[systemd-devel] Will *.network replace resolv.conf? What about "Options single-request"?
Lennart Poettering
lennart at poettering.net
Mon May 18 09:59:56 PDT 2015
On Fri, 15.05.15 23:01, Christian Brunotte (cb at lathspell.de) wrote:
> > Lennart Poettering <lennart at poettering.net> wrote on 15 May 2015 at 21:59:
> >
> >
> > On Mon, 04.05.15 14:57, Christian Brunotte (cb at lathspell.de) wrote:
> >
> > > Hello
> > >
> > > systemd.network(5) with Options like "DNS=" and "Domains=" looks like
> > > /etc/resolv.conf will soon be superfluous.
> > >
> > > If that's the plan, I wonder what happens to "options single-request"
> > > which I had to use on all IPv6 enabled devices. Is "ResolveOptions" just
> > > missing in Systemd or considered so "special" that will stay in libc's
> > > resolv.conf?
> >
> > What kind of bugs does this really solve?
> > DNS servers that can only process one request per client at a time?
>
> Firewalls notice outgoing UDP packets and allow response packets only within a
> configured "UDP session timeout" time span. They need this timeout as UDP has
> no opening and closing handshake like TCP. Some firewalls with "application
> layer gateways" try to be especially clever and "understand" that a DNS request
> packet only gets exactly one DNS response packet, after which they can safely
> close this port. In the case of an IPv4+IPv6 dual stack system that is no
> longer the case, though.
> The resolver can send one DNS request packet (IPv4 or IPv6 doesn't matter) that
> contains queries for both the A and AAAA entries and the resolver may answer
> them in separate packets.
> Once the first one passes the firewall, the port is closed though. The
> requestor now has to wait some seconds in the hope that he gets the second
> packet - which never happens.
Well, this is not possible with DNS (see other mail). But maybe this
really is about doing multiple parallel DNS queries from the same source IP +
port.
Right now all queries that resolved does originate from the same IP and
port. It has been requested to change this and use a new port number
for every single request, so that the 16 bits of the port can add to
the entropy when attackers want to guess DNS transaction credentials.
I wonder if, once we implement that, this might as a side-effect also make
us more compatible with such firewalls, since unlike glibc we'd then
also have the A and AAAA requests come from a different IP/port pair...
Lennart
--
Lennart Poettering, Red Hat
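The two behaviours discussed in this thread, as an added example that is not systemd-resolved's or glibc's code: it builds real DNS queries on the wire format, can send each one from its own freshly bound UDP socket (so the kernel picks a new ephemeral source port per query, adding source-port entropy to the 16-bit transaction ID), and models the "one request, one response" firewall ALG Christian describes. The firewall class, the 192.0.2.53 server address, the fixed port numbers in the simulation and all function names are constructed for illustration.

```python
"""Per-query source ports vs. one shared port, against a DNS ALG firewall model.

Added example, not systemd or glibc code. The firewall model is constructed to
match the behaviour described in the thread: a pinhole opens for an outbound
query and closes after the first response that uses it.
"""
import os
import socket
import struct

QTYPE_A = 1
QTYPE_AAAA = 28


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Encode a standard query (RFC 1035 wire format, RD=1, one question, class IN)."""
    if not 0 <= txid <= 0xFFFF:
        raise ValueError("txid must fit in 16 bits")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad DNS label: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Return (txid, qname, qtype) from a packet produced by build_query."""
    txid = struct.unpack("!H", pkt[:2])[0]
    pos, labels = 12, []
    while True:
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype


def random_txid() -> int:
    """16-bit transaction ID from the OS CSPRNG (never a counter)."""
    return int.from_bytes(os.urandom(2), "big")


def new_query_socket() -> socket.socket:
    """Fresh UDP socket bound to port 0: the kernel chooses a random ephemeral
    port, so every query gets its own source port (the proposal in the reply)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", 0))
    return s


def send_query(name: str, qtype: int, server=("192.0.2.53", 53), timeout=2.0):
    """Live lookup (needs network): one socket per query, reply matched on txid."""
    pkt = build_query(name, qtype, random_txid())
    with new_query_socket() as s:
        s.settimeout(timeout)
        s.sendto(pkt, server)
        resp, _ = s.recvfrom(4096)
    if resp[:2] != pkt[:2]:
        raise RuntimeError("transaction ID mismatch, reply discarded")
    return resp


class OneResponseAlgFirewall:
    """Constructed model: pinhole keyed on (client port, server) opens on an
    outbound query and is closed as soon as one response has passed through."""

    def __init__(self):
        self.pinholes = set()
        self.dropped = 0

    def outbound(self, src_port, server):
        self.pinholes.add((src_port, server))

    def inbound(self, dst_port, server) -> bool:
        key = (dst_port, server)
        if key in self.pinholes:
            self.pinholes.discard(key)  # "exactly one response", then closed
            return True
        self.dropped += 1
        return False


def simulate_dual_stack_lookup(shared_source_port: bool) -> int:
    """Send an A and an AAAA query in parallel through the model firewall.
    shared_source_port=True mimics glibc (both from one socket); False mimics
    a fresh socket, and thus port, per query. Returns answers that got back."""
    fw = OneResponseAlgFirewall()
    server = ("192.0.2.53", 53)  # constructed, TEST-NET-1
    ports = [40000, 40000] if shared_source_port else [40000, 40001]
    queries = [(p, build_query("example.com", qt, random_txid()))
               for p, qt in zip(ports, (QTYPE_A, QTYPE_AAAA))]
    for port, _ in queries:           # both queries leave before any reply
        fw.outbound(port, server)
    delivered = 0
    for port, pkt in queries:         # server answers each question separately
        parse_query(pkt)              # would be matched against the reply txid
        if fw.inbound(port, server):
            delivered += 1
    return delivered


if __name__ == "__main__":
    print("shared port, answers delivered:", simulate_dual_stack_lookup(True))
    print("port per query, answers delivered:", simulate_dual_stack_lookup(False))
```

With one shared source port the second answer (usually the AAAA) is dropped and the client sits in its timeout, which is exactly what `options single-request` papers over by serialising the two queries; with a socket per query both answers pass, and an attacker spoofing a reply now has to guess port and txid together.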