[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Shane Kerr shane at time-travellers.org
Mon Jun 6 01:26:34 UTC 2016


Paul,

At 2016-06-05 14:29:20 -0400
Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 3 Jun 2016, Phil Regnauld wrote:
> 
> >> 	... apparently it doesn't do source port randomization. Ouch.
> >>
> >> 	That's a real step backwards if that's the case.  
> >
> > 	Ok, this was implemented in systemd 220:
> >
> > https://github.com/systemd/systemd/blob/master/NEWS
> >
> > * systemd-resolved now implements RFC5452 to improve resilience against
> > cache poisoning. Additionally, source port randomization is enabled
> > by default to further protect against DNS spoofing attacks.  
> 
> systemd-resolved requires a forwarder. It is not a full DNS recursive
> server. So source port randomization is pretty useless as you are most
> likely just doing DNS on the local network.

Minor point: According to Geoff Huston something like 10% of the users
of the world use 8.8.8.8 as their resolver, at least as of a couple
years ago:

http://www.potaroo.net/ispcol/2014-11/resolvers.html

So the idea that stub resolvers talk to DNS on the local network is not
true in hundreds of millions of cases. Adding source port randomization
will help the (admittedly crappy) protection against out-of-path
spoofing for these users.

Cheers,

--
Shane
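The point above, that a stub talking to a remote resolver over the open Internet is exposed to blind (out-of-path) spoofing and that a randomized source port is what raises the guessing cost, can be checked and quantified. The Python below is an added example, not code from the mailing-list post or from systemd: it parses tcpdump-style query lines (the two captures are constructed, not real traffic), counts distinct source ports, and plugs the result into the spoofing success formula from RFC 5452 section 7. The attacker packet rate, response window and the size of the ephemeral port range are assumptions chosen for illustration.

```python
"""Added example (not part of the mailing-list post): check whether a stub
resolver's outgoing queries really vary the UDP source port, and put a number
on how much that helps against blind (out-of-path) spoofing, using the
success-probability formula from RFC 5452 section 7.  The capture lines are
constructed in tcpdump's one-line format; they are not a real capture."""
import math
import re
from collections import Counter

# Constructed: a stub that reuses one source port for every query.
FIXED_PORT_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.53211 > 8.8.8.8.53: 4113+ A? example.com. (29)
12:00:01.100001 IP 192.0.2.10.53211 > 8.8.8.8.53: 9876+ AAAA? example.com. (29)
12:00:01.200001 IP 192.0.2.10.53211 > 8.8.8.8.53: 22034+ A? example.net. (29)
12:00:01.300001 IP 192.0.2.10.53211 > 8.8.8.8.53: 60001+ A? example.org. (29)
"""

# Constructed: the same queries from a stub that randomizes the source port.
RANDOM_PORT_CAPTURE = """\
12:00:01.000001 IP 192.0.2.10.41876 > 8.8.8.8.53: 4113+ A? example.com. (29)
12:00:01.100001 IP 192.0.2.10.59203 > 8.8.8.8.53: 9876+ AAAA? example.com. (29)
12:00:01.200001 IP 192.0.2.10.33510 > 8.8.8.8.53: 22034+ A? example.net. (29)
12:00:01.300001 IP 192.0.2.10.50007 > 8.8.8.8.53: 60001+ A? example.org. (29)
"""

# Matches the query side of tcpdump's default DNS summary line:
#   IP <src>.<sport> > <dst>.<dport>: <txid>[+] <type>? <name>. (<len>)
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)\+? "
)


def parse_queries(capture_text):
    """Return (source_port, txid) for every outbound query to port 53."""
    queries = []
    for line in capture_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("dport") == "53":
            queries.append((int(m.group("sport")), int(m.group("txid"))))
    return queries


def distinct_source_ports(queries):
    return len({sport for sport, _ in queries})


def empirical_entropy_bits(values):
    """Shannon entropy of the observed values.  It is bounded by
    log2(sample size), so a handful of packets can only demonstrate the
    absence of randomization, never its full strength."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def spoof_success_probability(outstanding, pkts_per_sec, window_s,
                              nameservers, ports, ids):
    """RFC 5452 section 7: P = D*R*W / (N*P*I), capped at 1.
    D outstanding identical queries, R attacker packets per second,
    W response window in seconds, N candidate server addresses,
    P usable source ports, I usable transaction IDs."""
    return min(1.0, (outstanding * pkts_per_sec * window_s)
               / (nameservers * ports * ids))


def port_randomization_report(capture_text, pkts_per_sec=7000, window_s=0.1):
    """Summarize the capture and the blind-spoofing odds for a fixed port
    versus a port drawn from the whole ephemeral range.  Attacker rate,
    window and the ~64512-port ephemeral range are constructed assumptions;
    a stub talks to a single forwarder, so N = 1."""
    queries = parse_queries(capture_text)
    ports = distinct_source_ports(queries)
    usable_ports = 65536 - 1024
    return {
        "queries": len(queries),
        "distinct_ports": ports,
        "port_entropy_bits": empirical_entropy_bits([p for p, _ in queries]),
        "port_reuse_observed": ports < len(queries),
        "p_spoof_fixed_port": spoof_success_probability(
            1, pkts_per_sec, window_s, 1, 1, 65536),
        "p_spoof_random_port": spoof_success_probability(
            1, pkts_per_sec, window_s, 1, usable_ports, 65536),
    }


if __name__ == "__main__":
    for label, cap in (("fixed", FIXED_PORT_CAPTURE),
                       ("random", RANDOM_PORT_CAPTURE)):
        print(label, port_randomization_report(cap))
```

To run the check against a real host, feed it the output of `tcpdump -n -l udp dst port 53` taken while the stub is busy; repeated source ports across many queries mean the 16-bit transaction ID is the only thing a blind attacker has to guess.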