Page MenuHomePhabricator

Disable systemd DNS resolver feature
Closed, ResolvedPublic

Description

Systemd just gained DNS resolution as a feature. This should be disabled because of potentially negative consequences for anonymity and to reduce attack surface.

https://lists.freedesktop.org/archives/systemd-devel/2016-February/035748.html

Details

Impact
Normal

Event Timeline

This can probably be implemented by adding a systemd override for systemd-resolved.service.

To check:

sudo systemctl status systemd-resolved.service
Patrick changed the task status from Open to Review.Feb 5 2017, 9:16 PM

Done.

I've spent a lot thought on the migration. For new Whonix 14 images, systemd-resolved will never start.

When upgrading Whonix 13 to Whonix 14,

  • using https://www.whonix.org/wiki/Upgrading_Whonix_13_to_Whonix_14 - it will not start (since using apt-get-noninteractive that prevents daemon restarts and after reboot the systemd drop-in to prevent its startup will be in place)
  • when not using apt-get-noninteractive, systemd-resolved would start and keep running until the next reboot
    • there won't be an auto upgrade from Whonix 13 to Whonix 14 since the user has to manually change from jessie to stretch Debian and Whonix repository, so the risk for this to accidentally happen should be low
    • otherwise preventing this would be cumbersome and require a lot more code (inventing a postinst running systemd daemon-reload and whatnot)

This isn't a ticket for general question systemd yes vs no. If you like to raise this, please move it to the forums or so.

anonymous1 added a comment.EditedFeb 7 2017, 6:31 PM

It was just to remind that this "feature" is just the tip of an iceberg that keeps getting bigger over time. If you see it feasible and preferable to move away from systemd I would expect you to start the ticket/discussion

Patrick closed this task as Resolved.Mar 7 2018, 1:06 AM
Patrick claimed this task.