
Thread: 12.04 running DNSMASQ by default

  1. #1
    Join Date
    Jun 2011
    Location
    The Shadow Gallery
    Beans
    6,744

    12.04 running DNSMASQ by default

    In 12.04 dnsmasq is now running by default due to being hardcoded into Network Manager.

    Potentially bad idea (ever heard of DNS cache poisoning or MITM attacks?)

    12.04 Release Notes

    5th Bullet Point.

    It's built into Network Manager now.

    Running a local DNS caching server where your resolver is localhost or 127.0.0.1 may speed up DNS resolution but may also pose potential security risks.

    You may do the following to disable it if you don't want it used, though it doesn't appear to be caching by default (you can test with the dig command)


    so


    Code:
    sudo nano /etc/NetworkManager/NetworkManager.conf

    (the above is case sensitive so capital N)

    and comment out the

    Code:
    dns=dnsmasq

    line then do a

    Code:
    sudo restart network-manager

    Peace
    Last edited by haqking; April 29th, 2012 at 04:13 PM.
    Backtrack - Giving machine guns to monkeys since 2006
    Kali-Linux - Adding a grenade launcher to the machine guns since 2013
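
The workaround from post #1 as a repeatable script, with a check of whether the resolver points at loopback. This is an added example, not part of any post in this thread; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. File paths are arguments so the functions can be tried
# on copies before touching anything under /etc.

# Comment out an active "dns=dnsmasq" line in a NetworkManager.conf file.
# Prints "changed" or "unchanged"; keeps a .bak copy when it edits.
disable_nm_dnsmasq() {
    conf=$1
    [ -f "$conf" ] || { echo "missing"; return 1; }
    if grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq[[:space:]]*$' "$conf"; then
        cp -p "$conf" "$conf.bak"
        # Writing through ">" keeps the original file's owner and mode.
        sed -E 's/^([[:space:]]*dns[[:space:]]*=[[:space:]]*dnsmasq[[:space:]]*)$/#\1/' \
            "$conf.bak" > "$conf"
        echo "changed"
    else
        echo "unchanged"
    fi
}

# Report whether a resolv.conf file sends queries to loopback
# (127.x.x.x or ::1), i.e. to a local forwarder such as dnsmasq.
resolver_is_local() {
    awk '$1 == "nameserver" && ($2 ~ /^127\./ || $2 == "::1") { found = 1 }
         END { print (found ? "local" : "remote") }' "$1"
}

# Constructed sample files (not real system files) to show both functions.
demo=$(mktemp -d)
printf '[main]\nplugins=ifupdown,keyfile\ndns=dnsmasq\n' > "$demo/NetworkManager.conf"
printf 'nameserver 127.0.0.1\n' > "$demo/resolv.conf"
echo "config:   $(disable_nm_dnsmasq "$demo/NetworkManager.conf")"
echo "resolver: $(resolver_is_local "$demo/resolv.conf")"
rm -rf "$demo"
```

On a real 12.04 system the first function would be run as root against /etc/NetworkManager/NetworkManager.conf, followed by the `sudo restart network-manager` step from the post; the second can then be pointed at /etc/resolv.conf to confirm the resolver no longer points at loopback.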

  2. #2
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: 12.04 running DNSMASQ by default

    *shakes head*

    Yeah...Umm I am a little disappointed in this, all I can say is that Canonical was on drugs with this one.

    That's good advice haqking

  3. #3
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: 12.04 running DNSMASQ by default

    I'm not really sure why they decided to do this anyhow, seeing as DNS lookups are pretty quick to begin with and most web browsers prefetch and cache addresses.

    Thanks for the workaround, haqking.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  4. #4
    Join Date
    Sep 2006
    Beans
    5

    Re: 12.04 running DNSMASQ by default

    Dnsmasq is running with caching disabled. There is no security risk.

  5. #5
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,769
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: 12.04 running DNSMASQ by default

    Quote Originally Posted by mdeslaur
    Dnsmasq is running with caching disabled. There is no security risk.

    Source on this?

    EDIT : Nevermind found one for you : http://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/

    If that is the case -- then I have had my faith slightly restored, though I still think it was a stupid move. There are other issues with dnsmasq *cough* TFTP/pxe...
    Last edited by Dangertux; April 29th, 2012 at 04:39 AM.

  6. #6
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: 12.04 running DNSMASQ by default

    Quote Originally Posted by Dangertux
    Source on this?

    EDIT : Nevermind found one for you : http://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/

    If that is the case -- then I have had my faith slightly restored, though I still think it was a stupid move. There are other issues with dnsmasq *cough* TFTP/pxe...

    Saw it mentioned here:

    http://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/

    It's at bullet number 5 in the page Haqking linked to.

    EDIT: Ninja'd me.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  7. #7
    Join Date
    Sep 2006
    Beans
    5

    Re: 12.04 running DNSMASQ by default

    If you believe there are other security issues with the use of dnsmasq, please file a bug detailing the issue and the exact attack scenario. Thanks.

  8. #8
    Join Date
    Feb 2011
    Location
    new york state
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: 12.04 running DNSMASQ by default

    after reading this
    https://bugs.launchpad.net/ubuntu/+s...sp/+bug/955785
    and
    https://bugs.launchpad.net/ubuntu/+s...er/+bug/959037

    I wanted to take it down as it is an ugly hack and there is movement already
    Last edited by josephmills; April 29th, 2012 at 08:00 AM.
    Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men, even when they exercise influence and not authority

  9. #9
    Join Date
    Mar 2007
    Beans
    51

    Re: WARNING: 12.04 running DNSMASQ by default

    Thanks. Upon upgrade I could not resolve DNS at all with this. I had previously configured unbound for local DNS to get by stupid Time Warner's NXDOMAIN hijacking. I was scratching my head trying to figure out how to stop dnsmasq from starting.

  10. #10
    Join Date
    Sep 2011
    Beans
    1,531

    Re: 12.04 running DNSMASQ by default

    Quote Originally Posted by Dangertux
    Source on this?

    EDIT : Nevermind found one for you : http://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/

    If that is the case -- then I have had my faith slightly restored, though I still think it was a stupid move. There are other issues with dnsmasq *cough* TFTP/pxe...

    OK, so help out us humans that don't really understand the details of how DNS cache poisoning or MITM attacks are carried out. Have you downgraded the threat level based on that link? Or is it still significant enough that everyone should implement the workaround?
