author | Martin Pitt <martin.pitt@ubuntu.com> | 2016-06-24 07:54:28 +0200
committer | GitHub <noreply@github.com> | 2016-06-24 07:54:28 +0200
commit | ceeddf79b8464469a5307a1030862c7c4fe289e9 (patch)
tree | 4ad0a49ca457e8e53789c3aea41c6284ab3ff277 /man/resolved.conf.xml
parent | a2c28c645160b4e9377db4cb40cb9f22141f2dd3 (diff)
resolved: add option to disable caching (#3592)
In some cases, caching DNS results locally is not desirable, as it makes DNS
cache poisoning attacks a tad easier and also allows users on the system to
determine whether or not a particular domain got visited by another user. Thus
provide a new "Cache" resolved.conf option to disable it.
Diffstat (limited to 'man/resolved.conf.xml')
-rw-r--r-- | man/resolved.conf.xml | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml index 920ce9e89b..024ad6a9c1 100644 --- a/man/resolved.conf.xml +++ b/man/resolved.conf.xml @@ -202,6 +202,23 @@ </listitem> </varlistentry> + <varlistentry> + <term><varname>Cache=</varname></term> + <listitem><para>Takes a boolean argument. If "yes" (the default), + resolving a domain name which already got queried earlier will re-use + the previous result as long as that is still valid, and thus does not + need to do an actual network request.</para> + + <para>However, local caching slightly increases the chance of a + successful DNS poisoning attack, and might also be a privacy problem in + some environments: By measuring the time it takes to resolve a + particular network name, a user can determine whether any other user on + the same machine recently visited that name. If either of these is a + concern, you may disable the local caching. Be aware that this comes at + a performance cost, which is <emphasis>very</emphasis> high with DNSSEC. + </para></listitem> + </varlistentry> + </variablelist> </refsect1> |
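Review bot: the last sentence of the new `Cache=` entry states that the performance cost of disabling the cache is very high with DNSSEC but does not say why; consider adding a short reason, e.g. "since every lookup must then re-fetch the DNSKEY and DS records needed to validate the chain of trust", so an administrator can weigh the privacy/poisoning trade-off described in the preceding paragraph against that cost. Two smaller wording points in the same hunk: "resolving a domain name which already got queried earlier" reads informally for a man page (suggest "a domain name that has already been resolved"), and the entry should end with an explicit "Defaults to yes." so the default is stated the same way as for the neighbouring options rather than only in a parenthesis.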