
#1 2014-11-19 12:51:57

snakeroot
Member
Registered: 2012-10-06
Posts: 171

systemd-resolved DNS cache poisoning

Recently, a CVE request was raised with respect to systemd's caching stub DNS resolver, systemd-resolved.[1]

The CVE was not issued since the relevant RFC (RFC 5452)[2] is ambiguous about whether the full weight of its requirements apply to "stub" resolvers; it was noted that other stub resolvers, such as GNU ADNS, also operated outside RFC 5452.[3]

It was, however, noted that the GNU documentation was more explicit about the fact that stub resolvers are "no defence against bad nameservers or fake packets which appear to come from your real nameservers. You MUST use a firewall or other means to block packets which appear to come from these nameservers, but which were actually sent by other, untrusted, entities."

There may be other issues in that systemd-resolved will cache whatever cruft it receives from the nameserver, but that creates a vulnerability to accidents (badly configured nameservers) rather than malice. The issue was raised on the systemd-devel mailing list Monday[4] but no official bug has been filed in the systemd bugzilla.

As far as I can tell, it seems that (a) if you operate behind a firewall and (b) believe your nameserver is well configured and won't send you cruft, you should be fine. I did want to see what others think.

[1] http://seclists.org/oss-sec/2014/q4/592
[2] http://www.rfc-base.org/rfc-5452.html
[3] http://seclists.org/oss-sec/2014/q4/595
[4] http://lists.freedesktop.org/archives/s … 25276.html
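The matching rules the thread is arguing about (response source address, destination port, transaction ID, echoed question section, and the "cache only what you asked for" rule that the remark about caching cruft points at), as an added example written for this thread. It is not code from systemd-resolved, GNU ADNS, or the poster. It assumes the resolver keeps a small record of each outstanding query, and every packet, name and address in it (192.0.2.53, example.com, the forged replies) is constructed inline:

```python
"""RFC 5452-style acceptance checks on a DNS response, of the kind a stub
resolver should apply before caching anything. Added example for this
thread, not code from systemd-resolved; every packet below is constructed."""
import struct
from dataclasses import dataclass

A, CNAME = 1, 5

@dataclass(frozen=True)
class PendingQuery:
    txid: int        # random 16-bit transaction ID
    server: str      # nameserver IP the query went to (hypothetical addresses below)
    sport: int       # ephemeral UDP source port the query left from
    qname: str       # e.g. "example.com."
    qtype: int
    qclass: int = 1  # IN

def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    """Return (name, offset after it); follows RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:          # pointer: remember where the name ended
            end, hops = (off + 2 if end is None else end), hops + 1
            if hops > 16:
                raise ValueError("compression loop")
            off = ((n & 0x3F) << 8) | buf[off + 1]
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def build_response(txid: int, qname: str, answers) -> bytes:
    """Constructed reply echoing an A/IN question; answers are (owner, type, rdata)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR, RD, RA
    body = encode_name(qname) + struct.pack("!HH", A, 1)
    for owner, rtype, rdata in answers:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body

def check_response(q: PendingQuery, src_ip: str, dst_port: int, wire: bytes):
    """Return (accept, reason); rejections map to the RFC 5452 section 4 hurdles and the section 6 in-domain rule."""
    if src_ip != q.server:
        return False, "source address is not the nameserver we queried"
    if dst_port != q.sport:
        return False, "destination port is not the query's source port"
    if len(wire) < 12:
        return False, "truncated header"
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", wire[:12])
    if not flags & 0x8000:
        return False, "QR bit clear, not a response"
    if txid != q.txid:
        return False, "transaction ID mismatch"
    if qd != 1:
        return False, "question count is not 1"
    try:
        qname, off = decode_name(wire, 12)
        qtype, qclass = struct.unpack("!HH", wire[off:off + 4])
        off += 4
        if (qname.lower(), qtype, qclass) != (q.qname.lower(), q.qtype, q.qclass):
            return False, "question section does not echo our query"
        allowed = {qname.lower()}          # owner names we are willing to cache
        for _ in range(an):
            owner, off = decode_name(wire, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            off += 10
            if len(wire) < off + rdlen:
                raise ValueError("short rdata")
            if owner.lower() not in allowed or rclass != q.qclass:
                return False, f"unsolicited record for {owner}, not cached"
            if rtype == CNAME:             # a CNAME extends the names we expect
                allowed.add(decode_name(wire, off)[0].lower())
            off += rdlen
    except (IndexError, struct.error, ValueError):
        return False, "malformed packet"
    return True, "accepted"

def demo() -> dict[str, bool]:
    q = PendingQuery(0x1F2E, "192.0.2.53", 51234, "example.com.", A)
    ip, srv = bytes([192, 0, 2, 10]), "192.0.2.53"
    def ok(src, port, pkt):
        return check_response(q, src, port, pkt)[0]
    good = build_response(q.txid, q.qname, [(q.qname, A, ip)])
    return {
        "genuine": ok(srv, 51234, good),
        "spoofed source ip": ok("198.51.100.7", 51234, good),
        "wrong port": ok(srv, 40000, good),
        "wrong txid": ok(srv, 51234, build_response(0x0001, q.qname, [(q.qname, A, ip)])),
        "other question": ok(srv, 51234, build_response(q.txid, "evil.example.", [("evil.example.", A, ip)])),
        "cruft in answer": ok(srv, 51234, build_response(q.txid, q.qname, [(q.qname, A, ip), ("www.bank.example.", A, ip)])),
        "cname chain": ok(srv, 51234, build_response(q.txid, q.qname,
            [(q.qname, CNAME, encode_name("cdn.example.net.")), ("cdn.example.net.", A, ip)])),
    }
```

`demo()` accepts only the genuine reply and the CNAME chain; the reply from a different address, the one to the wrong port, the wrong transaction ID, the reply to a different question, and the reply carrying an extra record for www.bank.example are all refused. The source-address check is only as strong as the network's guarantee that a packet claiming to come from 192.0.2.53 really left that host; that is the gap the GNU ADNS documentation quoted above fills with its firewall requirement, and nothing inside the resolver can close it.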



Powered by FluxBB