systemd-resolved: please do not use Google public DNS by default
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| systemd | New | Undecided | Unassigned | |
| systemd (Debian) | Fix Released | Unknown | | |
| systemd (Ubuntu) | Fix Released | Low | Dimitri John Ledkov | |
| Zesty | Fix Released | Low | Unassigned | |
| Artful | Fix Released | Low | Dimitri John Ledkov | |
Bug Description
[Impact]
systemd-resolved will fall back to Google public DNS (8.8.8.8, etc.) in the absence of other configured DNS servers.
systemd-resolved is not enabled by default in Ubuntu 15.04, but it is installed by default and will behave in this way if enabled by the user.
```
$ cat /etc/systemd/
(...)
# Entries in this file show the compile time defaults.
(...)
#FallbackDNS=
```
This raises privacy concerns, since in the event of accidental misconfiguration DNS queries will be sent unencrypted across the internet, and potentially also security concerns, given that systemd-resolved does not perform DNSSEC validation and is not particularly well hardened against malicious responses, e.g. from a MITM (http://
I believe that it would be better to fail safe if no DNS server is configured, i.e. have DNS lookups fail; it is better that the user becomes aware of their misconfiguration than that their queries are silently sent to Google. The user can intentionally opt to use Google public DNS if they wish.
[Testcase]
Steps to reproduce:
1. Remove existing DNS configuration (from /etc/network/
2. Reboot, or otherwise clear relevant state
3. sudo service systemd-resolved start
4. Note that Google's servers are listed in /run/systemd/
5. If systemd-resolved is enabled in /etc/nsswitch.conf (it isn't by default), observe that DNS lookups probably still work, and queries are being sent to one of Google's servers
Possible workaround/bugfix: ship a resolved.conf which clears the FallbackDNS parameter.
[Solution]
In Ubuntu, we disable fallback DNS at build time via build-system configuration flags.
This issue has been discussed in the Debian BTS (https:/
[Regression Potential]
Misconfigured networks that do not have a DNS server would previously magically work because Google DNS was preconfigured regardless. With this change, such network configurations will fail to work, and one will have to fix the network configuration properly to point at the right (existing) name server.
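The workaround in the testcase (ship a resolved.conf that clears FallbackDNS) only works if the assignment is uncommented: the `#FallbackDNS=` line in the shipped file merely displays the compile-time default and overrides nothing. The POSIX shell script below is an added example, not part of the bug report or of systemd; it evaluates a resolved.conf together with its drop-ins using resolved's list semantics (an empty `FallbackDNS=` resets the list, a non-empty one appends), reports whether the fallback is still the compile-time default, explicitly cleared, or an explicit server list, and writes the clearing drop-in. The config-root parameter, the drop-in file name `no-fallback-dns.conf`, and the sample configuration it builds in a temporary directory are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the bug report or from systemd: evaluate the effective
# FallbackDNS= setting of a resolved.conf plus drop-ins, and write the drop-in that
# clears it (the "ship a resolved.conf which clears FallbackDNS" workaround).

# Evaluate config text on stdin with the list semantics resolved uses: inside
# [Resolve], an uncommented empty "FallbackDNS=" resets the list and a non-empty
# one appends. Prints DEFAULT if no uncommented assignment was seen (the
# compile-time default, i.e. the Google servers in this bug, still applies),
# NONE if the list was explicitly cleared, otherwise the resulting server list.
effective_fallback_dns() {
    awk '
        /^[ \t]*[#;]/ { next }   # commented lines such as "#FallbackDNS=" override nothing
        /^[ \t]*\[/ { in_resolve = ($0 ~ /^[ \t]*\[Resolve\][ \t]*$/); next }
        in_resolve && /^[ \t]*FallbackDNS[ \t]*=/ {
            seen = 1
            sub(/^[ \t]*FallbackDNS[ \t]*=[ \t]*/, "")
            gsub(/[ \t]+$/, "")
            gsub(/[ \t]+/, " ")
            if ($0 == "") list = ""
            else list = (list == "") ? $0 : list " " $0
        }
        END {
            if (!seen) print "DEFAULT"
            else if (list == "") print "NONE"
            else print list
        }
    '
}

# Read the files in the order resolved applies them: resolved.conf first, then
# resolved.conf.d/*.conf sorted by name. $1 is the config root (assumption: the
# layout of /etc/systemd, passed as a parameter so it can be run against a copy).
effective_fallback_dns_in() {
    dir=$1
    {
        if [ -f "$dir/resolved.conf" ]; then cat "$dir/resolved.conf"; fi
        for f in "$dir"/resolved.conf.d/*.conf; do
            if [ -f "$f" ]; then cat "$f"; fi
        done
    } | effective_fallback_dns
}

# Write the drop-in that clears the fallback, leaving the packaged resolved.conf
# untouched. The file name no-fallback-dns.conf is an assumption of this example.
write_no_fallback_dropin() {
    dir=$1
    mkdir -p "$dir/resolved.conf.d"
    printf '[Resolve]\nFallbackDNS=\n' > "$dir/resolved.conf.d/no-fallback-dns.conf"
}

# Demo on a constructed copy of the shipped configuration (mirrors the
# "#FallbackDNS=" comment quoted in the bug), not on the live /etc/systemd.
demo=$(mktemp -d)
printf '[Resolve]\n# Entries in this file show the compile time defaults.\n#FallbackDNS=\n' > "$demo/resolved.conf"
echo "shipped config: $(effective_fallback_dns_in "$demo")"   # DEFAULT
write_no_fallback_dropin "$demo"
echo "with drop-in:   $(effective_fallback_dns_in "$demo")"   # NONE
rm -rf "$demo"
```

Running `effective_fallback_dns_in /etc/systemd` on a real host tells you which of the three states the machine is in; a drop-in sorted after `no-fallback-dns.conf` that assigns a non-empty list re-enables a fallback, which is how a user who deliberately wants Google public DNS can opt back in without touching the packaged file.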
Changed in systemd (Ubuntu):
  status: New → Triaged
  importance: Undecided → Low
Changed in systemd:
  status: Unknown → Fix Released
  tags: added: resolved
  tags: added: rls-aa-incoming
Changed in systemd (Ubuntu Artful):
  assignee: nobody → Dimitri John Ledkov (xnox)
  milestone: none → ubuntu-17.06
Changed in systemd (Ubuntu Artful):
  status: Triaged → Fix Committed
Changed in systemd:
  importance: Unknown → Undecided
  status: Fix Released → New
  tags: removed: rls-aa-incoming
Changed in systemd (Debian):
  status: Unknown → Fix Released
no longer affects: systemd (Ubuntu Yakkety)
Changed in systemd (Ubuntu Zesty):
  status: Confirmed → In Progress
description: updated
description: updated
Changed in systemd (Ubuntu Zesty):
  importance: Undecided → Low
The 8.8.8.8 fallback is not only used on misconfigured systems! It’s also used for a short period while initially connecting or reconnecting to totally healthy networks with DHCP. So the excuse that privacy-conscious users should just use DHCP holds no water.
https://github.com/systemd/systemd/issues/4175#issuecomment-252571482