[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10
Peter van Dijk
peter.van.dijk at powerdns.com
Mon Jun  6 15:51:55 UTC 2016

Hello Paul,
On 5 Jun 2016, at 20:29, Paul Wouters wrote:
> On Fri, 3 Jun 2016, Phil Regnauld wrote:
>
> systemd-resolved requires a forwarder. It is not a full DNS recursive
> server. So source port randomization is pretty useless as you are most
> likely just doing DNS on the local network.
As others said, many machines are pointed at 8.8.8.8, providing a clear 
‘outside’ path for attackers to sit on (or ‘off’). Source port 
randomisation is very useful in this case because systemd-resolved also 
caches, and thus is much more prone to poisoning than a simple stub like 
the one in libc is.
As for the NAT argument I read somewhere in the thread, yes, NAT often 
demolishes your randomised ports. But machines behind NAT are not the 
primary audience for a spoofing attack (and besides, “some networks 
will derandomise your ports” is not a real argument against 
randomisation). Machines out on the Internet, that you can convince to 
do queries for you (like by talking to their SMTP for a bit) are the 
audience, and those will benefit hugely from port randomisation between 
systemd-resolved and their upstream resolver (which often is 8.8.8.8 
these days, even for servers!).
Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
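As an added illustration of the point made above (not part of the original mail or of any PowerDNS or systemd code), the snippet below estimates how much a caching forwarder gains from source port randomisation: it takes the source ports observed on outgoing queries, estimates their entropy, and applies the RFC 5452 model to the 16-bit TXID plus that port entropy. The port samples are constructed, and the function names are mine.

```python
import math
import random
from collections import Counter

TXID_BITS = 16  # the DNS transaction ID is a 16-bit field

# Constructed samples (not real captures): the UDP source ports seen on
# 200 outgoing queries from two hypothetical forwarders.
FIXED_PORTS = [53] * 200  # forwarder that always sends from port 53
_rng = random.Random(2016)
RANDOM_PORTS = [_rng.randrange(1024, 65536) for _ in range(200)]


def port_entropy_bits(ports):
    """Shannon entropy (bits) of the observed source-port distribution.

    This is only a lower bound on the resolver's real port entropy: with
    n samples the estimate can never exceed log2(n), so treat it as a
    screening check, not a precise measurement."""
    counts = Counter(ports)
    total = len(ports)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def spoof_success_probability(entropy_bits, forged_replies):
    """Chance that at least one of `forged_replies` distinct guesses hits
    the (TXID, source port) pair of one outstanding query."""
    search_space = 2 ** entropy_bits
    return min(1.0, forged_replies / search_space)


def assess_forwarder(ports, forged_replies=1000):
    """Summarise the exposure of a caching forwarder that uses these
    source ports, for one race window of `forged_replies` packets."""
    port_bits = port_entropy_bits(ports)
    total_bits = TXID_BITS + port_bits
    p = spoof_success_probability(total_bits, forged_replies)
    return {
        "port_entropy_bits": round(port_bits, 2),
        "total_entropy_bits": round(total_bits, 2),
        "p_success_per_race": p,
        "expected_races": math.inf if p == 0 else 1 / p,
    }


if __name__ == "__main__":
    for name, ports in (("fixed port", FIXED_PORTS), ("random ports", RANDOM_PORTS)):
        print(name, assess_forwarder(ports))
```

Feed `port_entropy_bits` the source ports from a capture of your own forwarder's upstream traffic (after any NAT, if you want to see what the upstream actually observes) to check whether randomisation survives in practice.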