[Dnsmasq-discuss] don't empty cache
richardvoigt at gmail.com
Tue Jun 23 17:11:25 BST 2009
On Tue, Jun 23, 2009 at 3:34 AM, Matthias Andree <matthias.andree at gmx.de> wrote:
> On 23.06.2009, at 01:17, Brad Morgan <b-morgan at concentric.net> wrote:
>
> >> dnsmasq empties its cache after restart, how to prevent it?
> >
> > Isn't the right answer to get dnsmasq off of a machine that isn't
> > stable? I have dnsmasq running on a Redhat 9 Linux machine that also
> > serves as my firewall. There are no kernel updates to worry about and
> > the system just runs and runs and runs with uptimes measured in
> > multiple months.
>
> That's something to _STRONGLY_ discourage. Kernel updates aren't required
> that often (if you feel they are, run one of the BSDs), and they aren't
> the cause for the original posting/pain anyways.
>
> Running firewalls on outdated kernels is as dangerous as it can get - some
> code injection might disable your firewall and then expose your whole LAN.

Note of course that prevention of code injection is not the kernel's role.
Limiting the damage is: a code injection attack against a user-mode process
is far more likely to achieve a successful jailbreak on an unpatched kernel,
but the user-mode process can and should be updated with no need for a
kernel-stopping reboot. And the most up-to-date kernel is completely
powerless to protect a system whose network-facing services aren't properly
restricted via user account and capabilities. Kernel updates are important,
but they aren't a panacea.

A buffer overflow in a kernel module processing incoming network data is a
different story of course, but this is a very slim attack surface,
especially on a well-configured firewall (e.g. no khttpd, knfsd, etc).
>
>
> --
> Matthias Andree