DNS caching disabled for 12.10...still
DNS caching was previously disabled [1] when dnsmasq was introduced in 12.04 (one of the benefits), to prevent privacy issues, and to prevent local users from spying on source ports and trivially performing a birthday attack in order to poison the cache.

Since dnsmasq e.g. introduced the standard port-randomisation mitigations [2] for birthday attacks in 2008 and related hardening, what are the other technical reasons we should still keep this disablement, despite upstream keeping DNS caching enabled? (i.e. should upstream also disable DNS caching?)

Of course, the impact of disabling DNS caching is considerable.

Thanks!
  Daniel

[1] https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/903854
[2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002148.html

--
Daniel J Blueman

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: DNS caching disabled for 12.10...still
On Oct 7, 2012 12:28 AM, Daniel J Blueman dan...@quora.org wrote:
> DNS caching was previously disabled [1] when dnsmasq was introduced in 12.04 (one of the benefits), to prevent privacy issues, and to prevent local users from spying on source ports and trivially performing a birthday attack in order to poison the cache.
>
> Since dnsmasq e.g. introduced the standard port-randomisation mitigations [2] for birthday attacks in 2008 and related hardening, what are the other technical reasons we should still keep this disablement, despite upstream keeping DNS caching enabled? (i.e. should upstream also disable DNS caching?)
>
> Of course, the impact of disabling DNS caching is considerable.
>
> Thanks!
>   Daniel
>
> [1] https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/903854
> [2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002148.html
>
> --
> Daniel J Blueman

Good points. It does look like hardening and addressing some of the concerns has occurred; it is possible, perhaps, that enabling caching was just overlooked, but either way it would be nice to see it enabled in 13.04.
Re: DNS caching disabled for 12.10...still
On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
> On Oct 7, 2012 12:28 AM, Daniel J Blueman dan...@quora.org wrote:
>> DNS caching was previously disabled [1] when dnsmasq was introduced in 12.04 (one of the benefits), to prevent privacy issues, and to prevent local users from spying on source ports and trivially performing a birthday attack in order to poison the cache.
>>
>> Since dnsmasq e.g. introduced the standard port-randomisation mitigations [2] for birthday attacks in 2008 and related hardening, what are the other technical reasons we should still keep this disablement, despite upstream keeping DNS caching enabled? (i.e. should upstream also disable DNS caching?)
>>
>> Of course, the impact of disabling DNS caching is considerable.
>>
>> Thanks!
>>   Daniel
>>
>> [1] https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/903854
>> [2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002148.html
>>
>> --
>> Daniel J Blueman
>
> Good points. It does look like hardening and addressing some of the concerns has occurred; it is possible, perhaps, that enabling caching was just overlooked, but either way it would be nice to see it enabled in 13.04.

dnsmasq still doesn't support per-user caching, so it still doesn't meet the criteria we discussed with the security team last cycle and as such has been kept in its current configuration.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: DNS caching disabled for 12.10...still
On Sun, Oct 7, 2012 at 3:19 PM, Stéphane Graber stgra...@ubuntu.com wrote:
> On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
>> On Oct 7, 2012 12:28 AM, Daniel J Blueman dan...@quora.org wrote:
>>> DNS caching was previously disabled [1] when dnsmasq was introduced in 12.04 (one of the benefits), to prevent privacy issues, and to prevent local users from spying on source ports and trivially performing a birthday attack in order to poison the cache.
>>>
>>> Since dnsmasq e.g. introduced the standard port-randomisation mitigations [2] for birthday attacks in 2008 and related hardening, what are the other technical reasons we should still keep this disablement, despite upstream keeping DNS caching enabled? (i.e. should upstream also disable DNS caching?)
>>>
>>> Of course, the impact of disabling DNS caching is considerable.
>>> [...]
>>
>> Good points. It does look like hardening and addressing some of the concerns has occurred; it is possible, perhaps, that enabling caching was just overlooked, but either way it would be nice to see it enabled in 13.04.
>
> dnsmasq still doesn't support per-user caching, so it still doesn't meet the criteria we discussed with the security team last cycle and as such has been kept in its current configuration.

With the small difference that you can now actually enable caching should you choose to disregard the security implications.

You can do so by adding a file in /etc/NetworkManager/dnsmasq.d containing

  cache-size=n

where n is the size you want to use (default in dnsmasq is 150, and set to 400 in NM upstream). The name of the file doesn't matter.

Mathieu Trudel-Lapierre mathieu...@ubuntu.com
Freenode: cyphermox, Jabber: mathieu...@gmail.com
4096R/EE018C93 1967 8F7D 03A1 8F38 732E FF82 C126 33E1 EE01 8C93
Re: DNS caching disabled for 12.10...still
On 8 October 2012 08:27, Mathieu Trudel-Lapierre mathieu...@ubuntu.com wrote:
> On Sun, Oct 7, 2012 at 3:19 PM, Stéphane Graber stgra...@ubuntu.com wrote:
>> On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
>>> On Oct 7, 2012 12:28 AM, Daniel J Blueman dan...@quora.org wrote:
>>>> DNS caching was previously disabled [1] when dnsmasq was introduced in 12.04 (one of the benefits), to prevent privacy issues, and to prevent local users from spying on source ports and trivially performing a birthday attack in order to poison the cache.
>>>>
>>>> Since dnsmasq e.g. introduced the standard port-randomisation mitigations [2] for birthday attacks in 2008 and related hardening, what are the other technical reasons we should still keep this disablement, despite upstream keeping DNS caching enabled? (i.e. should upstream also disable DNS caching?)
>>>>
>>>> Of course, the impact of disabling DNS caching is considerable.
>>>> [...]
>>>
>>> Good points. It does look like hardening and addressing some of the concerns has occurred; it is possible, perhaps, that enabling caching was just overlooked, but either way it would be nice to see it enabled in 13.04.
>>
>> dnsmasq still doesn't support per-user caching, so it still doesn't meet the criteria we discussed with the security team last cycle and as such has been kept in its current configuration.
>
> With the small difference that you can now actually enable caching should you choose to disregard the security implications.
>
> You can do so by adding a file in /etc/NetworkManager/dnsmasq.d containing
>
>   cache-size=n
>
> where n is the size you want to use (default in dnsmasq is 150, and set to 400 in NM upstream). The name of the file doesn't matter.

Good tip on the workaround, Mathieu.

Looks like this doesn't work in Ubuntu 12.10 pre-release here:

# echo cache-size=400 > /etc/NetworkManager/dnsmasq.d/cache
# reboot
$ ps -ef | grep dnsmasq
nobody    2057  1128  0 11:29 ?        00:00:00 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

Let me know if it would help to raise a bug report, and I'll analyse it.

Thanks,
  Daniel

--
Daniel J Blueman
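The two posts above describe a drop-in file in /etc/NetworkManager/dnsmasq.d and a ps listing in which NetworkManager still passes --cache-size=0 on the dnsmasq command line. The script below is an added example, not code from the thread or from Ubuntu/NetworkManager: it pulls the cache-size and conf-dir out of a dnsmasq command line, scans the conf-dir for cache-size lines, and reports when both sources set the option, so the conflict is visible before a reboot. The sample command line is the one pasted above; the file-name skip rules (names ending in ~, starting with ., or wrapped in #) follow my reading of the dnsmasq man page for --conf-dir and are an assumption; the demo writes to a temporary directory rather than the real conf-dir.

```shell
#!/bin/sh
# Added example (not from the thread): report the cache-size dnsmasq has been
# given on its command line and in its --conf-dir drop-ins.
# SAMPLE_CMDLINE is a constructed sample copied from the ps output in the thread.
SAMPLE_CMDLINE='/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d'

# Print the value of a --option=value argument on a dnsmasq command line,
# or "unset" if the option is absent. $1: option name, $2: command line.
cmdline_opt() {
    for arg in $2; do
        case "$arg" in
            --"$1"=*) echo "${arg#--"$1"=}"; return 0 ;;
        esac
    done
    echo unset
}

# List "file:value" for every cache-size line in a conf-dir, skipping '#'
# comments and the file names dnsmasq ignores (assumption from the man page:
# ending in ~, starting with ., or wrapped in #). Prints nothing if unset.
confdir_cache_size() {
    [ -d "$1" ] || return 0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        base=${f##*/}
        case "$base" in
            .*|*~|"#"*"#") continue ;;
        esac
        sed -n 's/^[[:space:]]*cache-size[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$f" |
            while read -r v; do echo "$base:$v"; done
    done
}

# Write the drop-in Mathieu describes; note the '>' that the echo in the
# thread lost in transit. $1: conf-dir, $2: cache size. The file name is
# arbitrary to dnsmasq; "cache" is just the name used in the thread.
write_cache_dropin() {
    mkdir -p "$1" && printf 'cache-size=%s\n' "$2" > "$1/cache"
}

# Summarise both sources for one command line and one conf-dir.
# Last line printed is "conflict" when both set cache-size, else "ok".
report() {
    cl=$(cmdline_opt cache-size "$1")
    echo "command line: cache-size=$cl"
    found=$(confdir_cache_size "$2")
    if [ -z "$found" ]; then
        echo "drop-ins in $2: none set cache-size"
    else
        echo "drop-ins in $2:"
        echo "$found" | sed 's/^/  /'
    fi
    if [ "$cl" != unset ] && [ -n "$found" ]; then
        echo conflict
    else
        echo ok
    fi
}

# Stand-alone demo against a temporary directory instead of the real
# /etc/NetworkManager/dnsmasq.d named on the sample command line.
demo_dir=$(mktemp -d)
write_cache_dropin "$demo_dir" 400
report "$SAMPLE_CMDLINE" "$demo_dir"
rm -rf "$demo_dir"
```

Against the sample command line the report ends in "conflict": the daemon was started with --cache-size=0 and a drop-in asks for 400. The script deliberately does not decide which value wins; that is dnsmasq's option-processing order, and Daniel's observation above is the empirical answer for that build. To see what the running daemon actually uses, send it SIGUSR1, which makes dnsmasq write its cache statistics (including the cache size) to syslog.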
Re: DNS caching disabled for 12.10...still
On 8 October 2012 03:19, Stéphane Graber stgra...@ubuntu.com wrote:
> On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
>> On Oct 7, 2012 12:28 AM, Daniel J Blueman dan...@quora.org wrote:
>>> DNS caching was previously disabled [1] when dnsmasq was introduced in 12.04 (one of the benefits), to prevent privacy issues, and to prevent local users from spying on source ports and trivially performing a birthday attack in order to poison the cache.
>>>
>>> Since dnsmasq e.g. introduced the standard port-randomisation mitigations [2] for birthday attacks in 2008 and related hardening, what are the other technical reasons we should still keep this disablement, despite upstream keeping DNS caching enabled? (i.e. should upstream also disable DNS caching?)
>>>
>>> Of course, the impact of disabling DNS caching is considerable.
>>> [...]
>>
>> Good points. It does look like hardening and addressing some of the concerns has occurred; it is possible, perhaps, that enabling caching was just overlooked, but either way it would be nice to see it enabled in 13.04.
>
> dnsmasq still doesn't support per-user caching, so it still doesn't meet the criteria we discussed with the security team last cycle and as such has been kept in its current configuration.

Presumably per-user caching doesn't solve the root issues though. Can you elaborate on the specific reasons/mechanisms why, without per-user caching, dnsmasq is still a security weakness? At least these views should be shared upstream so we can work on resolving the issues.

Thanks,
  Daniel

--
Daniel J Blueman
Re: DNS caching disabled for 12.10...still
On Sun, Oct 7, 2012 at 10:47 PM, Daniel J Blueman dan...@quora.org wrote:
> Can you elaborate on the specific reasons/mechanisms why, without per-user caching, dnsmasq is still a security weakness? At least these views should be shared upstream so we can work on resolving the issues.

It's a subjective security issue IMO. Pretty flawed in some cases; in others it sounds like the guy who only pokes the bear while it's in the cage, and if the cage is nowhere to be found then it's game over, won't even go near it.

What I am saying is, for the average user it's a case of: why are you letting them on your PC at all if you do not have a single ounce of trust and absolutely need per-user caching because you fear they will attempt to poison you? For other environments it's another situation, but those environments are the rule apparently and not the exception... even though they are the minority IMO.