Comments on: Multiple Vendor DNS Cache Poisoning Vulnerability

By: pfSense Digest » Blog Archive » Test dnsmasq available, fix for potential cache poisoning vulnerability

Thu, 10 Jul 2008 06:36:35 +0000

[...] pfSense Digest News, reviews and more related to the pfSense firewall project « Multiple Vendor DNS Cache Poisoning Vulnerability [...]

By: Chris Buechler

Chris Buechler — Wed, 09 Jul 2008 22:33:45 +0000

Ah, yeah the 1.2.1 and 1.3 upgrade systems are one click. Embedded is another story, that should be changing in 1.3 so it’s a reliable one click as well.

On the topic of this post – it doesn’t appear dnsmasq is vulnerable to this, but given the lack of details the author isn’t sure. There is a slightly improved version available that we will be making available as an update once we can properly test it.

By: Bill McGonigle

Bill McGonigle — Wed, 09 Jul 2008 19:48:06 +0000

I’m not sure we really need a differential update mechanism, per se – I only care about easy updates. Currently, on some of my hardware I have a single flash card on an IDE adapter with pfSense on it, and no room in the box for a second. To do a minor pfSense update I have to backup the config file, pull the thing out of the rack, unscrew the bottom cover, pull the card out, flash the card, put the card back in, put the screws in, rack it, configure a LAN interface, and then restore the config file. This is a minor pain, but creates a good 15 minutes of downtime if I’m fast with the screwdriver. Yeah, I know, CARP a second one in, but still it would be lovely it it were easier.

I recall 1.3 gets us back the online updating mechanism – if that can preserve a config file, whether there’s anything fancier is almost immaterial – I don’t store any data on the box other than what’s in my config.xml. Sure, on a server I need yum, because there’s a heck of a lot of data that can’t get wiped out for a small update and the OS is gigabytes big. But a 40MB download for a pfSense update I can do in a couple clicks? – no problem.

By: Chris Buechler

Chris Buechler — Wed, 09 Jul 2008 07:19:05 +0000

Yeah our current updating methodology does not provide differential updates, once an update is available you will have to use an update file with the entire OS, all applications and all the PHP code even though only dnsmasq will have changed. Technically if everyone was on 1.2 release we wouldn’t have to release everything, just an update with only the dnsmasq fix. But since there are dozens of different versions in use, that isn’t feasible with our existing update system.

I don’t think this will be on the road map for 1.3 because there are so many other great things we’re adding and we only have so much time. This wouldn’t have much of an impact on the user vs. the same amount of time spent on some other functionality that a lot of people can benefit from. Personally, wearing my end user hat, I don’t care if the update is 40 MB or 2 MB. I would much rather that significant amount of time to provide differential updates be spent on improving functionality. It may change at some point in the future but likely not for 1.3.

By: yosama

yosama — Wed, 09 Jul 2008 07:04:28 +0000

would be a great feature addon for 1.3 if you guys could implement a package system for handling security updates, like yum, aptitude, or maybe use pkg_add (which already is in freebsd)

using a package manager we could easily update minor stuff without a full “image” install.