authorStéphane Graber <stephane.graber@canonical.com>2015-10-29 15:12:32 +0100
committerLubomir Rintel <lkundrak@v3.sk>2015-10-30 10:16:49 +0100
commite45ddaabafdaa740544ac42fc8430e4b2dc60cad (patch)
treea292c609de3da505e8f99369e7524a4c81d54287
parentdbb4434fa6ef4a9bee36797e4f4ce19af693d049 (diff)
downloadNetworkManager-e45ddaabafdaa740544ac42fc8430e4b2dc60cad.tar.gz
Update dnsmasq parameters
Disable caching since it's a potential security issue (local DNS cache poisoning). See also: https://blueprints.launchpad.net/ubuntu/+spec/foundations-p-dns-resolving
-rw-r--r--src/dns-manager/nm-dns-dnsmasq.c6
-rw-r--r--src/dns-manager/nm-dns-manager.c6
2 files changed, 6 insertions, 6 deletions
diff --git a/src/dns-manager/nm-dns-dnsmasq.c b/src/dns-manager/nm-dns-dnsmasq.c
index 56835b564c..84c2701eb9 100644
--- a/src/dns-manager/nm-dns-dnsmasq.c
+++ b/src/dns-manager/nm-dns-dnsmasq.c
@@ -274,9 +274,9 @@ start_dnsmasq (NMDnsDnsmasq *self)
argv[idx++] = "--no-hosts"; /* don't use /etc/hosts to resolve */
argv[idx++] = "--bind-interfaces";
argv[idx++] = "--pid-file=" PIDFILE;
- argv[idx++] = "--listen-address=127.0.0.1"; /* Should work for both 4 and 6 */
+ argv[idx++] = "--listen-address=127.0.1.1"; /* Should work for both 4 and 6 */
argv[idx++] = "--conf-file=" CONFFILE;
- argv[idx++] = "--cache-size=400";
+ argv[idx++] = "--cache-size=0";
argv[idx++] = "--proxy-dnssec"; /* Allow DNSSEC to pass through */
argv[idx++] = "--enable-dbus=" DNSMASQ_DBUS_SERVICE;
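Review bot: The trailing comment on the new `--listen-address=127.0.1.1` line still says "Should work for both 4 and 6", but 127.0.1.1 is an IPv4 loopback address only, so the comment now misleads. I'd replace it with `/* IPv4 loopback only; must match the address written to resolv.conf */`. The new `--cache-size=0` line has no comment, and the reason given in the commit message belongs next to it so nobody re-enables the cache unknowingly, e.g. `/* no cache: avoids local DNS cache poisoning */`. start_dnsmasq's body starts and ends outside the hunk.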
@@ -368,7 +368,7 @@ update (NMDnsPlugin *plugin,
/* If all the configs lists are empty, there is just nothing to be caching --
* we cleared up the dnsmasq cache; but we should also fail the update, so
- * that we don't write 127.0.0.1 to resolv.conf.
+ * that we don't write 127.0.1.1 to resolv.conf.
*/
if (((vpn_configs && g_slist_length ((GSList *) vpn_configs) < 1) || !vpn_configs) &&
((dev_configs && g_slist_length ((GSList *) dev_configs) < 1) || !dev_configs) &&
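Review bot: The comment above the check still reads "nothing to be caching -- we cleared up the dnsmasq cache", which no longer describes a dnsmasq started with `--cache-size=0`; only the address in its last line was updated. The same stale wording remains in the update_dns comment in nm-dns-manager.c ("only uses the local caching nameserver"). I'd reword this one along the lines of `dnsmasq has no upstream servers to forward to; fail the update so that we don't write 127.0.1.1 to resolv.conf`, and say "local forwarding nameserver" in the other. Whether the code above still flushes the cache is not visible here, since update's body starts and ends outside the hunk.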
diff --git a/src/dns-manager/nm-dns-manager.c b/src/dns-manager/nm-dns-manager.c
index 2d12f66e4e..9a03ef28e4 100644
--- a/src/dns-manager/nm-dns-manager.c
+++ b/src/dns-manager/nm-dns-manager.c
@@ -757,7 +757,7 @@ update_dns (NMDnsManager *self,
;
}
- /* If caching was successful, we only send 127.0.0.1 to /etc/resolv.conf
+ /* If caching was successful, we only send 127.0.1.1 to /etc/resolv.conf
* to ensure that the glibc resolver doesn't try to round-robin nameservers,
* but only uses the local caching nameserver.
*/
@@ -765,7 +765,7 @@ update_dns (NMDnsManager *self,
if (nameservers)
g_strfreev (nameservers);
nameservers = g_new0 (char*, 2);
- nameservers[0] = g_strdup ("127.0.0.1");
+ nameservers[0] = g_strdup ("127.0.1.1");
}
#ifdef RESOLVCONF_PATH
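Review bot: The literal `"127.0.1.1"` in `nameservers[0] = g_strdup ("127.0.1.1");` has to stay identical to the `--listen-address` value in start_dnsmasq in nm-dns-dnsmasq.c, and nothing in the code ties the two together. If they drift, resolv.conf points at an address nothing answers on and resolution fails for the whole host. A single define in a shared header used in both places would remove that coupling, e.g. (suggested name) `#define NM_DNS_LOCAL_LISTEN_ADDRESS "127.0.1.1"`. This branch also appears to run for whichever plugin reported caching success, so it is worth confirming that no other caching plugin still listens on 127.0.0.1. update_dns's body starts and ends outside the hunk.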
@@ -1205,7 +1205,7 @@ dispose (GObject *object)
}
/* If we're quitting, leave a valid resolv.conf in place, not one
- * pointing to 127.0.0.1 if any plugins were active. Thus update
+ * pointing to 127.0.1.1 if any plugins were active. Thus update
* DNS after disposing of all plugins. But if we haven't done any
* DNS updates yet, there's no reason to touch resolv.conf on shutdown.
*/