Well no, Ubuntu is not undecided.  We use the systemd implementation of
the resolvconf interfaces now, which works directly with resolved.  If
there are features missing there, a task should be opened against
systemd to discuss.

** Changed in: resolvconf (Ubuntu)
       Status: Confirmed => Invalid

** Changed in: resolvconf (Ubuntu)
       Status: Invalid => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to resolvconf in Ubuntu.
https://bugs.launchpad.net/bugs/1683884

Title:
  openresolv is less crippled than debian-resolvconf for security-
  focused configurations

Status in resolvconf package in Ubuntu:
  Won't Fix

Bug description:
  Ubuntu relies on Debian's own "resolvconf" which is vastly inferior to
  Openresolv and makes it impossible to securely set up DNS servers for
  ephemeral secure tunnel interfaces.

  Specifically, Debian's "resolvconf" relies on a hard coded list of
  interface templates. For virtual interfaces or renamed interfaces --
  such as those used for creating secure tunnels -- the DNS entries will
  be lowest priority. This means it's not possible to override the
  current DNS with a DNS bound to particular arbitrarily-named
  interface. In other words, Debian's "resolvconf" explicitly ties
  interface naming templates to interface metrics. Openresolv has the
  `-m` option for this. Using `-m 0` will give an interface's DNS
  servers top priority.

  Secondly, and importantly, Debian's "resolvconf" does not support the
  `-x` option, which specifies that the DNS servers of an interface should
  be the _exclusive_ servers in use. This option is necessary to prevent
  leaking DNS queries over another interface. Even with the
  aforementioned `-m 0` option, an attacker could DoS the top priority
  DNS server in order to leak queries to the second priority DNS server.
  Openresolv's `-x` option fixes this, by allowing marking an interface
  as having "exclusive" control over DNS.

  Therefore, I'd suggest that either:
  a) Ubuntu switch to using Openresolv by default instead of its own
  "resolvconf". The openresolv package already "Provides: resolvconf", so it
  should be a drop-in replacement; or
  b) Debian's "resolvconf" backport these useful and necessary features from
  Openresolv.

  For my specific usage, the recommendation in
  https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1680811
  might work as a fix for the `-m 0` issue, but it is less than ideal
  and does accomplish `-x`. Therefore, I recommend doing either (a) or
  (b), preferably (a).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1683884/+subscriptions
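Added example, not part of the bug report and not code from openresolv or
Debian's resolvconf: a POSIX shell check that a tunnel's post-up hook can
run after `printf 'nameserver ...' | resolvconf -a IFACE -m 0 -x` to confirm
that the tunnel's resolvers are the only ones left in resolv.conf, i.e. that
the fallback resolver the report describes as the leak path is absent. The
interface name tun0, the addresses 10.8.0.1 and 192.168.1.1 and the two
sample files are constructed for the example; nothing here calls resolvconf.

```shell
#!/bin/sh
# Added example (not from the bug report, openresolv or Debian resolvconf).
# Interface name, resolver addresses and file contents are constructed.

# Print the nameserver addresses found in a resolv.conf-style file, one per
# line and sorted, skipping comments and other directives (search, options).
resolv_nameservers() {
    grep -E '^[[:space:]]*nameserver[[:space:]]+' "$1" \
        | awk '{print $2}' | sort -u
}

# Succeed only when the set of nameservers in FILE is exactly the set of
# expected addresses given as the remaining arguments. An extra address means
# a second resolver is still reachable, which is the fallback that -x is
# meant to remove; a missing address means the tunnel resolver never landed.
# Usage: check_exclusive_dns FILE ADDR [ADDR...]
check_exclusive_dns() {
    file=$1
    shift
    expected=$(printf '%s\n' "$@" | sort -u)
    actual=$(resolv_nameservers "$file")
    [ "$expected" = "$actual" ]
}

# Constructed sample: what /etc/resolv.conf should contain after the tunnel
# hook ran  printf 'nameserver 10.8.0.1\n' | resolvconf -a tun0 -m 0 -x
good=$(mktemp)
cat > "$good" <<'EOF'
# Generated by resolvconf
nameserver 10.8.0.1
search example.invalid
EOF

# Constructed sample: the leak case from the report, where the physical
# interface's resolver stays listed as a lower-priority fallback.
leaky=$(mktemp)
cat > "$leaky" <<'EOF'
# Generated by resolvconf
nameserver 10.8.0.1
nameserver 192.168.1.1
EOF

if check_exclusive_dns "$good" 10.8.0.1; then
    echo "ok: only the tunnel resolver is configured"
fi
if check_exclusive_dns "$leaky" 10.8.0.1; then
    :
else
    echo "leak: a fallback resolver is still configured:"
    resolv_nameservers "$leaky" | grep -v '^10\.8\.0\.1$'
fi
```

A hook that relies on `-x` should fail closed on the "leak" branch (for
example by tearing the tunnel down again) rather than only logging, since
the whole point of exclusivity is that no other resolver can answer.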
