[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
Mark Andrews
marka at isc.org
Mon Jun 6 01:51:03 UTC 2016
In message <20160606092634.32fddbf7 at pallas.home.time-travellers.org>, Shane Kerr writes:
> Paul,
>
> At 2016-06-05 14:29:20 -0400
> Paul Wouters <paul at nohats.ca> wrote:
>
> > On Fri, 3 Jun 2016, Phil Regnauld wrote:
> >
> > >> ... apparently it doesn't do source port randomization. Ouch.
> > >>
> > >> That's a real step backwards if that's the case.
> > >
> > > Ok, this was implemented in systemd 220:
> > >
> > > https://github.com/systemd/systemd/blob/master/NEWS
> > >
> > > * systemd-resolved now implements RFC5452 to improve resilience against
> > > cache poisoning. Additionally, source port randomization is enabled
> > > by default to further protect against DNS spoofing attacks.
> >
> > systemd-resolved requires a forwarder. It is not a full DNS recursive
> > server. So source port randomization is pretty useless as you are most
> > likely just doing DNS on the local network.
>
> Minor point: According to Geoff Huston something like 10% of the users
> of the world use 8.8.8.8 as their resolver, at least as of a couple
> years ago:
>
> http://www.potaroo.net/ispcol/2014-11/resolvers.html
>
> So the idea that stub resolvers talk to DNS on the local network is not
> true in hundreds of millions of cases. Adding source port randomization
> will help the (admittedly crappy) protection against out-of-path
> spoofing for these users.
Adding DNS COOKIE support (RFC 7873) will do an even better job and
help with other issues. With working DNS COOKIE support you don't
need to do port randomisation.
Mark
> Cheers,
>
> --
> Shane
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
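To make the point about DNS cookies concrete, here is an added example (not code from the thread, from ISC, or from systemd) of what a stub resolver does on the client side of RFC 7873: it attaches an EDNS COOKIE option (option code 10) to its query and accepts a reply only if that reply echoes the 8-byte client cookie it sent. An off-path forger who guesses the transaction ID and port still fails this check because the cookie never crossed the wire in the forger's direction. The option encoding and length rules follow RFC 7873; the sample cookies and the forged reply are constructed for the demonstration, and the per-resolver random client cookie is a simplification of the RFC's recommended derivation.

```python
import os
import struct
from typing import List, Tuple

COOKIE_OPTION_CODE = 10  # EDNS OPTION-CODE for COOKIE, per RFC 7873


def new_client_cookie() -> bytes:
    """Return a fresh 8-byte client cookie.

    RFC 7873 recommends deriving it from a client secret and the server
    address; a random value per resolver is a simplification (assumption).
    """
    return os.urandom(8)


def build_cookie_option(client_cookie: bytes, server_cookie: bytes = b"") -> bytes:
    """Encode one EDNS option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA.

    OPTION-DATA is the 8-byte client cookie, optionally followed by an
    8..32-byte server cookie (so the length is 8 or 16..40).
    """
    if len(client_cookie) != 8:
        raise ValueError("client cookie must be exactly 8 bytes")
    if server_cookie and not 8 <= len(server_cookie) <= 32:
        raise ValueError("server cookie must be 8..32 bytes when present")
    data = client_cookie + server_cookie
    return struct.pack("!HH", COOKIE_OPTION_CODE, len(data)) + data


def parse_edns_options(rdata: bytes) -> List[Tuple[int, bytes]]:
    """Walk the RDATA of an OPT pseudo-RR and return (code, data) pairs."""
    options = []
    offset = 0
    while offset + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if offset + length > len(rdata):
            raise ValueError("truncated EDNS option")
        options.append((code, rdata[offset:offset + length]))
        offset += length
    if offset != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return options


def check_response_cookie(rdata: bytes, expected_client_cookie: bytes) -> Tuple[bool, str]:
    """Decide whether a reply's COOKIE option matches the query we sent.

    Returns (accepted, reason). A reply whose client cookie differs from
    ours is treated as not belonging to our query, which is exactly the
    property that defeats off-path forgery.
    """
    cookies = [data for code, data in parse_edns_options(rdata)
               if code == COOKIE_OPTION_CODE]
    if not cookies:
        return False, "no COOKIE option in reply"
    if len(cookies) > 1:
        # RFC 7873 treats a message with more than one COOKIE option as malformed.
        return False, "more than one COOKIE option in reply"
    data = cookies[0]
    if len(data) != 8 and not 16 <= len(data) <= 40:
        return False, "malformed COOKIE option length %d" % len(data)
    if data[:8] != expected_client_cookie:
        return False, "client cookie mismatch: reply does not belong to our query"
    if len(data) == 8:
        return True, "client cookie echoed, no server cookie yet"
    return True, "client cookie echoed, %d-byte server cookie received" % (len(data) - 8)


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: a genuine reply and a forged one for the same query."""
    our_cookie = new_client_cookie()
    server_cookie = os.urandom(16)  # constructed stand-in for the forwarder's cookie
    genuine = build_cookie_option(our_cookie, server_cookie)
    forged = build_cookie_option(os.urandom(8), server_cookie)  # forger cannot know our cookie
    genuine_ok, _ = check_response_cookie(genuine, our_cookie)
    forged_ok, _ = check_response_cookie(forged, our_cookie)
    return genuine_ok, forged_ok


if __name__ == "__main__":
    print("genuine accepted, forged accepted:", demo())
```

The check runs on the OPT record's RDATA only; in a real resolver it sits alongside, not instead of, the usual ID and question-section matching, and a reply that fails it is simply dropped.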