On Wed, 29.02.12 18:27, Simo Sorce (simo@xxxxxxxxxx) wrote: > On Thu, 2012-03-01 at 00:17 +0100, Lennart Poettering wrote: > > On Wed, 29.02.12 17:51, Simo Sorce (simo@xxxxxxxxxx) wrote: > > > > > On Wed, 2012-02-29 at 10:09 -0700, Chris Murphy wrote: > > > > On Feb 29, 2012, at 5:15 AM, drago01 wrote: > > > > > > > > > On Wed, Feb 29, 2012 at 1:02 PM, Neal Becker <ndbecker2@xxxxxxxxx> wrote: > > > > >> I think he's got a point > > > > >> > > > > >> http://www.osnews.com/story/25659/Torvalds_requiring_root_password_for_mundane_things_is_quot_moronic_quot_ > > > > > > > > > > > > > My example is mDNS being blocked in the Firewall by default *and* it requires a root password to unblocked it. Completely retarded. > > > > > > Except that mDNS is a real security issue (because you can hijack name > > > resolution quite easily with it). > > > > Can you? How so? > > > > Sure, you can muck with the .local domain, since that's the mDNS domain, > > but hey, if you are stupid enough to trust the .local domain in insecure > > networks, then it is your own fault, as the suffix ".local" kinda comes > > with this big implied label of "HEY! THIS DOMAIN IS RESOLVED FROM DATA > > MULTICASTED ON THE LOCAL LINK". > > Yeah unfortunately there are a ton of sites that use the .local suffix > for their local domain for example. Some predate mDNS hijacking of it > for 'untrusted local stuff'. Well, I don't consider this really that much of a *security* issue. Unicast DNS domains called ".local" are made entirely unavailable if mDNS is used, which is the default on MacOS and Linux. I am sure there are still setups which use .local in unicast domains, but things are not really primarily insecure for them, but they are *entirely broken* for them. That's a completely different quality. > Also you should really define 'You' here. Because the issue is that mDNS > in Fedora is inserted by default in the hosts database and IIRC before > DNS, so it get a chance to always reply before a DNS query is made. This > of course makes sense for its uses, why ask the DNS if you know this is > a .local name that the DNS should not know about ? The NSS module is authoritative for .local and .local only. It will not respond for host lookups outside this domains, and hence cannot be used to muck around with anything outside the mDNS domain .local. You cannot override normal unicast host names via multicast. Lennart -- Lennart Poettering - Red Hat, Inc. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
