Dnsmasq is a security threat! Unacceptable for I2P users.

Chat about anything related to Linux Mint

Dnsmasq is a security threat! Unacceptable for I2P users.

Postby Black_Sector on Sat Aug 04, 2012 5:12 am

I do not know if this has been covered already, and I also realize it is an upstream issue. However, this needs a solution or else it is going to end up being a deal breaker for everyone who uses I2P and similar software.

The dnsmasq application is already a security threat. It makes you vulnerable to DDOS attacks and to cach exploits, and ultimately makes your entire system vulnerable. That is under the best of conditions when you are running a network or home computer, as opposed to a secured web server.

Dnsmasq listens on your computers local IP address. That was their justification for why it should be safe, since it is 'local'.

The I2P network also runs as 'local'. You type in the IP address for localhost into your proxy address when you want to access eepsites. There is other similar P2P software that also uses 'localhost'.

I first learned about the problem here.
http://ubuntuforums.org/showthread.php?t=1968061

But then when I learned that not only is it written as a dependency for your network manager to run at all now, but there are scripts to RE-WRITE it back in automatically.....Well, this is not acceptable for my purpses. It might have benefits for web servers running VPS, but it negates some of the anonimity of running programs in virtual environments and also leaves us open to exploits when using I2P, which is an important piece of software for people who live in countries that suffer from government censorship.

http://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/



I know this is not Clem' fault but Ubuntu's. Clem has done a great job on his end, but I need a sure-fix solution for this or it will unfortunately be a deal breaker for me.


I figured out how to disable it, but then my gui network manager is buggy or wont show many of my available connections. This is not a good solution but a short term bandaid and an annoyance.

A better workaround would be nice.
Even better would be an update that overwrites these changes, gets rid of those scripts, maybe installs the network manager from Mints repositories after Ubuntu does any updates without dnsmasq as a dependency.


I know for a fact that this makes you vulnerable, because I experienced it first hand :(
Black_Sector
Level 1
Level 1
 
Posts: 2
Joined: Sat Aug 04, 2012 4:56 am

Linux Mint is funded by ads and donations.
 

Re: Dnsmasq is a security threat! Unacceptable for I2P users

Postby xenopeek on Sat Aug 04, 2012 5:52 am

To get some confusion out of the way; dnsmasq does not make you vulnerable to cache exploits. It is run by default in a non-caching mode. I'm not sure why you think it makes you vulnerable to DDOS attacks? NetworkManager runs dnsmasq as follows. Cache size is set to zero, which disables the cache.
Code: Select all
/usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/sendsigs.omit.d/network-manager.dnsmasq.pid --listen-address=127.0.0.1 --conf-file=/var/run/nm-dns-dnsmasq.conf --cache-size=0 --proxy-dnssec

If you want to disable dnsmasq, edit NetworkManager's configuration file:
Code: Select all
sudo nano /etc/NetworkManager/NetworkManager.conf

Find the line:
Code: Select all
dns=dnsmasq

Replace it with:
Code: Select all
#dns=dnsmasq

Save & close the file with Ctrl+O, Enter, Ctrl+X. Then restart NetworkManager:
Code: Select all
sudo restart network-manager

I'm not familiar with anonymizing software, but you can run your own instance of dnsmasq on another address (so not on 127.0.0.1). I've done so as part of my DNSCrypt tutorial, here http://community.linuxmint.com/tutorial/view/996. The purpose of DNSCrypt is not to provide anonymity, but it may be interesting for security conscious users.
User avatar
xenopeek
Level 21
Level 21
 
Posts: 14664
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Dnsmasq is a security threat! Unacceptable for I2P users

Postby Black_Sector on Sat Aug 04, 2012 6:04 am

I promise you, the exploits exist. Not everyone is privy to them since they did not come out of the 'white hat' community, but the default settings are a security threat to anyone who who upgrades to 12.04.

I had to run rkhunter and Nmap on my system after an update and found open ports that should not have been open. Somebody was able to reset my computer remotely....which was probably a friendly way of warning me, now that I think about it.

I did not do one single thing that should have made me especially vulnerable to having a backdoor or rootkit installed other than these open ports that showed up after the most recent updates.....interestingly those ports were not open on a fresh install of Linux Mint 13, but showed up after the most recent updates. I add a desktop session from another distro, so my configuration is slightly a-typical, but I am pretty sure it was the update from Ubuntu that did it.


I tried the solution you just posted, and it messes up my router. There are also scripts installed that will re-write it right back when you do certain things, probably upgrades and updates, and I cant be scanning my computer each and every time before I go online.....though maybe I should now.


I need a better solution, and one that deals with those scripts in addition to the network manager file.

In the meantime I am going to try out Sabayon on a different hard drive, see if I can get Cinnamon working. I would be interested in a more permanant solution that wont mess up my network manager gui and functionality.
Black_Sector
Level 1
Level 1
 
Posts: 2
Joined: Sat Aug 04, 2012 4:56 am


Return to Chat about Linux Mint

Who is online

Users browsing this forum: centex and 4 guests