On Sun, Oct 7, 2012 at 3:19 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:
> On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
>>
>> On Oct 7, 2012 12:28 AM, "Daniel J Blueman" <dan...@quora.org> wrote:
>>>
>>> DNS caching was previously disabled [1] when dnsmasq was introduced in
>>> 12.04 (one of the benefits), "to prevent privacy issues, and to
>>> prevent local users from spying on source ports and trivially
>>> performing a birthday attack in order to poison the cache".
>>>
>>> Since dnsmasq e.g. introduced the standard port-randomisation
>>> mitigations [2] for Birthday attacks in 2008 and related hardening,
>>> what are the other technical reasons we should still keep this
>>> disablement, despite upstream keeping DNS caching enabled? (i.e. should
>>> upstream also disable DNS caching?)
>>>
>>> Of course, the impact of disabling DNS caching is considerable. [...]
>>
>> Good points. It does look like hardening and addressing some of the
>> concerns has occurred. It is possible perhaps that enabling caching was
>> just overlooked, but either way it would be nice to see it enabled in 13.04.
>
> dnsmasq still doesn't support per-user caching so it still doesn't meet
> the criteria we discussed with the security team last cycle and as such
> was kept in its current configuration.
>
With the small difference that you can now actually enable caching
should you choose to disregard the security implications.

You can do so by adding a file in /etc/NetworkManager/dnsmasq.d
containing "cache-size=n" where n is the size you want to use (default
in dnsmasq is 150, and set to 400 in NM upstream). The name of the file
doesn't matter.

Mathieu Trudel-Lapierre <mathieu...@ubuntu.com>
Freenode: cyphermox, Jabber: mathieu...@gmail.com
4096R/EE018C93 1967 8F7D 03A1 8F38 732E FF82 C126 33E1 EE01 8C93
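
A check for whether any drop-in in the directory named above turns the shared cache on, as an added example that is not part of the original message. The function names are hypothetical, and it assumes one `cache-size=n` directive per line with `#` starting a comment.

```shell
#!/bin/sh
# Added example: audit a dnsmasq drop-in directory for cache-size overrides.

# Print one "file:value" line per active cache-size directive found in
# the regular files of directory $1. Commented-out directives are ignored.
list_cache_size() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Strip comments and whitespace, then keep cache-size=<digits> only.
        sed -e 's/#.*//' -e 's/[[:space:]]//g' "$f" |
            sed -n 's/^cache-size=\([0-9][0-9]*\)$/\1/p' |
            while read -r n; do printf '%s:%s\n' "$f" "$n"; done
    done
}

# Return 0 and print the matching entries if any drop-in sets a nonzero
# cache size (caching enabled); return 1 if none does.
caching_enabled() {
    hits=$(list_cache_size "$1" | awk -F: '$NF + 0 > 0')
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Stand-alone use: sh audit.sh /etc/NetworkManager/dnsmasq.d
if [ "$#" -gt 0 ]; then
    caching_enabled "$1" || echo "no drop-in enables caching in $1"
fi
```

Because the file name does not matter, the check has to read every file in the directory rather than look for a known name.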