1486801 – dhcpd/dhclient create an random listening port in addition to UDP 67/68

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1486801 - dhcpd/dhclient create an random listening port in addition to UDP 67/68

Summary: dhcpd/dhclient create an random listening port in addition to UDP 67/68

Keywords:
Status:	CLOSED DUPLICATE of bug 1299562
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	dhcp
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Pavel Zhukov
QA Contact:	Release Test Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-30 14:52 UTC by Charlie Brady
Modified:	2017-08-31 05:05 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	962950
Environment:
Last Closed:	2017-08-31 05:05:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Launchpad	1176046	0	None	None	None	2017-08-30 14:52:54 UTC

Description Charlie Brady 2017-08-30 14:52:54 UTC

+++ This bug was initially created as a clone of Bug #962950 +++

Description of problem:
DHClient creates an additional listening port in addition to UDP 68 which seems to be a random registered port value. This appears to be being caused by the NSUPDATE DNS functionality. Their is currently a bug filed with ISC [ISC-BUGS] #33377.

Version-Release number of selected component (if applicable):
isc-dhclient-4.2.5

How reproducible:
Install dhclient, start the service and perform a netstat -l -u -p and check each of the ports opened by dhclient.
  
Actual results:


Expected results:
That no random port numbers be opened. Please create a way to disable this functionality or repackage an additional version with it disabled.

Additional Info:
http://forums.debian.net/viewtopic.php?f=10&t=95273
http://forums.debian.net/viewtopic.php?f=10&t=95273&p=495605#p495605

--- Additional comment from Jiri Popelka on 2013-05-15 10:29:10 EDT ---

Disabling tracing (--disable-tracing) as suggested on the forum makes no change.
With --disable-failover it fails to build so I can't prove that it really makes the ports disappear, but anyway failover is crucial server functionality and there's no way we can disable it.

--- Additional comment from Jiri Popelka on 2013-05-15 10:36:55 EDT ---

(In reply to comment #1)
> With --disable-failover it fails to build ...

fixed, built with --disable-tracing and --disable-failover but it's still the same.

--- Additional comment from Jiri Popelka on 2013-07-15 09:43:37 EDT ---



--- Additional comment from Harald Reindl on 2013-12-06 08:35:56 EST ---

well, this affects any Fedora version from 18 to 20 and most likely Rawhide too

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|unspecified                 |medium
           Hardware|Unspecified                 |x86_64
            Version|18                          |20
                 OS|Unspecified                 |Linux
           Severity|unspecified                 |medium

--- Additional comment from Jiri Popelka on 2013-12-11 06:35:48 EST ---

These ports are opened during libdns' (library from ISC bind) initialization of some managers and contexts.
Pity the code opens both ipv4 and ipv6 ports - I see this comment in bind/lib/dns/client.c:dns_client_createx()
/* TODO: whether to use dispatch v4 or v6 should be configurable */

This initialization can be avoided by undefining NSUPDATE in dhcp/includes/site.h (as suggested on the debian forum) but we can't do this because we need DDNS functionality for server. I doubt we need it on client so It'd perhaps be nice to turn it off for client, but the code is common (dhcp/omapip/isclib.c) for both client and server so it's not possible to turn it off/on only for one of them.

I don't see a way how to fix this atm.

--- Additional comment from Harald Reindl on 2014-03-05 13:05:32 EST ---

sad to hear that there is no solution

in general i see no valid reason for a *random* port, no sane configured system will allow a incoming package on the one....

--- Additional comment from  on 2014-09-18 17:02:10 EDT ---

Yes this is not sane.  To have dhclient, and rpcbind , etc. open half a dozen other random ports listening on my machine on default install for my home desktop doesn't feel to safe.

I've moved to a debian based distro.

Even if the firewall is blocking incoming, if we don't know why these ports are opened,  how do we know there are not other processes on our machines connecting out on them.   Which could be missed in logs, especially since it seems not enough people care to even question these things.

--- Additional comment from Pavel Šimerda (pavlix) on 2014-09-19 05:37:16 EDT ---

How does Debian solve this issue?

--- Additional comment from  on 2014-09-20 02:50:27 EDT ---

It doesn't solve the issue and I wished there was an edit button to delete that when I said it. I don't think dhclient is a specific distro problem.   going static is only thing that solves the issue for me.

I just noticed alot more services and default ports open on a default fedora compared to when using mint.     But when you disable ipv6,   which I finally figured out only worked from grub menu in fedora for me.   It doesn't feel as bad.

The truth is I only went to mint because for some reaosn the cinnamon mixer worked best with my surround sound system.

--- Additional comment from Fedora End Of Life on 2015-05-29 05:03:44 EDT ---

This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

--- Additional comment from Fedora End Of Life on 2015-06-29 20:38:53 EDT ---

Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

--- Additional comment from Harald Reindl on 2015-06-29 20:45:19 EDT ---

still an issue on F21

--- Additional comment from Dan Berindei on 2016-02-19 11:03:27 EST ---

still an issue on F23

--- Additional comment from Petr Menšík on 2017-04-05 08:54:48 EDT ---

Hi. I have tried to reproduce this on Fedora 25. Ports are still created, but they are created directly by call from libisc.c:235
I think it should be really simple to change use of dhcp_context_create to not create dns client, unless it is used.

Ports are open after end of:

#0  dns_client_createx2 (mctx=0x55926f32b100, actx=0x7f1ddab2b010, 
    taskmgr=0x7f1ddab2c010, socketmgr=0x7f1ddab2d010, timermgr=0x7f1ddab2e010, 
    options=options@entry=0, clientp=0x55926e00e978 <dhcp_gbl_ctx+56>, 
    localaddr4=0x0, localaddr6=0x0) at ../../../lib/dns/client.c:440
#1  0x00007f1dda831c11 in dhcp_context_create (flags=<optimized out>, 
    local4=0x0, local6=0x0) at isclib.c:235
#2  0x000055926ddacb5b in main (argc=<optimized out>, argv=<optimized out>)
    at dhclient.c:273

--- Additional comment from Fedora Update System on 2017-05-25 08:15:39 EDT ---

dhcp-4.3.5-6.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c5082937a8

--- Additional comment from Fedora Update System on 2017-05-25 08:27:01 EDT ---

dhcp-4.3.5-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb7218382

--- Additional comment from Fedora Update System on 2017-05-25 15:22:21 EDT ---

dhcp-4.3.5-6.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c5082937a8

--- Additional comment from Fedora Update System on 2017-05-26 02:03:38 EDT ---

dhcp-4.3.5-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ceb7218382

--- Additional comment from Fedora Update System on 2017-05-26 23:01:58 EDT ---

dhcp-4.3.5-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2017-06-09 15:12:07 EDT ---

dhcp-4.3.5-6.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 2 Charlie Brady 2017-08-30 14:53:53 UTC

[root@sdfdsfd ~]# rpm -q dhclient
dhclient-4.2.5-47.el7.centos.x86_64
[root@sdfdsfd ~]# netstat -anp | grep dhclient
udp        0      0 0.0.0.0:62500           0.0.0.0:*                           8251/dhclient       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           8251/dhclient       
udp6       0      0 :::19356                :::*                                8251/dhclient       
unix  2      [ ]         DGRAM                    261428   8251/dhclient        
[root@sdfdsfd ~]#

Comment 3 Pavel Zhukov 2017-08-30 15:26:39 UTC

(In reply to Charlie Brady from comment #2)
> [root@sdfdsfd ~]# rpm -q dhclient
> dhclient-4.2.5-47.el7.centos.x86_64
This is not a part of Red Hat Enterprise Linux.
Please report the issue to proper (centos) bug tracker:
https://bugs.centos.org/main_page.php

Thank you. Closing.

Comment 4 Charlie Brady 2017-08-30 16:34:25 UTC

(In reply to Pavel Zhukov from comment #3)

> This is not a part of Red Hat Enterprise Linux.

RHEL code is exactly the same. Only branding is different. This is not a branding issue.

> Please report the issue to proper (centos) bug tracker:

Done.

> Resolution: --- → NOTABUG

That strikes me as bizarre. It is a bug alright.

Comment 5 Pavel Zhukov 2017-08-30 16:51:45 UTC

(In reply to Charlie Brady from comment #4)
> (In reply to Pavel Zhukov from comment #3)
> 
> > This is not a part of Red Hat Enterprise Linux.
> 
> RHEL code is exactly the same. Only branding is different. This is not a
> branding issue.
The  code of ISC DHCP server is the same in (almost) all Linux distros as well as in other OSes. It's not the reason to report bug against Red Hat Enteprise Linux. Please respect people's time.
> 
> > Please report the issue to proper (centos) bug tracker:
> 
> Done.
> 
> > Resolution: --- → NOTABUG
> 
> That strikes me as bizarre. It is a bug alright.

Thank you for your time but Red Hat Bugzilla is the Red Hat bug-tracking system and is used to submit and review defects that have been found in Red Hat distributions as main page says. dhclient-4.2.5-47.el7.centos.x86_64
is not part of Red Hat distribution. 

RHEL bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1299562  Feel free to follow it.

Comment 6 Harald Reindl 2017-08-30 17:21:00 UTC Comment hidden (abuse)

with that argumentation giving that 99% of RHEL is code from upstream projects you can close the whole bugtracker - and next time before link to a different bug entry with the words "feel free to follow" better check if anybody outside redhat is allowed to read there or at least don't take "respect others time" not in your mouth

I have reported the same bug YEARS ago on your direct upstream Fedora where it seems to be fixed short ago

If you think that everybody of your users will register on each and every of the thousands of upstream bugtrackers you simply failed the reality check and the same for "but that is a CentOS package" when you have that less plan about your own company which in the meantime owns the CentOS domain and not knowing that CentOS always was a binary replacement bug-by-bug from RHEL

and now you!

Comment 8 Charlie Brady 2017-08-30 19:47:22 UTC

Re-opening.

You can very easily verify that this bug does actually affect RHEL7.3 (and earlier). You are deluding yourself if you think otherwise.

You are doing a disservice to your customers if you ignore this bug simply because you haven't noticed it yet on your systems. 

CentOS bug tracker has, as expected, closed the bug "won't fix", as it must be fixed in RHEL, not in CentOS.


 https://bugs.centos.org/view.php?id=13746

Comment 9 Charlie Brady 2017-08-31 03:04:14 UTC

(In reply to Pavel Zhukov from comment #5)
 
> RHEL bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1299562  Feel
> free to follow it.

Thank you. So this should be closed as a duplicate of that one.

Comment 10 Charlie Brady 2017-08-31 03:15:40 UTC

(In reply to Pavel Zhukov from comment #5)
 
> > RHEL code is exactly the same. Only branding is different. This is not a
> > branding issue.
> The  code of ISC DHCP server is the same in (almost) all Linux distros as
> well as in other OSes.

This is untrue, and also irrelevant.

> It's not the reason to report bug against Red Hat
> Enteprise Linux.

No, but RHEL suffering from the bug would be a good reason.

> Please respect people's time.

I would ask you to do the same thing. 
 
> Please report the issue to proper (centos) bug tracker:

You should be aware that that would be a total waste of everyone's time.

Comment 11 Pavel Zhukov 2017-08-31 05:05:54 UTC


*** This bug has been marked as a duplicate of bug 1299562 ***

Note You need to log in before you can comment on or make changes to this bug.