[Bug 1683884] Re: openresolv is less crippled than debian-resolvconf for security-focused configurations
Launchpad Bug Tracker
1683884 at bugs.launchpad.net
Wed Apr 19 16:51:51 UTC 2017
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: resolvconf (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1683884
Title:
openresolv is less crippled than debian-resolvconf for security-focused configurations
Status in resolvconf package in Ubuntu:
Confirmed
Bug description:
Ubuntu relies on Debian's own "resolvconf" which is vastly inferior to
Openresolv and makes it impossible to securely set up DNS servers for
ephemeral secure tunnel interfaces.
Specifically, Debian's "resolvconf" relies on a hard coded list of
interface templates. For virtual interfaces or renamed interfaces --
such as those used for creating secure tunnels -- the DNS entries will
be lowest priority. This means it's not possible to override the
current DNS with a DNS bound to particular arbitrarily-named
interface. In other words, Debian's "resolvconf" explicitly ties
interface naming templates to interface metrics. Openresolv has the
`-m` option for this. Using `-m 0` will give an interface's DNS
servers top priority.
Secondly, and importantly, Debian's "resolvconf" does not support the
`-x` option, which specifies that the DNS servers of an interface should
be the _exclusive_ servers in use. This option is necessary to prevent
leaking DNS queries over another interface. Even with the
aforementioned `-m 0` option, an attacker could DoS the top priority
DNS server in order to leak queries to the second priority DNS server.
Openresolv's `-x` option fixes this, by allowing marking an interface
as having "exclusive" control over DNS.
Therefore, I'd suggest that either:
a) Ubuntu switch to using Openresolv by default instead of its own "resolvconf". The openresolv package already "Provides: resolvconf", so it should be a drop-in replacement; or
b) Debian's "resolvconf" backport these useful and necessary features from Openresolv.
For my specific usage, the recommendation in
https://bugs.launchpad.net/ubuntu/+source/resolvconf/+bug/1680811
might work as a fix for the `-m 0` issue, but it is less than ideal
and does accomplish `-x`. Therefore, I recommend doing either (a) or
(b), preferably (a).
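The two openresolv options the report relies on, shown as an added example that is not part of the bug report or of either resolvconf implementation; the interface name tun0 and the resolver address 10.8.0.1 are placeholders, and the check function only reads a resolv.conf-style file, so it runs without openresolv installed:

```shell
# Added example (not from the bug report). Placeholder values: tun0, 10.8.0.1.

# Register a tunnel's resolvers with openresolv. -m 0 gives this interface
# the lowest metric (top of the merged file) regardless of its name; -x marks
# it exclusive, so resolvers from every other interface are left out entirely
# and there is no second-priority server for queries to fall through to.
add_tunnel_dns() {
    iface=$1; shift
    for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done |
        resolvconf -a "$iface" -m 0 -x
}

# Withdraw the entry when the tunnel goes down.
del_tunnel_dns() {
    resolvconf -d "$1"
}

# Defender's check: succeed only if FILE lists at least one nameserver and
# every nameserver is one of the expected tunnel resolvers. Any other entry
# is the leak path the report describes: if the first server is knocked out,
# the stub resolver simply tries the next one.
check_exclusive() {
    file=$1; shift
    count=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$file"); do
        count=$((count + 1))
        ok=0
        for want in "$@"; do [ "$ns" = "$want" ] && ok=1; done
        [ "$ok" -eq 1 ] || { echo "leak path: $ns" >&2; return 1; }
    done
    [ "$count" -gt 0 ] || { echo "no nameserver at all" >&2; return 1; }
    return 0
}

# Typical use after bringing the tunnel up (requires openresolv):
#   add_tunnel_dns tun0 10.8.0.1 && check_exclusive /etc/resolv.conf 10.8.0.1
```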