[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
shane at time-travellers.org
Mon Jun 6 01:26:34 UTC 2016
At 2016-06-05 14:29:20 -0400
Paul Wouters <paul at nohats.ca> wrote:
> On Fri, 3 Jun 2016, Phil Regnauld wrote:
> >> ... apparently it doesn't do source port randomization. Ouch.
> >> That's a real step backwards if that's the case.
> > Ok, this was implemented in systemd 220:
> > https://github.com/systemd/systemd/blob/master/NEWS
> > * systemd-resolved now implements RFC5452 to improve resilience against
> > cache poisoning. Additionally, source port randomization is enabled
> > by default to further protect against DNS spoofing attacks.
> systemd-resolved requires a forwarder. It is not a full DNS recursive
> server. So source port randomization is pretty useless as you are most
> likely just doing DNS on the local network.
Minor point: According to Geoff Huston something like 10% of the users
of the world use 220.127.116.11 as their resolver, at least as of a couple
So the idea that stub resolvers talk to DNS on the local network is not
true in hundreds of millions of cases. Adding source port randomization
will help the (admittedly crappy) protection against out-of-path
spoofing for these users.
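An added example, not part of this thread: a small Python check a defender can run over captured outgoing stub-resolver queries (source UDP port, DNS transaction ID) to tell a fixed-port stub from a randomizing one, plus a simplified off-path spoofing estimate showing why the extra 16 bits of port entropy matter even when the upstream is a public forwarder. The query samples are constructed, and the probability model is a deliberate simplification of RFC 5452's analysis (one outstanding query, a single known destination), not the RFC's full formula.

```python
import math
from collections import Counter

# Constructed sample of outgoing queries as (source UDP port, DNS transaction ID).
# FIXED_PORT_QUERIES mimics a stub that pins one source port; RANDOM_PORT_QUERIES
# mimics a stub that picks a fresh ephemeral port per query.
FIXED_PORT_QUERIES = [(53, tid) for tid in (0x1A2B, 0x3C4D, 0x5E6F, 0x7081, 0x92A3, 0xB4C5)]
RANDOM_PORT_QUERIES = [(51234, 0x1A2B), (60211, 0x3C4D), (35678, 0x5E6F),
                       (49001, 0x7081), (58832, 0x92A3), (40127, 0xB4C5)]


def port_entropy_bits(queries):
    """Shannon entropy (bits) of the observed source ports; 0.0 means one fixed port."""
    counts = Counter(port for port, _ in queries)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def uses_port_randomization(queries, min_distinct=3):
    """Heuristic: a randomizing stub shows many distinct ephemeral ports in a short capture.
    min_distinct is an assumed threshold; tune it to the capture size."""
    return len({port for port, _ in queries}) >= min_distinct


def spoof_success_probability(forged_packets, txid_bits=16, port_bits=0):
    """Simplified odds that an off-path attacker matches TXID (and port, if randomized)
    with forged_packets blind responses delivered inside one query's response window.
    Assumes a single outstanding query and a known destination address/port."""
    search_space = 2 ** (txid_bits + port_bits)
    return min(forged_packets, search_space) / search_space


if __name__ == "__main__":
    for label, sample in (("fixed", FIXED_PORT_QUERIES), ("random", RANDOM_PORT_QUERIES)):
        print(f"{label}: entropy={port_entropy_bits(sample):.2f} bits, "
              f"randomized={uses_port_randomization(sample)}")
    # Same burst of forged replies, TXID only versus TXID plus a randomized 16-bit port.
    print("TXID only:", spoof_success_probability(1000))
    print("TXID + port:", spoof_success_probability(1000, port_bits=16))
```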