author: Martin Pitt <martin.pitt@ubuntu.com> 2016-06-24 07:54:28 +0200
committer: GitHub <noreply@github.com> 2016-06-24 07:54:28 +0200
commit: ceeddf79b8464469a5307a1030862c7c4fe289e9 (patch)
tree: 4ad0a49ca457e8e53789c3aea41c6284ab3ff277 /man
parent: a2c28c645160b4e9377db4cb40cb9f22141f2dd3 (diff)
resolved: add option to disable caching (#3592)
In some cases, caching DNS results locally is not desirable, as it makes DNS cache poisoning attacks a tad easier and also allows users on the system to determine whether or not a particular domain got visited by another user. Thus provide a new "Cache" resolved.conf option to disable it.
Diffstat (limited to 'man')
-rw-r--r-- man/resolved.conf.xml 17
1 files changed, 17 insertions, 0 deletions
diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 920ce9e89b..024ad6a9c1 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -202,6 +202,23 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Cache=</varname></term>
+ <listitem><para>Takes a boolean argument. If "yes" (the default),
+ resolving a domain name which already got queried earlier will re-use
+ the previous result as long as that is still valid, and thus does not
+ need to do an actual network request.</para>
+
+ <para>However, local caching slightly increases the chance of a
+ successful DNS poisoning attack, and might also be a privacy problem in
+ some environments: By measuring the time it takes to resolve a
+ particular network name, a user can determine whether any other user on
+ the same machine recently visited that name. If either of these is a
+ concern, you may disable the local caching. Be aware that this comes at
+ a performance cost, which is <emphasis>very</emphasis> high with DNSSEC.
+ </para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
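Review bot: the new Cache= entry leaves two things unstated that the reader needs: what bounds "as long as that is still valid" in the first <para> (the cached answer's TTL, which is also the window during which a poisoned answer, once cached, is served to every client on the host), and which value actually disables caching, since "you may disable the local caching" in the second <para> never names it; suggest "set <varname>Cache=no</varname>". A smaller wording point in the first <para>: "a domain name which already got queried earlier" reads better as "a domain name that was queried earlier".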