On 8 October 2012 08:27, Mathieu Trudel-Lapierre <mathieu...@ubuntu.com> wrote:
> On Sun, Oct 7, 2012 at 3:19 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:
>> On 10/07/2012 04:32 AM, Benjamin Kerensa wrote:
>>> On Oct 7, 2012 12:28 AM, "Daniel J Blueman" <dan...@quora.org
>>> <mailto:dan...@quora.org>> wrote:
>>>>
>>>> DNS caching was previously disabled [1] when dnsmasq was introduced in
>>>> 12.04 (one of the benefits), "to prevent privacy issues, and to
>>>> prevent local users from spying on source ports and trivially
>>>> performing a birthday attack in order to poison the cache".
>>>>
>>>> Since dnsmasq e.g. introduced the standard port-randomisation
>>>> mitigations [2] for birthday attacks in 2008 and related hardening,
>>>> what are the other technical reasons we should still keep this
>>>> disablement, despite upstream keeping DNS caching enabled? (i.e. should
>>>> upstream also disable DNS caching?)
>>>>
>>>> Of course, the impact of disabling DNS caching is considerable.
> [...]
>>>
>>> Good points. It does look like hardening and addressing some of the
>>> concerns has occurred; it is possible perhaps that enabling caching was
>>> just overlooked, but either way it would be nice to see it enabled in 13.04.
>>
>> dnsmasq still doesn't support per-user caching, so it still doesn't meet
>> the criteria we discussed with the security team last cycle and as such
>> is kept in its current configuration.
>
> With the small difference that you can now actually enable caching
> should you choose to disregard the security implications. You can do
> so by adding a file in /etc/NetworkManager/dnsmasq.d containing
> "cache-size=n" where n is the size you want to use (default in dnsmasq
> is 150, and set to 400 in NM upstream). The name of the file doesn't
> matter.

Good tip on the workaround, Mathieu. Looks like this doesn't work in
Ubuntu 12.10 pre-release here:

# echo cache-size=400 >/etc/NetworkManager/dnsmasq.d/cache
<reboot>
$ ps -ef | grep dnsmasq
nobody    2057  1128  0 11:29 ?        00:00:00 /usr/sbin/dnsmasq
--no-resolv --keep-in-foreground --no-hosts --bind-interfaces
--pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid
--listen-address=127.0.1.1 --conf-file=/var/run/nm-dns-dnsmasq.conf
--cache-size=0 --proxy-dnssec
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq
--conf-dir=/etc/NetworkManager/dnsmasq.d

Let me know if it would help to raise a bug report, and I'll analyse it.

Thanks,
  Daniel
-- 
Daniel J Blueman
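The check behind the ps output above, as an added example that is not part of the thread and not code from NetworkManager or dnsmasq: it reads the `--cache-size` value from the dnsmasq command line NetworkManager spawned and the `cache-size=` line from the drop-in directory Mathieu describes, so the two can be compared before and after the reboot. Function and variable names are my own; the sample command line is the one from the ps output above, and the drop-in directory is a temporary one built inline. Whether a drop-in should override the `--cache-size=0` on the command line is exactly the question for the bug report, so the script only reports the two values and flags the mismatch.

```shell
#!/bin/sh
# Added example; not code from the thread or from NetworkManager/dnsmasq.
# Reports what NetworkManager's dnsmasq instance is doing about caching:
# the --cache-size value on its command line versus any cache-size= line
# in the conf-dir drop-in directory used by the workaround.

# Print the N from the last --cache-size=N on a dnsmasq command line, or
# "default" when the option is absent (dnsmasq's built-in default is 150).
cmdline_cache_size() {
    size=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--cache-size=//p' | tail -n 1)
    if [ -n "$size" ]; then printf '%s\n' "$size"; else printf 'default\n'; fi
}

# Print the last cache-size=N set by any file in a dnsmasq conf-dir
# (leading whitespace tolerated, other lines ignored), or "none".
confdir_cache_size() {
    size=$(cat "$1"/* 2>/dev/null \
        | sed -n 's/^[[:space:]]*cache-size=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
        | tail -n 1)
    if [ -n "$size" ]; then printf '%s\n' "$size"; else printf 'none\n'; fi
}

# True when the command line still disables caching (--cache-size=0),
# which is the state observed above even with the drop-in in place.
caching_disabled() {
    [ "$(cmdline_cache_size "$1")" = "0" ]
}

# Command line of the dnsmasq instance NetworkManager started (Linux procps).
# Use this in place of SAMPLE_CMDLINE below to check a live system.
live_nm_dnsmasq_cmdline() {
    ps -o args= -C dnsmasq 2>/dev/null \
        | grep -- '--conf-dir=/etc/NetworkManager/dnsmasq.d' | head -n 1
}

# Compare the two sources and flag the case where the drop-in asks for a
# cache but the process was nonetheless started with --cache-size=0.
report() {
    cl=$(cmdline_cache_size "$1")
    dropin=$(confdir_cache_size "$2")
    printf 'command line --cache-size: %s\n' "$cl"
    printf 'conf-dir cache-size:       %s\n' "$dropin"
    if caching_disabled "$1" && [ "$dropin" != "none" ]; then
        printf 'drop-in requests a cache but the process was started with --cache-size=0\n'
    fi
}

# Constructed sample input: the ps output above joined onto one line, and a
# temporary conf-dir holding the drop-in from the workaround.
SAMPLE_CMDLINE='/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d'
SAMPLE_DIR=$(mktemp -d)
printf 'cache-size=400\n' > "$SAMPLE_DIR/cache"

report "$SAMPLE_CMDLINE" "$SAMPLE_DIR"
```

On a real 12.10 box, run `report "$(live_nm_dnsmasq_cmdline)" /etc/NetworkManager/dnsmasq.d` after the reboot; the ps output above corresponds to the mismatch case.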

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss