[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Paul Wouters paul at nohats.ca
Mon Jun 6 03:41:12 UTC 2016

On Mon, 6 Jun 2016, Shane Kerr wrote:

>> systemd-resolved requires a forwarder. It is not a full DNS recursive
>> server. So source port randomization is pretty useless as you are most
>> likely just doing DNS on the local network.
> Minor point: According to Geoff Huston something like 10% of the users
> of the world use as their resolver, at least as of a couple
> years ago:
> http://www.potaroo.net/ispcol/2014-11/resolvers.html
> So the idea that stub resolvers talk to DNS on the local network is not
> true in hundreds of millions of cases. Adding source port randomization
> will help the (admittedly crappy) protection against out-of-path
> spoofing for these users.

But those users are also mostly behind NAT, which undoes the port
randomization. But fair enough, it surely won't hurt to try.
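The exchange above turns on two claims: a stub that randomizes its source port raises the cost of off-path spoofing, and a NAT that rewrites that port can take the benefit away again. The following toy simulation is an added example, not code from this thread, from systemd-resolved, or from any real resolver or NAT. It assumes a stub that draws a fresh random port and transaction ID per query, a NAT that allocates external ports sequentially (one common behaviour; real NATs differ, see the port-assignment behaviours catalogued in RFC 4787), and an off-path attacker who has seen earlier flows and predicts the next external port as "last port plus one". All names and numbers in it are constructed for illustration.

```python
"""Toy model of stub-resolver source port randomization versus a sequential NAT.

Added example for illustration only; the resolver, NAT and attacker models are
assumptions, not the behaviour of any particular implementation.
"""
import random

TXID_SPACE = 1 << 16          # DNS transaction ID is 16 bits
EPHEMERAL_LOW = 1024          # assumed: stub uses ports 1024..65535
PORT_CHOICES = (1 << 16) - EPHEMERAL_LOW


class RandomizingStub:
    """Stub resolver that picks a fresh random source port and TXID per query."""

    def __init__(self, rng):
        self.rng = rng

    def query(self):
        sport = self.rng.randrange(EPHEMERAL_LOW, 1 << 16)
        txid = self.rng.randrange(TXID_SPACE)
        return sport, txid


class SequentialNAT:
    """Assumed NAT: rewrites each new flow's source port to the next free external port."""

    def __init__(self, first=EPHEMERAL_LOW):
        self.next_port = first
        self.table = {}   # external port -> inside port

    def translate(self, inside_port):
        ext = self.next_port
        self.next_port = ext + 1 if ext < 65535 else EPHEMERAL_LOW
        self.table[ext] = inside_port
        return ext


def observed_flow(stub, nat):
    """(external port, TXID) as seen on the wire outside the NAT."""
    sport, txid = stub.query()
    return nat.translate(sport), txid


def predict_next_port(previous_ports):
    """Off-path attacker's guess against a sequential NAT: last port plus one."""
    return previous_ports[-1] + 1


def guess_space(port_predictable):
    """(port, TXID) combinations an off-path spoofer must cover per query."""
    return TXID_SPACE if port_predictable else TXID_SPACE * PORT_CHOICES


def simulate(n_queries, seed=1, behind_nat=True):
    """Count how often the attacker's port prediction matches the next flow.

    Returns (correct_predictions, predictions_made).
    """
    rng = random.Random(seed)
    stub = RandomizingStub(rng)
    nat = SequentialNAT()
    seen_ports = []
    hits = 0
    for _ in range(n_queries):
        if behind_nat:
            port, _txid = observed_flow(stub, nat)
        else:
            port, _txid = stub.query()
        if seen_ports and predict_next_port(seen_ports) == port:
            hits += 1
        seen_ports.append(port)
    return hits, n_queries - 1


if __name__ == "__main__":
    print("behind sequential NAT:", simulate(100, behind_nat=True))
    print("direct to resolver:   ", simulate(100, behind_nat=False))
    print("guess space, port predictable:", guess_space(True))
    print("guess space, port random:     ", guess_space(False))
```

Behind the modelled NAT every prediction lands, so the spoofer is back to guessing only the 16-bit TXID; without the NAT the randomized port multiplies the search space by roughly 64k. The simulation says nothing about NATs that preserve or randomize ports, which is exactly why the post's "it won't hurt to try" still holds.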

