[Resolvconf-devel] Bug#860564: openresolv is less crippled than debian-resolvconf for security-focused configurations

Jason A. Donenfeld Jason at zx2c4.com
Tue Apr 18 17:36:07 UTC 2017


Package: resolvconf

Debian has its own "resolvconf" which is vastly inferior and makes it
impossible to securely set up DNS servers for ephemeral secure tunnel
interfaces.

Specifically, Debian's "resolvconf" relies on a hard coded list of
interface templates. For virtual interfaces or renamed interfaces --
such as those used for creating secure tunnels -- the DNS entries will
be lowest priority. This means it's not possible to override the
current DNS with a DNS bound to a particular arbitrarily-named
interface. In other words, Debian's "resolvconf" explicitly ties
interface naming templates to interface metrics. Openresolv has the
`-m` option for this. Using `-m 0` will give an interface's DNS
servers top priority.

Secondly, and importantly, Debian's "resolvconf" does not support the
`-x` option, which specifies that the DNS servers of an interface should
be the _exclusive_ servers in use. This option is necessary to prevent
leaking DNS queries over another interface. Even with the
aforementioned `-m 0` option, an attacker could DoS the top priority
DNS server in order to leak queries to the second priority DNS server.
Openresolv's `-x` option fixes this, by allowing marking an interface
as having "exclusive" control over DNS.

Therefore, I'd suggest that either:
a) Debian switch to using Openresolv by default instead of its own
"resolvconf". The openresolv package already "Provides: openresolv",
so it should be a drop-in replacement; or
b) Debian's "resolvconf" backport these useful and necessary features
from Openresolv.
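The following is an added illustration, not code from the bug report or from openresolv: it shows the openresolv invocation for a tunnel interface with `-m 0 -x`, and a check that the resulting resolv.conf lists no fallback resolver that queries could leak to if the tunnel resolver stopped answering. The interface name `wg0` and the resolver addresses are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of openresolv itself.
# Setup for a tunnel interface with openresolv, so the tunnel's resolver
# gets top priority (-m 0) and is the only one in use (-x). Shown as
# comments because it needs root and a real interface; "wg0" and the
# addresses are assumptions:
#   printf 'nameserver 10.0.0.1\n' | resolvconf -a wg0 -m 0 -x
#   resolvconf -d wg0        # at teardown, restore the previous resolvers

# check_exclusive FILE NAMESERVER...
# Returns 0 when every nameserver line in FILE names one of the given
# tunnel resolvers, 1 (listing the strays on stderr) otherwise. A stray
# entry is the second-priority server a query could fall back to if the
# tunnel resolver stops answering.
check_exclusive() {
    file=$1; shift
    allowed=" $* "
    status=0
    while read -r key value _; do
        [ "$key" = nameserver ] || continue
        case "$allowed" in
            *" $value "*) ;;
            *) echo "leak: $value is not a tunnel resolver" >&2; status=1 ;;
        esac
    done < "$file"
    return $status
}

# demo: run the check against two constructed resolv.conf files
demo() {
    good=$(mktemp); bad=$(mktemp)
    printf 'nameserver 10.0.0.1\n' > "$good"                         # -x honoured
    printf 'nameserver 10.0.0.1\nnameserver 192.168.1.1\n' > "$bad"  # fallback left
    if check_exclusive "$good" 10.0.0.1; then echo "good: exclusive"; fi
    if ! check_exclusive "$bad" 10.0.0.1; then echo "bad: leak possible"; fi
    rm -f "$good" "$bad"
}
demo
```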


