Dc add dns #3828
Dc add dns #3828
Conversation
kmk3
commented
Dec 15, 2020
kmk3
commented
- disable-common.inc: split bind and knot tools
- disable-common.inc: blacklist missing bind tools
- disable-common.inc: blacklist missing knot tools
- disable-common.inc: blacklist unbound tools
- dnscrypt-proxy.profile: fix section structure
- disable-common.inc: add misc dns tools
|
I'm unsure about the latest commit though; I don't know if these are used |
etc/inc/disable-common.inc
Outdated
| blacklist ${PATH}/nsupdate | ||
| blacklist ${PATH}/rndc | ||
| blacklist ${PATH}/rndc-confgen | ||
| blacklist ${PATH}/tsig-keygen |
There was a problem hiding this comment.
are files like tsig-keygen and nsec3hash (and couple of others mentioned below) really used for communicating with DNS servers?
and are they commonly used? (at least I don't have them installed on my system)
i think the idea of the file is not to blacklist any binary in existence, but the ones commonly installed and where it makes sense to have them blacklisted.
what is your opinion @rusty-snake?
There was a problem hiding this comment.
+blacklist ${PATH}/nsupdate +blacklist ${PATH}/rndc +blacklist ${PATH}/rndc-confgen +blacklist ${PATH}/tsig-keygen
are files like tsig-keygen and nsec3hash (and couple of others mentioned
below) really used for communicating with DNS servers?
Looking at the man pages for tsig-keygen / nsec3hash, they do look safe
indeed. But looking at the one for nsupdate, it is not obvious to me that it
cannot communicate with DNS servers.
Do you know which ones can be safely ignored? Should I try to come up with a
list?
and are they commonly used? (at least I don't have them installed on my
system)
Well, they are part of bind. I didn't have it installed prior to this PR
either. But if there exists a section for DNS tools, then wouldn't leaving it
incomplete give a false sense of security? Alternatively, how about moving the
section to a new disable-dns.inc? I had considered doing the latter, but I
thought that it would be a too invasive change for this PR. I can still do it
if it makes sense.
i think the idea of the file is not to blacklist any binary in existence, but
the ones commonly installed and where it makes sense to have them
blacklisted.
For reference, I just followed what was said on
#3810 (comment):
@glitsj16 commented 5 days ago
Would it be better to check each program or to merely
blacklist all binaries for safety/simplicity?For now it might be a good idea to keep things simple and just add the
suggested binaries to disable-common.inc under the "# prevent DNS malware
attempting to communicate with the server..." section. We can always add
noblacklist ${PATH}/footo relevant profiles later on. At first glance this
shouldn't break anything badly. But I'll do some more extended testing after
the weekend.
I fully agree. There seems to be a bit of a misunderstanding regarding my earlier comment. To be clear, I was only refering to |
Add the missing binaries in the DNS section, as suggested by @glitsj16: netblue30#3810 (comment) Packages and their relevant binaries: * bind: dnssec-* * knot: khost * unbound: unbound-host
Ah, I see now. When I read "the other executables mentioned on that Arch wiki" I have force-pushed adding only these 3 entries. Also, I'm not sure if |
