Bug 1614331

Summary: dnsmasq uses lower port (for source port) for it's communications.
Product: Red Hat Enterprise Linux 7 Reporter: Rupesh Patel <rupatel>
Component: dnsmasqAssignee: Petr Menšík <pemensik>
Status: CLOSED ERRATA QA Contact: Robin Hack <rhack>
Severity: high Docs Contact: Marie Hornickova <mdolezel>
Priority: medium    
Version: 7.7CC: farandac, fkrska, mdolezel, mikeb, pemensik, rhack, rhowe, stwalter, therfert, thozza
Target Milestone: rcKeywords: Patch
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: dnsmasq-2.76-8.el7 Doc Type: Bug Fix
Doc Text:
.`dnsmasq` no longer uses ports lower than 1024 as a source port Previously, the Domain Name System forwarder (`dnsmasq`) used for queries all ports below 1024. However, Berkeley Internet Name Domain (BIND) drops DNS queries incoming from some of the low ports. Consequently, the target port 464 was ignored by BIND. With this update, `dnsmasq` has been fixed to not use custom random port generator, but it now lets the operating system to assign random ports instead. As a result, `dnsmasq` no longer uses ports lower than 1024 as a source port, which prevents the described problem with BIND.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-06 13:07:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1630905, 1630913, 1663257    

Description Rupesh Patel 2018-08-09 12:23:57 UTC 
By default dnsmasq uses lower port (source port) for it's communications. It should use source port above 1024 for security reasons.
Comment 3 Petr Menšík 2018-08-14 09:43:24 UTC 
It seems dnsmasq is using too wide range for outgoing udp ports. Because dnsmasq has privilege to listen on ports below 1024, it does also use these port for queries.

Some of low ports are dropped by BIND when they arrive, without ever giving them reply. That ports are: 7, 13, 19 and 37. Target port 464 would be dropped on reply.

Commit [1] fixes queries to start at unprivileged ports boundary. I think it should not use custom random port generator but let OS to assign random ports instead. Current released dnsmasq does not allow that.

Default range of system is get by sysctl. It might be wise to use range similar to that.

$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768	60999

Current default for min-port is port 0, which includes as port below net.ipv4.ip_unprivileged_port_start.

1. http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=baf553db0cdb50707ddab464fb3eff7786ea576c
Comment 4 Petr Menšík 2018-08-14 10:01:17 UTC 
Posted question to dnsmasq mailing list with proposed patches to use random ports from operating system instead.

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q3/012436.html
Comment 5 Petr Menšík 2018-08-14 10:05:36 UTC 
There is workaround for this issue. Use min-port in configuration with value at least value of net.ipv4.ip_unprivileged_port_start, that is 1024.

Just add min-port=1024 into /etc/dnsmasq.conf or any file in /etc/dnsmasq.d/*.conf.
Comment 6 Stephen Cuppett 2018-10-05 17:12:25 UTC 
*** Bug 1626248 has been marked as a duplicate of this bug. ***
Comment 25 errata-xmlrpc 2019-08-06 13:07:57 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2231