks!
   Daniel

[1] https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/903854
[2]
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002148.html
--
Daniel J Blueman

Good points it does look like hardening and addressing some of the
concerns has occurred it is possible perhaps that enabling caching was
just overlooked but either way it would be nice to see it enabled in 13.04.
dnsmasq still doesn't support per-user caching so it still doesn't meet
the criteria we discussed with the security team last cycle and as such
as kept in its current configuration.





-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Reply via email to