Bug 1614331
Field | Value
---|---
Summary: | dnsmasq uses lower port (for source port) for its communications.
Product: | Red Hat Enterprise Linux 7
Reporter: | Rupesh Patel <rupatel>
Component: | dnsmasq
Assignee: | Petr Menšík <pemensik>
Status: | CLOSED ERRATA
QA Contact: | Robin Hack <rhack>
Severity: | high
Docs Contact: | Marie Hornickova <mdolezel>
Priority: | medium
Version: | 7.7
CC: | farandac, fkrska, mdolezel, mikeb, pemensik, rhack, rhowe, stwalter, therfert, thozza
Target Milestone: | rc
Keywords: | Patch
Target Release: | ---
Hardware: | All
OS: | Linux
Fixed In Version: | dnsmasq-2.76-8.el7
Doc Type: | Bug Fix
Story Points: | ---
Last Closed: | 2019-08-06 13:07:57 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
Category: | ---
oVirt Team: | ---
Cloudforms Team: | ---
Bug Blocks: | 1630905, 1630913, 1663257

Doc Text:

`dnsmasq` no longer uses ports lower than 1024 as a source port

Previously, the Domain Name System forwarder (`dnsmasq`) could use any port, including ports below 1024, as the source port for its queries. However, Berkeley Internet Name Domain (BIND) drops DNS queries arriving from some of these low ports. Consequently, the target port 464 was ignored by BIND. With this update, `dnsmasq` no longer uses its own random port generator and instead lets the operating system assign random ports. As a result, `dnsmasq` no longer uses ports lower than 1024 as a source port, which prevents the described problem with BIND.
Description (Rupesh Patel, 2018-08-09 12:23:57 UTC)

It seems dnsmasq is using too wide a range for outgoing UDP ports. Because dnsmasq has the privilege to listen on ports below 1024, it also uses these ports for queries. Some of the low ports are dropped by BIND when they arrive, without ever giving them a reply. Those ports are: 7, 13, 19 and 37. Target port 464 would be dropped on reply. Commit [1] fixes queries to start at the unprivileged ports boundary.

I think it should not use a custom random port generator but let the OS assign random ports instead. Current released dnsmasq does not allow that. The default range of the system is obtained by sysctl. It might be wise to use a range similar to that.

    $ sysctl net.ipv4.ip_local_port_range
    net.ipv4.ip_local_port_range = 32768 60999

The current default for min-port is port 0, which includes ports below net.ipv4.ip_unprivileged_port_start.

[1] http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=baf553db0cdb50707ddab464fb3eff7786ea576c

Posted a question to the dnsmasq mailing list with proposed patches to use random ports from the operating system instead.
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q3/012436.html

There is a workaround for this issue. Use min-port in the configuration with a value of at least net.ipv4.ip_unprivileged_port_start, that is 1024. Just add min-port=1024 into /etc/dnsmasq.conf or any file in /etc/dnsmasq.d/*.conf.

*** Bug 1626248 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2231
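As an added illustration of the workaround in the report above (this is example code written for this page, not code from dnsmasq, BIND or the reporter), the following Python audit helper parses dnsmasq configuration text and `sysctl` output and reports whether the effective min-port stays below net.ipv4.ip_unprivileged_port_start; the sample config, the file names and the last-directive-wins rule are assumptions.

```python
# Hypothetical audit helper written for this page (not dnsmasq's own code).
# Assumptions: dnsmasq's default min-port is 0 as the report states, the last
# min-port= directive in the combined config wins, and the privileged boundary
# comes from net.ipv4.ip_unprivileged_port_start.
import re

# Source ports the report says BIND drops queries from without replying.
BIND_DROPPED_SOURCE_PORTS = {7, 13, 19, 37}
DNSMASQ_DEFAULT_MIN_PORT = 0
MIN_PORT_RE = re.compile(r"^\s*min-port\s*=\s*(\d+)\s*$")

def effective_min_port(config_files):
    """min-port dnsmasq would use; config_files is [(path, text)] in read order
    (dnsmasq.conf, then dnsmasq.d/*.conf). Comments ignored, last one wins."""
    value = DNSMASQ_DEFAULT_MIN_PORT
    for _path, text in config_files:
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue  # a commented-out min-port must not count
            match = MIN_PORT_RE.match(line)
            if match:
                value = int(match.group(1))
    return value

def parse_sysctl_int(output, key):
    """Extract the integer value of `key` from `sysctl` text output."""
    match = re.search(rf"^{re.escape(key)}\s*=\s*(\d+)", output, re.MULTILINE)
    if not match:
        raise ValueError(f"{key} not found in sysctl output")
    return int(match.group(1))

def audit(config_files, sysctl_output):
    """Report whether dnsmasq may pick privileged source ports, which of the
    BIND-dropped ports fall in its range, and the report's fix line if so."""
    min_port = effective_min_port(config_files)
    boundary = parse_sysctl_int(sysctl_output, "net.ipv4.ip_unprivileged_port_start")
    affected = min_port < boundary
    exposed = sorted(p for p in BIND_DROPPED_SOURCE_PORTS if min_port <= p < boundary)
    return {"min_port": min_port, "boundary": boundary, "affected": affected,
            "exposed_ports": exposed, "fix": f"min-port={boundary}" if affected else None}

# Constructed sample input: a stock-looking dnsmasq.conf plus one drop-in file.
SAMPLE_CONF = [
    ("/etc/dnsmasq.conf", "# dnsmasq configuration\nuser=dnsmasq\n#min-port=4096\n"),
    ("/etc/dnsmasq.d/local.conf", "domain-needed\nbogus-priv\n"),
]
SAMPLE_SYSCTL = ("net.ipv4.ip_unprivileged_port_start = 1024\n"
                 "net.ipv4.ip_local_port_range = 32768\t60999\n")
```

Appending a drop-in containing `min-port=1024` to `SAMPLE_CONF` makes `audit()` report the configuration as no longer affected.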