From: =?utf-8?q?St=C3=A9phane_Graber?= <stephane.graber@canonical.com>
Date: Thu, 12 May 2016 22:44:06 +0800
Subject: Update dnsmasq parameters
Disable dnsmasq's cache, since a local cache is a potential security issue (local DNS cache poisoning).
See also: https://blueprints.launchpad.net/ubuntu/+spec/foundations-p-dns-resolving
---
src/dns/nm-dns-dnsmasq.c | 4 ++--
src/dns/nm-dns-manager.c | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
Index: network-manager-1.20.0/src/dns/nm-dns-dnsmasq.c
===================================================================
--- network-manager-1.20.0.orig/src/dns/nm-dns-dnsmasq.c
+++ network-manager-1.20.0/src/dns/nm-dns-dnsmasq.c
@@ -336,8 +336,8 @@ start_dnsmasq (NMDnsDnsmasq *self)
argv[idx++] = "--no-hosts"; /* don't use /etc/hosts to resolve */
argv[idx++] = "--bind-interfaces";
argv[idx++] = "--pid-file=" PIDFILE;
- argv[idx++] = "--listen-address=127.0.0.1"; /* Should work for both 4 and 6 */
- argv[idx++] = "--cache-size=400";
+ argv[idx++] = "--listen-address=127.0.1.1"; /* Should work for both 4 and 6 */
+ argv[idx++] = "--cache-size=0";
argv[idx++] = "--clear-on-reload"; /* clear cache when dns server changes */
argv[idx++] = "--conf-file=/dev/null"; /* avoid loading /etc/dnsmasq.conf */
argv[idx++] = "--proxy-dnssec"; /* Allow DNSSEC to pass through */
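Review bot: With `--cache-size=0` on the new line, the `--clear-on-reload` argument that follows it no longer has a cache to clear, and its comment `/* clear cache when dns server changes */` now describes a no-op; either drop that argument or reword the comment to `/* no-op while --cache-size=0; kept so re-enabling the cache stays safe */` so the next reader does not assume a cache exists. The new `--listen-address=127.0.1.1` also keeps the old remark `/* Should work for both 4 and 6 */`, which is questionable for a fixed IPv4 literal and is worth restating as what is actually meant (presumably that the glibc resolver reaches it for both A and AAAA queries; confirm). The same literal 127.0.1.1 is hard-coded again in nm-dns-manager.c in this patch; a shared `#define` would keep the listener and the resolv.conf entry from drifting apart. start_dnsmasq continues outside this hunk.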
Index: network-manager-1.20.0/src/dns/nm-dns-manager.c
===================================================================
--- network-manager-1.20.0.orig/src/dns/nm-dns-manager.c
+++ network-manager-1.20.0/src/dns/nm-dns-manager.c
@@ -1485,12 +1485,12 @@ update_dns (NMDnsManager *self,
NM_CAST_STRV_CC (nameservers),
NM_CAST_STRV_CC (options));
- /* If caching was successful, we only send 127.0.0.1 to /etc/resolv.conf
+ /* If caching was successful, we only send 127.0.1.1 to /etc/resolv.conf
* to ensure that the glibc resolver doesn't try to round-robin nameservers,
* but only uses the local caching nameserver.
*/
if (caching) {
- const char *lladdr = "127.0.0.1";
+ const char *lladdr = "127.0.1.1";
if (NM_IS_DNS_SYSTEMD_RESOLVED (priv->plugin)) {
/* systemd-resolved uses a different link-local address */
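Review bot: The comment block above the new `lladdr` assignment still says "If caching was successful" and "the local caching nameserver", but this patch turns dnsmasq's cache off (`--cache-size=0` in nm-dns-dnsmasq.c), so the wording now misstates why 127.0.1.1 is written to /etc/resolv.conf. Suggest `/* If the local dnsmasq forwarder started, we only send 127.0.1.1 to`, `* /etc/resolv.conf so glibc does not round-robin across nameservers but`, `* always uses the local forwarder (its cache is disabled; see nm-dns-dnsmasq.c). */`. The `caching` flag itself is set outside this hunk and appears to mean "local forwarder is up" rather than "cache enabled"; renaming it is beyond this hunk but worth noting. update_dns starts before this hunk and continues past it.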
@@ -1832,7 +1832,7 @@ nm_dns_manager_stop (NMDnsManager *self)
_LOGT ("stopping...");
/* If we're quitting, leave a valid resolv.conf in place, not one
- * pointing to 127.0.0.1 if dnsmasq was active. But if we haven't
+ * pointing to 127.0.1.1 if dnsmasq was active. But if we haven't
* done any DNS updates yet, there's no reason to touch resolv.conf
* on shutdown.
*/