On 8 October 2012 03:19, Stéphane Graber <[email protected]> wrote: > On 10/07/2012 04:32 AM, Benjamin Kerensa wrote: >> On Oct 7, 2012 12:28 AM, "Daniel J Blueman" <[email protected] >> <mailto:[email protected]>> wrote: >>> >>> DNS caching was previously disabled [1] when dnsmasq was introduced in >>> 12.04 (one of the benefits), "to prevent privacy issues, and to >>> prevent local users from spying on source ports and trivially >>> performing a birthday attack in order to poison the cache". >>> >>> Since dnsmasq eg introduced the standard port-randomisation >>> mitigations [2] for Birthday attacks in 2008 and related hardening, >>> what are the other technical reasons we should still keep this >>> disablement, despite upstream keeping DNS caching enabled? (ie should >>> upstream also disable DNS caching?) >>> >>> Of course, the impact of disabling DNS caching is considerable. [...] >> Good points it does look like hardening and addressing some of the >> concerns has occurred it is possible perhaps that enabling caching was >> just overlooked but either way it would be nice to see it enabled in 13.04. > > dnsmasq still doesn't support per-user caching so it still doesn't meet > the criteria we discussed with the security team last cycle and as such > as kept in its current configuration.
Presumably per-user caching doesn't solve the root issues though. Can you elaborate the specific reasons/mechanisms why without per-user caching, dnsmasq is still a security weakness? At least these views should be shared upstream so we can work on resolving the issues. Thanks, Daniel -- Daniel J Blueman -- Ubuntu-devel-discuss mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
