From 5bd7342617d2f351136aff349e8fb066035353c8 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 22 Jul 2016 20:17:23 +0200
Subject: man: rework resolved.conf's Cache= documentation

Let's not mention the supposed security benefit of turning off caching. It is really questionable, and I'd rather not create the impression that we actually believed turning off caching would be a good idea.

Instead, mention that Cache=no is implicit if a DNS server on the local host is used.
---
 man/resolved.conf.xml | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml
index 024ad6a9c1..7556c6ff31 100644
--- a/man/resolved.conf.xml
+++ b/man/resolved.conf.xml
@@ -204,19 +204,13 @@ Cache= - Takes a boolean argument. If "yes" (the default), - resolving a domain name which already got queried earlier will re-use - the previous result as long as that is still valid, and thus does not - need to do an actual network request. - - However, local caching slightly increases the chance of a - successful DNS poisoning attack, and might also be a privacy problem in - some environments: By measuring the time it takes to resolve a - particular network name, a user can determine whether any other user on - the same machine recently visited that name. If either of these is a - concern, you may disable the local caching. Be aware that this comes at - a performance cost, which is very high with DNSSEC. - + Takes a boolean argument. If "yes" (the default), resolving a domain name which already got + queried earlier will return the previous result as long as it is still valid, and thus does not result in a new + network request. Be aware that that turning off caching comes at a performance penalty, which is particularly + high when DNSSEC is used. + + Note that caching is turned off implicitly if the configured DNS server is on a host-local IP address + (such as 127.0.0.1 or ::1), in order to avoid duplicate local caching. -- cgit v1.2.3-54-g00ecf
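Review bot: the added text carries a doubled word in "Be aware that that turning off caching comes at a performance penalty"; drop one "that". In the same paragraph, "resolving a domain name which already got queried earlier will return the previous result" reads better as "resolving a domain name that has already been queried will return the previous result". The new note "caching is turned off implicitly if the configured DNS server is on a host-local IP address (such as 127.0.0.1 or ::1)" leaves open what happens when several servers are configured and only some of them are host-local; stating whether the implicit Cache=no applies per server or only when every configured server is on a host-local address would remove that ambiguity for readers deciding whether their setup still caches.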