systemd-resolved uses domain limited DNS servers for all requests potentially a privacy issue

Bug #1588230 reported by Andy Whitcroft
This bug affects 1 person
Affects           Status        Importance  Assigned to  Milestone
systemd           Fix Released  Unknown
systemd (Ubuntu)  Fix Released  Medium      Martin Pitt

Bug Description

When configuring a DNS server for a link for specific domains (via the Domains= ~foo syntax), systemd-resolved correctly routes requests for those domains to that DNS server. However, even without ~. on the list, it also routes all other requests there (in parallel to the primary servers), appearing to pick the fastest responder. This (to my mind) represents a privacy issue, as requests that that DNS server is not intended to see are routed there.

I would have expected the ~. syntax to allow me to request this behaviour and, in its absence, not to see general requests routed to these servers.

Tags: resolved
Martin Pitt (pitti) wrote :

To illustrate: if I have a global DNS server 1.1.1.1, and a VPN networkd device with

   DNS=2.2.2.2
   Domains= ~company

Then trying to resolve google.com should *only* hit 1.1.1.1, not 2.2.2.2.

If, OTOH, I had configured

   Domains= ~company ~.

then it's okay to hit both.

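An added model of the routing Martin describes (example code, not systemd's own): it parses the DNS= and Domains= keys of a constructed networkd config and returns the servers a name should reach, so the ~company and ~company ~. cases can be compared. The Link class, parse_network and servers_for are hypothetical helpers written for this illustration; they assume longest-suffix matching of routing domains and treat global servers, ~. and a link without Domains= as catch-all scopes.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    name: str
    dns: list = field(default_factory=list)     # servers from DNS=
    routing: set = field(default_factory=set)   # domains from Domains=, '~' stripped; "." = catch-all

def parse_network(name, text):
    """Parse the DNS= and Domains= keys of a networkd .network file (hypothetical helper)."""
    link = Link(name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        for tok in value.split():
            if key.strip() == "DNS":
                link.dns.append(tok)
            elif key.strip() == "Domains":
                # '~foo' is routing-only; a plain 'foo' search domain routes as well
                dom = tok[1:] if tok.startswith("~") else tok
                link.routing.add(dom.strip(".") or ".")
    return link

def _match_len(name, domain):
    """Labels that `domain` shares as a suffix of `name`; 0 for the "." catch-all, -1 for no match."""
    if domain == ".":
        return 0
    labels, dom = name.strip(".").split("."), domain.split(".")
    return len(dom) if labels[-len(dom):] == dom else -1

def servers_for(name, links, global_dns):
    """Servers a query for `name` should reach under the intended routing:
    every scope whose most specific matching domain is as long as the best
    match anywhere. Global servers act as a "." scope, as does a link with no
    Domains= at all, so they see a name only when no link claims it."""
    scopes = [(lnk.dns, max((_match_len(name, d) for d in lnk.routing), default=0))
              for lnk in links]
    scopes.append((global_dns, 0))
    best = max(m for _, m in scopes)
    return sorted({s for dns, m in scopes if m == best for s in dns})

# Constructed input mirroring the comment above: global 1.1.1.1, VPN link with 2.2.2.2.
GLOBAL_DNS = ["1.1.1.1"]
VPN = parse_network("vpn0", "[Network]\nDNS=2.2.2.2\nDomains= ~company\n")
VPN_ALL = parse_network("vpn0", "[Network]\nDNS=2.2.2.2\nDomains= ~company ~.\n")
```

With VPN, google.com reaches only 1.1.1.1 and intranet.company only 2.2.2.2; with VPN_ALL, google.com reaches both, which is the leak the report describes when it happens without ~. configured.
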
Martin Pitt (pitti)
Changed in systemd (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Martin Pitt (pitti) wrote :

Confirmed, and forwarded upstream: https://github.com/systemd/systemd/issues/3421

tags: added: resolved
Martin Pitt (pitti)
Changed in systemd (Ubuntu):
milestone: none → ubuntu-16.10
assignee: nobody → Martin Pitt (pitti)
Martin Pitt (pitti)
Changed in systemd (Ubuntu):
status: Triaged → Fix Committed
Changed in systemd:
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 231-9

---------------
systemd (231-9) unstable; urgency=medium

  * pid1: process zero-length notification messages again.
    Just remove the assertion, the "n" value was not used anyway. This fixes
    a local DoS due to unprocessed/unclosed fds which got introduced by the
    previous fix. (Closes: #839171) (LP: #1628687)
  * pid1: Robustify manager_dispatch_notify_fd()
  * test/networkd-test.py: Add missing writeConfig() helper function.

 -- Martin Pitt <email address hidden> Thu, 29 Sep 2016 23:39:24 +0200

Changed in systemd (Ubuntu):
status: Fix Committed → Fix Released
Changed in systemd:
status: New → Fix Released