It was <2014-11-06 Thu 18:56>, when Rafał Krypa wrote:
> On 2014-11-06 17:19, Thiago Macieira wrote:
>> On Thursday 06 November 2014 14:37:00 Michael Johnson wrote:
>>> Hi all,
>>>
>>> Thank you for your comments. I didn't realize that /etc/resolv.conf
>>> was not being used anymore, and I don't think many people do.
>>> Geoffroy was correct in that if I set the DNS IPs in that file
>>> manually, it gets overwritten after a reboot with the default below.
>>> However, if connman generates the resolv.conf file, shouldn't it
>>> show the nameservers after they are set, especially if some
>>> applications read that file?
>>
>> Sorry, you're missing the point. Connman *is* the DNS server, so
>> applications simply make DNS requests to Connman, which will reply
>> with information it has or it will query the nameservers you listed
>> for that information. Applications don't need to know what server was
>> set in the system and they won't need to watch the file for updates.
>
> A side note: since Connman is Tizen's recursive DNS server, it is
> quite important from a security point of view. I can strongly bet that it
> wasn't considered from such a perspective before.
>
> During a quick check I found that Connman is very susceptible to DNS
> cache poisoning attacks. It seems to suffer from all aspects of CERT
> VU#800113 (http://www.kb.cert.org/vuls/id/800113):
> - Sequence numbers for DNS queries are generated simply by the random()
>   function, which is trivial to predict
> - All queries are sent from the same source port
> - Connman suffers from the birthday attack, issuing multiple simultaneous
>   queries for the same record

[...]

For the record, connman still does not support DNSSEC either, which would
allow avoiding the above vulnerabilities, at least for the domains that
have been signed.

--
Łukasz Stelmach
Samsung R&D Institute Poland
Samsung Electronics
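The three weaknesses Rafał lists all shrink the space an attacker has to guess blindly, and a resolver operator can check for them in a packet capture. The following Python is an added example, not code from the thread or from ConnMan: it audits a constructed sample of outgoing queries for a fixed source port, counter-like transaction IDs and duplicate in-flight queries, and computes the blind-forgery success probability for a given entropy budget (SAMPLE_QUERIES and the stride heuristic are my assumptions).

```python
from collections import Counter

# Constructed sample of a resolver's outgoing queries, as a packet capture
# would show them: (source_port, transaction_id, qname). Made-up values that
# mirror the three weaknesses described in the thread; not real ConnMan data.
SAMPLE_QUERIES = [
    (53000, 0x1A2B, "example.com"),
    (53000, 0x1A2C, "example.com"),
    (53000, 0x1A2D, "example.com"),
    (53000, 0x1A2E, "example.org"),
]


def audit_queries(queries):
    """Flag the CERT VU#800113 exposure points visible in a capture."""
    ports = {sport for sport, _, _ in queries}
    ids = [txid for _, txid, _ in queries]
    per_name = Counter(qname for _, _, qname in queries)
    # Coarse heuristic (an assumption, not a PRNG test): a constant stride
    # between consecutive IDs betrays a counter. A predictable libc random()
    # stream passes this check, so only a CSPRNG-backed ID makes the field safe.
    strides = {(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])}
    return {
        "fixed_source_port": len(ports) == 1,
        "constant_txid_stride": len(ids) > 1 and len(strides) == 1,
        # Several in-flight queries for one name give the attacker the
        # birthday multiplier: any one of them matching a forged reply wins.
        "duplicate_outstanding": {n: c for n, c in per_name.items() if c > 1},
    }


def forgery_success_probability(guesses, id_bits=16, port_bits=0, outstanding=1):
    """Probability that at least one of `guesses` forged replies with distinct
    (id, port) values matches one of `outstanding` in-flight queries for the
    same name, each query drawing id_bits + port_bits of fresh entropy.

    port_bits=0 models a fixed source port (the attacker learns it once);
    port_bits=16 models full source-port randomisation.
    """
    space = 2 ** (id_bits + port_bits)
    miss_per_query = 1.0 - min(guesses, space) / space
    return 1.0 - miss_per_query ** outstanding


if __name__ == "__main__":
    print(audit_queries(SAMPLE_QUERIES))
    for port_bits in (0, 16):
        p = forgery_success_probability(200, port_bits=port_bits, outstanding=3)
        print(f"200 forged replies, 3 in flight, port_bits={port_bits}: {p:.2e}")
```

Running the audit over a real capture of the resolver's upstream traffic gives the same three flags; a resolver that randomises its source port and uses a CSPRNG for IDs should show neither a single port nor a constant stride.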
