Change default dnsmasq flags to not include --strict-order and disable caching

This bug was fixed in the package network-manager - 0.9.2.0+git201112151936.6b31828-0ubuntu2

---------------
network-manager (0.9.2.0+git201112151936.6b31828-0ubuntu2) precise; urgency=low

  * debian/control: libnm-glib-vpn1 Breaks/Replaces libnm-glib2, to ease with
    upgrades from Lucid. (LP: #900509)
  * debian/rules: re-update the daily builds special case, we don't want to
    fail daily builds for new added symbols.
  * debian/patches/nm-change-dnsmasq-parameters.patch: change dnsmasq's params
    when it's started by NM to disable caching and not pass --strict-order.
    Thanks to Stéphane Graber for the patch. (LP: #903854)
 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 09 Jan 2012 14:07:45 +0100

Hi guys,

I'm sorry but I'm one of the people that want caching and don't want to wait for the 12.10 :-D

Instead of disabling it by code, could this be made configurable with caching disabled by default to still honor this bug report ?

I'd enjoy me some caching, too!

From the discussion [1] leading to the changes in this bug report, there are a couple of statements which aren't so robust:

1. "will greatly improve the reliability of DNS resolution on our desktop systems"
 > the reliability only increases if dnsmasq were vulnerable and an exploit was being exercised

2. "at the cost of a slightly higher DNS traffic to the upstream DNS servers"
 > I measure a O(1000%) increase of DNS traffic in general desktop use (browsing, email, IM), due to applications frequently re-evaluating DNS queries. What basis is "slightly" arrived at?

3. "the ... resolver must maintain a separate cache per user, to prevent privacy issues, and to prevent local users from spying on source ports and trivially performing a birthday attack in order to poison the cache for other users"
 > by what mechanism is privacy compromised for non-root users?
 > how and where is the detriment in local users "spying on source ports" if dnsmasq has the Rainbow attack mitigation?
 > how is a Birthday attack plausible when the known weaknesses exposing this were closed in 2008 [2]?
 > presenting the ultimate solution as needing per-user caching is missing the point, when the underlying issues need addressing

As it stands, dnsmasq is not vulnerable to Rainbow attacks after port randomisation was introduced, and there have been further hardening measures taken since; these changes remain Ubuntu-specific because the logic is incomplete.

[1] https://blueprints.launchpad.net/ubuntu/+spec/foundations-p-dns-resolving
[2] http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2008q3/002148.html

> I'd enjoy me some caching, too!

In 12.10 you can run the standalone dnsmasq (with caching enabled, listening at 127.0.0.1) in series with the NetworkManager-controlled dnsmasq (with caching disabled, listening at 127.0.1.1).

The change suggested in this report was in fact implemented for 12.04 but it gave rise to bug #1003842.

Thus for the sake of performance improvements under unusual circumstances, some users experience inability to resolve private domain names under circumstances that are not uncommon.

My personal opinion is, therefore, that the change made here should be reverted until such time as a better solution is found for bug #1003842. But we can continue the discussion in #1003842.