Dnsmasq is a security threat! Unacceptable for I2P users.
Posted: Sat Aug 04, 2012 5:12 am
I do not know if this has been covered already, and I also realize it is an upstream issue. However, this needs a solution or else it is going to end up being a deal breaker for everyone who uses I2P and similar software.
The dnsmasq application is already a security threat. It makes you vulnerable to DDOS attacks and to cach exploits, and ultimately makes your entire system vulnerable. That is under the best of conditions when you are running a network or home computer, as opposed to a secured web server.
Dnsmasq listens on your computers local IP address. That was their justification for why it should be safe, since it is 'local'.
The I2P network also runs as 'local'. You type in the IP address for localhost into your proxy address when you want to access eepsites. There is other similar P2P software that also uses 'localhost'.
I first learned about the problem here.
http://ubuntuforums.org/showthread.php?t=1968061
But then when I learned that not only is it written as a dependency for your network manager to run at all now, but there are scripts to RE-WRITE it back in automatically.....Well, this is not acceptable for my purpses. It might have benefits for web servers running VPS, but it negates some of the anonimity of running programs in virtual environments and also leaves us open to exploits when using I2P, which is an important piece of software for people who live in countries that suffer from government censorship.
http://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/
I know this is not Clem' fault but Ubuntu's. Clem has done a great job on his end, but I need a sure-fix solution for this or it will unfortunately be a deal breaker for me.
I figured out how to disable it, but then my gui network manager is buggy or wont show many of my available connections. This is not a good solution but a short term bandaid and an annoyance.
A better workaround would be nice.
Even better would be an update that overwrites these changes, gets rid of those scripts, maybe installs the network manager from Mints repositories after Ubuntu does any updates without dnsmasq as a dependency.
I know for a fact that this makes you vulnerable, because I experienced it first hand
The dnsmasq application is already a security threat. It makes you vulnerable to DDOS attacks and to cach exploits, and ultimately makes your entire system vulnerable. That is under the best of conditions when you are running a network or home computer, as opposed to a secured web server.
Dnsmasq listens on your computers local IP address. That was their justification for why it should be safe, since it is 'local'.
The I2P network also runs as 'local'. You type in the IP address for localhost into your proxy address when you want to access eepsites. There is other similar P2P software that also uses 'localhost'.
I first learned about the problem here.
http://ubuntuforums.org/showthread.php?t=1968061
But then when I learned that not only is it written as a dependency for your network manager to run at all now, but there are scripts to RE-WRITE it back in automatically.....Well, this is not acceptable for my purpses. It might have benefits for web servers running VPS, but it negates some of the anonimity of running programs in virtual environments and also leaves us open to exploits when using I2P, which is an important piece of software for people who live in countries that suffer from government censorship.
http://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/
I know this is not Clem' fault but Ubuntu's. Clem has done a great job on his end, but I need a sure-fix solution for this or it will unfortunately be a deal breaker for me.
I figured out how to disable it, but then my gui network manager is buggy or wont show many of my available connections. This is not a good solution but a short term bandaid and an annoyance.
A better workaround would be nice.
Even better would be an update that overwrites these changes, gets rid of those scripts, maybe installs the network manager from Mints repositories after Ubuntu does any updates without dnsmasq as a dependency.
I know for a fact that this makes you vulnerable, because I experienced it first hand