Bug 1614331 - dnsmasq uses lower port (for source port) for its communications.
Summary: dnsmasq uses lower port (for source port) for its communications.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dnsmasq
Version: 7.7
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Petr Menšík
QA Contact: Robin Hack
Docs Contact: Marie Dolezelova
URL:
Whiteboard:
Depends On:
Blocks: 1663257 1630905 1630913
Reported: 2018-08-09 12:23 UTC by Rupesh Patel
Modified: 2019-08-06 13:08 UTC
CC: 10 users

Fixed In Version: dnsmasq-2.76-8.el7
Doc Type: Bug Fix
Doc Text:
`dnsmasq` no longer uses ports lower than 1024 as a source port

Previously, the Domain Name System forwarder (`dnsmasq`) chose the source port of its upstream queries from the whole port range, including ports below 1024, because it holds the privilege to bind them. However, Berkeley Internet Name Domain (BIND) drops DNS queries arriving from certain low ports and does not send replies to others, so a query that `dnsmasq` sent from such a port, for example port 464, was never answered. With this update, `dnsmasq` no longer uses its own random port generator and instead lets the operating system assign an ephemeral source port. As a result, `dnsmasq` no longer uses ports lower than 1024 as a source port, which prevents the described problem with BIND.
Clone Of:
Environment:
Last Closed: 2019-08-06 13:07:57 UTC
Target Upstream Version:




Links
System                              ID              Last Updated
Red Hat Knowledge Base (Article)    3558531         2018-08-09 12:41:12 UTC
Red Hat Knowledge Base (Solution)   3558531         2018-08-17 16:13:10 UTC
Red Hat Product Errata              RHBA-2019:2231  2019-08-06 13:08:00 UTC

Description Rupesh Patel 2018-08-09 12:23:57 UTC
By default dnsmasq uses lower port (source port) for its communications. It should use source port above 1024 for security reasons.

Comment 3 Petr Menšík 2018-08-14 09:43:24 UTC
It seems dnsmasq is using too wide a range for outgoing UDP ports. Because dnsmasq has the privilege to listen on ports below 1024, it also uses these ports for queries.

Some low ports are dropped by BIND when they arrive, without ever getting a reply. Those ports are: 7, 13, 19 and 37. Target port 464 would be dropped on reply.

Commit [1] fixes queries to start at the unprivileged ports boundary. I think it should not use a custom random port generator but let the OS assign random ports instead. The currently released dnsmasq does not allow that.

The system's default range can be read with sysctl. It might be wise to use a similar range.

$ sysctl net.ipv4.ip_local_port_range
net.ipv4.ip_local_port_range = 32768	60999

The current default for min-port is port 0, which includes ports below net.ipv4.ip_unprivileged_port_start.

1. http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=baf553db0cdb50707ddab464fb3eff7786ea576c

Comment 4 Petr Menšík 2018-08-14 10:01:17 UTC
Posted a question to the dnsmasq mailing list with proposed patches to use random ports from the operating system instead.

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q3/012436.html

Comment 5 Petr Menšík 2018-08-14 10:05:36 UTC
There is a workaround for this issue. Use min-port in the configuration with a value of at least net.ipv4.ip_unprivileged_port_start, that is 1024.

Just add min-port=1024 to /etc/dnsmasq.conf or any file in /etc/dnsmasq.d/*.conf.
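
The mechanism in comment 3 and the workaround in comment 5 can be turned into a quick audit of a dnsmasq host. The script below is an added example, not dnsmasq, BIND or Red Hat code: it reads min-port from dnsmasq.conf-style text and compares it with net.ipv4.ip_unprivileged_port_start, lists which of the BIND-blackholed ports (7, 13, 19, 37 and 464 from comment 3) the configured range can still produce, and scans `ss -unap` output for dnsmasq UDP sockets sitting on a privileged port other than the port 53 listener. The sample configuration, sysctl and `ss` output are constructed for the example; the default listener port 53, the default min-port of 0 and the "last min-port wins" rule in the parser are assumptions made here for illustration.

```python
"""Added example (not dnsmasq or Red Hat code): audit a dnsmasq host for the
privileged-source-port problem described in this bug.

Checks implemented:
  1. min-port from dnsmasq.conf-style text vs. net.ipv4.ip_unprivileged_port_start.
  2. Which BIND-blackholed ports the configured source range can still produce.
  3. `ss -unap` output scanned for dnsmasq UDP sockets on privileged ports,
     ignoring the expected DNS listener on port 53.
Sample inputs are constructed; feed real `sysctl`/`ss` output the same way.
"""
import re

# Source ports from which BIND never answers, per comment 3
# (7, 13, 19, 37 dropped on arrival; 464 dropped on reply).
BIND_UNANSWERED_PORTS = frozenset({7, 13, 19, 37, 464})
DEFAULT_MIN_PORT = 0          # dnsmasq default before the fix, per comment 3
DEFAULT_UNPRIV_START = 1024   # kernel default for net.ipv4.ip_unprivileged_port_start
DNS_LISTEN_PORT = 53          # assumption: dnsmasq listens on the default DNS port


def parse_min_port(conf_text):
    """Return min-port from dnsmasq.conf-style text (last occurrence wins;
    '#' starts a comment). Falls back to dnsmasq's default of 0."""
    min_port = DEFAULT_MIN_PORT
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "min-port":
            min_port = int(value.strip())
    return min_port


def parse_unprivileged_start(sysctl_text):
    """Parse `sysctl net.ipv4.ip_unprivileged_port_start` output."""
    m = re.search(r"net\.ipv4\.ip_unprivileged_port_start\s*=\s*(\d+)", sysctl_text)
    return int(m.group(1)) if m else DEFAULT_UNPRIV_START


def min_port_is_safe(min_port, unprivileged_start=DEFAULT_UNPRIV_START):
    """The workaround from comment 5: min-port must reach the unprivileged boundary."""
    return min_port >= unprivileged_start


def reachable_unanswered_ports(min_port, max_port=65535):
    """BIND-blackholed ports that dnsmasq could still pick as a query source port."""
    return sorted(p for p in BIND_UNANSWERED_PORTS if min_port <= p <= max_port)


# `ss -unap` row: State Recv-Q Send-Q Local:Port Peer:Port Process
_SS_LINE = re.compile(r'^\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+.*"dnsmasq"')


def privileged_query_sockets(ss_text, unprivileged_start=DEFAULT_UNPRIV_START,
                             listen_port=DNS_LISTEN_PORT):
    """Privileged local ports held by dnsmasq UDP sockets, minus the listener.
    IPv6 locals such as [::]:53 are handled by splitting on the last ':'."""
    hits = []
    for line in ss_text.splitlines():
        m = _SS_LINE.match(line)
        if not m:
            continue
        port = int(m.group("local").rsplit(":", 1)[1])
        if port < unprivileged_start and port != listen_port:
            hits.append(port)
    return sorted(hits)


def audit(conf_text, sysctl_text, ss_text):
    """Run all checks and return a dict suitable for scripting or testing."""
    unpriv = parse_unprivileged_start(sysctl_text)
    min_port = parse_min_port(conf_text)
    return {
        "min_port": min_port,
        "min_port_safe": min_port_is_safe(min_port, unpriv),
        "reachable_unanswered": reachable_unanswered_ports(min_port),
        "privileged_query_ports": privileged_query_sockets(ss_text, unpriv),
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_CONF_BEFORE = "# shipped config: min-port unset, so 0 applies\ndomain-needed\nbogus-priv\n"
SAMPLE_CONF_AFTER = SAMPLE_CONF_BEFORE + "min-port=1024   # workaround from comment 5\n"
SAMPLE_SYSCTL = "net.ipv4.ip_unprivileged_port_start = 1024\n"
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:53        0.0.0.0:*         users:(("dnsmasq",pid=1234,fd=4))
UNCONN 0      0      0.0.0.0:464       0.0.0.0:*         users:(("dnsmasq",pid=1234,fd=9))
UNCONN 0      0      0.0.0.0:41523     0.0.0.0:*         users:(("dnsmasq",pid=1234,fd=10))
UNCONN 0      0      [::]:53           [::]:*            users:(("dnsmasq",pid=1234,fd=5))
UNCONN 0      0      0.0.0.0:111       0.0.0.0:*         users:(("rpcbind",pid=800,fd=6))
"""

if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_CONF_BEFORE), ("after", SAMPLE_CONF_AFTER)):
        print(label, audit(conf, SAMPLE_SYSCTL, SAMPLE_SS))
```

On a live host, pass the contents of the dnsmasq configuration files, the output of `sysctl net.ipv4.ip_unprivileged_port_start` and the output of `ss -unap` to `audit()`. A socket on port 464 in the `ss` scan is exactly the case comment 3 describes: the query leaves, BIND drops its reply, and the client sees a timeout. The `ss` check is a point-in-time snapshot, since query sockets are short-lived; the min-port check is the reliable one.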

Comment 6 Stephen Cuppett 2018-10-05 17:12:25 UTC
*** Bug 1626248 has been marked as a duplicate of this bug. ***

Comment 25 errata-xmlrpc 2019-08-06 13:07:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2231

