Debian Bug report logs - #860564
openresolv is less crippled than debian-resolvconf for security-focused configurations

Package: resolvconf; Maintainer for resolvconf is resolvconf maintainers <resolvconf-devel@lists.alioth.debian.org>; Source for resolvconf is src:resolvconf (PTS, buildd, popcon).

Reported by: "Jason A. Donenfeld" <Jason@zx2c4.com>

Date: Tue, 18 Apr 2017 17:45:01 UTC

Severity: normal



Report forwarded to debian-bugs-dist@lists.debian.org, resolvconf maintainers <resolvconf-devel@lists.alioth.debian.org>:
Bug#860564; Package resolvconf. (Tue, 18 Apr 2017 17:45:04 GMT)


Acknowledgement sent to "Jason A. Donenfeld" <Jason@zx2c4.com>:
New Bug report received and forwarded. Copy sent to resolvconf maintainers <resolvconf-devel@lists.alioth.debian.org>. (Tue, 18 Apr 2017 17:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: submit@bugs.debian.org
Subject: openresolv is less crippled than debian-resolvconf for security-focused configurations
Date: Tue, 18 Apr 2017 19:36:07 +0200
Package: resolvconf

Debian has its own "resolvconf" which is vastly inferior and makes it
impossible to securely set up DNS servers for ephemeral secure tunnel
interfaces.

Specifically, Debian's "resolvconf" relies on a hard-coded list of
interface templates. For virtual interfaces or renamed interfaces --
such as those used for creating secure tunnels -- the DNS entries will
be lowest priority. This means it's not possible to override the
current DNS with a DNS bound to particular arbitrarily-named
interface. In other words, Debian's "resolvconf" explicitly ties
interface naming templates to interface metrics. Openresolv has the
`-m` option for this. Using `-m 0` will give an interface's DNS
servers top priority.

Secondly, and importantly, Debian's "resolvconf" does not support the
`-x` option, which specifies that the DNS servers of an interface should
be the _exclusive_ servers in use. This option is necessary to prevent
leaking DNS queries over another interface. Even with the
aforementioned `-m 0` option, an attacker could DoS the top priority
DNS server in order to leak queries to the second priority DNS server.
Openresolv's `-x` option fixes this, by allowing marking an interface
as having "exclusive" control over DNS.

Therefore, I'd suggest that either:
a) Debian switch to using Openresolv by default instead of its own
"resolvconf". The openresolv package already "Provides: openresolv",
so it should be a drop-in replacement; or
b) Debian's "resolvconf" backport these useful and necessary features
from Openresolv.
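The priority and exclusivity behaviour the report describes, as an added illustration that is not code from the bug report or from openresolv. It is a deliberately simplified model of how openresolv merges per-interface DNS entries: lower metric (`-m`) wins, and an exclusive (`-x`) interface suppresses every other interface's servers. The interface names, addresses and the default metric of 1000 are constructed assumptions.

```python
from dataclasses import dataclass

DEFAULT_METRIC = 1000  # assumed default for an interface registered without -m


@dataclass
class Iface:
    """One interface's DNS registration, as passed to `resolvconf -a`."""
    name: str
    nameservers: list
    metric: int = DEFAULT_METRIC   # openresolv -m
    exclusive: bool = False        # openresolv -x


def merge(ifaces):
    """Return the nameserver order that would be written to resolv.conf.

    Simplified model: sort by metric, then, if any interface is exclusive,
    keep only the highest-priority exclusive one so no fallback remains.
    """
    ordered = sorted(ifaces, key=lambda i: (i.metric, i.name))
    exclusive = [i for i in ordered if i.exclusive]
    if exclusive:
        ordered = [exclusive[0]]
    out = []
    for iface in ordered:
        for ns in iface.nameservers:
            if ns not in out:
                out.append(ns)
    return out


def can_leak(ifaces, tunnel):
    """True if resolv.conf still lists a server outside the tunnel.

    A resolver falls through to the next nameserver when the first one
    times out, so any non-tunnel entry is a fallback an attacker can force.
    """
    tunnel_ns = set(next(i for i in ifaces if i.name == tunnel).nameservers)
    return any(ns not in tunnel_ns for ns in merge(ifaces))


def scenario(metric=None, exclusive=False):
    """Constructed example: a LAN interface plus an arbitrarily named tunnel."""
    lan = Iface("eth0", ["192.0.2.53"], metric=10)  # assumed template-matched metric
    tun = Iface("sec-tunnel0", ["10.0.0.1"],
                metric=DEFAULT_METRIC if metric is None else metric,
                exclusive=exclusive)
    return [lan, tun]
```

Without options the tunnel's server lands last; `-m 0` moves it first but leaves the LAN server as a fallback, and only `-m 0 -x` removes the fallback entirely.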



Information forwarded to debian-bugs-dist@lists.debian.org, resolvconf maintainers <resolvconf-devel@lists.alioth.debian.org>:
Bug#860564; Package resolvconf. (Tue, 18 Apr 2017 17:57:04 GMT)


Acknowledgement sent to "Jason A. Donenfeld" <Jason@zx2c4.com>:
Extra info received and forwarded to list. Copy sent to resolvconf maintainers <resolvconf-devel@lists.alioth.debian.org>. (Tue, 18 Apr 2017 17:57:04 GMT)


Message #10 received at 860564@bugs.debian.org:

From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: 860564@bugs.debian.org
Date: Tue, 18 Apr 2017 19:46:16 +0200
Sorry, a small typo:

The openresolv package already "Provides: resolvconf", so it should be
a drop-in replacement.





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jun 27 22:12:06 2019; Machine Name: buxtehude
