[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Paul Wouters paul at nohats.ca
Mon Jun 6 03:41:12 UTC 2016


On Mon, 6 Jun 2016, Shane Kerr wrote:

>> systemd-resolved requires a forwarder. It is not a full DNS recursive
>> server. So source port randomization is pretty useless as you are most
>> likely just doing DNS on the local network.
>
> Minor point: According to Geoff Huston something like 10% of the users
> of the world use 8.8.8.8 as their resolver, at least as of a couple
> years ago:
>
> http://www.potaroo.net/ispcol/2014-11/resolvers.html
>
> So the idea that stub resolvers talk to DNS on the local network is not
> true in hundreds of millions of cases. Adding source port randomization
> will help the (admittedly crappy) protection against out-of-path
> spoofing for these users.

But those users are also mostly behind NAT, which undoes the port
randomization. But fair enough, it surely won't hurt to try.

Paul
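The exchange above turns on how many (source port, TXID) combinations an off-path spoofer has to guess. The following is an added simulation to make that concrete; it is my own illustration, not code from this thread, from systemd-resolved or from Ubuntu. It models four constructed cases: a fixed stub port with no NAT, a randomized port with no NAT, a randomized port behind a NAT that allocates random external ports, and a randomized port behind a NAT that allocates external ports from a counter. Assumptions, all hypothetical: an ephemeral range of 1024-65535, a fixed stub port of 5353, a burst of 4096 forged responses per query, and an attacker who has already observed one external port of the sequential NAT. Real NATs differ (some preserve the internal port, some randomize as RFC 6056 recommends), so whether a given NAT undoes the randomization depends on its allocation policy; the model treats that as two separate cases.

```python
"""Blind DNS response spoofing against a stub resolver: how much does source port
randomization add to the 16-bit TXID, and what does a NAT do to it?

Constructed model, not a measurement:
  * The stub draws a fresh 16-bit TXID per query.
  * Its source port is either one fixed port or uniform over the ephemeral range.
  * An optional NAT rewrites that port: either with a fresh random port
    (entropy preserved) or from a sequential counter (entropy destroyed).
  * The off-path attacker cannot see the query. It sends a burst of `guesses`
    forged responses per query, each with a distinct (port, txid) pair, working
    through the ports it considers likely and all 2^16 TXIDs for each.
"""
import random

TXID_SPACE = 1 << 16
PORT_LOW, PORT_HIGH = 1024, 65536   # assumed ephemeral range (64512 ports)
FIXED_PORT = 5353                    # hypothetical non-randomized stub port


def nat_none(port, state):
    """No NAT: the external port is the stub's own."""
    return port


def nat_random(port, state):
    """NAT allocating a fresh random external port per UDP flow (keeps the entropy)."""
    return state["rng"].randrange(PORT_LOW, PORT_HIGH)


def nat_sequential(port, state):
    """NAT allocating external ports from a counter (next port is predictable)."""
    p = state["next_port"]
    state["next_port"] = PORT_LOW + (p + 1 - PORT_LOW) % (PORT_HIGH - PORT_LOW)
    return p


def attacker_port_rank(nat, state, stub_randomizes):
    """Order in which the attacker tries external ports, as a function port -> rank
    (0 = tried first) or None (never tried). Models what an off-path attacker knows."""
    if nat is nat_sequential:
        # Having seen one earlier external port from this NAT (say, by making the
        # stub query an attacker-controlled zone), the attacker knows the next one.
        predicted = state["next_port"]
        return lambda port: 0 if port == predicted else None
    if nat is nat_none and not stub_randomizes:
        return lambda port: 0 if port == FIXED_PORT else None
    # Uniformly random external port: nothing better than trying them all.
    return lambda port: port - PORT_LOW


def burst_hits(txid, port, rank, guesses):
    """True if a port-major burst of `guesses` forged responses contains the live pair."""
    r = rank(port)
    return r is not None and r * TXID_SPACE + txid < guesses


def simulate(stub_randomizes, nat, guesses, trials, seed=1):
    """Monte Carlo fraction of queries for which the attacker's burst wins the race."""
    rng = random.Random(seed)
    state = {"rng": rng, "next_port": rng.randrange(PORT_LOW, PORT_HIGH)}
    hits = 0
    for _ in range(trials):
        rank = attacker_port_rank(nat, state, stub_randomizes)
        txid = rng.randrange(TXID_SPACE)
        sport = rng.randrange(PORT_LOW, PORT_HIGH) if stub_randomizes else FIXED_PORT
        if burst_hits(txid, nat(sport, state), rank, guesses):
            hits += 1
    return hits / trials


def analytic(guesses, port_candidates):
    """Closed form: guesses / (2^16 * number of equally likely ports), capped at 1."""
    return min(1.0, guesses / (TXID_SPACE * port_candidates))


SCENARIOS = {
    "fixed port, no NAT":           (False, nat_none, 1),
    "random port, no NAT":          (True, nat_none, PORT_HIGH - PORT_LOW),
    "random port, random-port NAT": (True, nat_random, PORT_HIGH - PORT_LOW),
    "random port, sequential NAT":  (True, nat_sequential, 1),
}


def compare(guesses=4096, trials=20000):
    """Per scenario: (simulated success rate, analytic success rate)."""
    return {name: (simulate(rand, nat, guesses, trials), analytic(guesses, ports))
            for name, (rand, nat, ports) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (sim, exact) in compare().items():
        print(f"{name:32s} simulated={sim:.5f}  analytic={exact:.7f}")
```

With a 4096-packet burst the attacker wins about one query in sixteen when only the TXID is random, whether because the stub never randomized its port or because a sequential NAT rewrote it to a predictable value; with a randomized port that survives the NAT the per-query odds drop by a factor of roughly 64k. The model assumes the attacker can fit the whole burst into the response window and ignores rate limits, which is what makes it an upper bound on the attacker's side rather than a measurement.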



More information about the dns-operations mailing list