Google is everywhere and provides free services to everyone. Amongst the huge list of services publicly available, there are the Google DNS, well known as 8.8.8.8, 8.8.4.4 (IPv4) and 2001:4860:4860::8888, 2001:4860:4860::8844 (IPv6). But Google is far from being a non-profit organisation and they collect a lot about you via their DNS[1]. Nothing is free and, when you get something for “free”, you (your data) are the valuable stuff. Never forget this! It is already known that many systems are using the Google DNS as a fallback configuration. Docker is a good example. As written in the documentation[2]:
Yesterday, there was some interesting tweets passing around about the same kind of behaviour but for systemd[3]. "systemd" is the new system introduced in 2012 to replace the good old “init”. It is used to manage processes started at boot time (in userland space). systemd introduced a lot of new features but also was the reason of major flamewars in the Linux community about pros and cons of the new system. In the GitHub repository of systemd, in the configure.ac file, we can read the following block of code[4]: AC_ARG_WITH(dns-servers, AS_HELP_STRING([--with-dns-servers=DNSSERVERS], [space-separated list of default DNS servers]), [DNS_SERVERS="$withval"], [DNS_SERVERS="8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844"]) How to interpret this code? systemd has a built-in fallback mechanism that specifies, at compilation time, that if no resolvers are configured, it uses the Google DNS by default! I performed a quick check on different Linux distributions (installed out-of-the-box):
Some distributions, like Slackware, never implemented systemd. This ‘FallbackDNS’ purpose is defined here[5]
I also found an old report about this in the Debian bug tracker[6]. But the DNS configuration is not the only one to be affected, a list of default NTP servers is also preconfigured at compilation time[7]: AC_ARG_WITH(ntp-servers, AS_HELP_STRING([--with-ntp-servers=NTPSERVERS], [space-separated list of default NTP servers]), [NTP_SERVERS="$withval"], [NTP_SERVERS="time1.google.com time2.google.com time3.google.com time4.google.com"]) Ok, nothing really critical here. Based on the tested distributions, there is almost no risk to see systemd falling back to the Google DNS. However, this is a good signal to keep in mind that some developers might introduce dangerous features and/or configurations in their code. Grepping for static IP addresses in configuration files is always a good reflex. About the DNS, my recommendation is to restrict the DNS traffic on your network and run your own resolver. [1] https://developers.google.com/speed/public-dns/privacy Xavier Mertens (@xme) |
Xme 687 Posts ISC Handler Jun 14th 2017 |
||||||||||||||||||||||
Thread locked Subscribe |
Jun 14th 2017 4 years ago |
||||||||||||||||||||||
This is definitely present on Ubuntu 17.04 (zesty zapus); it uses the same location as the other systemd-based distros: /etc/systemd/resolved.conf.
|
Paul 4 Posts |
||||||||||||||||||||||
Quote |
Jun 15th 2017 4 years ago |
||||||||||||||||||||||
We might want to reconsider if free software is always developed in good faith, or if the developers would compromise in some areas of privacy/security that you wouldn't be happy with for your own use case. We're slowly learning how to defend in-depth against possibly-backdoored hardware like Intel ME and black-box HWRNGs. So we can apply the same principles like sandboxing to software to make it easier to trust.
For this specific example, a blackhole route to 8.8.4.4 etc. would have been sufficient. With iptables you could block all outgoing DNS queries except to a whitelist of destinations. Or, filter outgoing network traffic per-uid using the "-m owner" match, and either LOG or DROP everything else. I particularly like where OpenBSD is going with pledge(), which is even able to restrict ability of daemons to do things like file I/O. Maybe systemd is such a large beast that something like it couldn't be implemented there, and if that's the case I would suggest to simply steer clear of it. |
Steven C. 171 Posts |
||||||||||||||||||||||
Quote |
Jun 16th 2017 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!