1921153 – failed to send packet: Network is unreachable when resolution is busy.

Bug 1921153 - failed to send packet: Network is unreachable when resolution is busy.

Summary: failed to send packet: Network is unreachable when resolution is busy.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	dnsmasq
Sub Component:
Version:	8.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	8.0
Assignee:	Petr Menšík
QA Contact:	Petr Sklenar
Docs Contact:
URL:
Whiteboard:
Depends On:	1917787 1921152
Blocks:
TreeView+	depends on / blocked

Reported:	2021-01-27 15:41 UTC by Petr Menšík
Modified:	2021-11-09 19:30 UTC (History)
CC List:	7 users (show)
Fixed In Version:	dnsmasq-2.79-17.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1921152
Environment:
Last Closed:	2021-11-09 17:37:01 UTC
Type:	Bug
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4153	0	None	None	None	2021-11-09 17:37:10 UTC

Description Petr Menšík 2021-01-27 15:41:56 UTC

+++ This bug was initially created as a clone of Bug #1921152 +++

Description of problem:
In fix of CVE-2020-25686 was created regression, which applies when multiple address families send request for the same name. In that case, only one family receives responses.

Version-Release number of selected component (if applicable):
dnsmasq-2.83-1.fc33

How reproducible:
100%

Steps to Reproduce:
1. send multiple ipv4 requests for one name
2. send multiple ipv6 requests for the same name
3. both address families join single request

Actual results:
Only half of responses arrives, one address family will not receive

Expected results:
Both address families receive all responses.


Additional info:

Discovered after new upstream release, reported on mailing list[1]. Fixed by release of dnsmasq-2.84

1. https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q1/014613.html

Comment 3 Petr Menšík 2021-01-27 16:03:55 UTC

Possible workaround is reducing priority of one family, for example IPv6. If most clients query using the same family, this error would not be visible. It would show only when both IPv4 and IPv6 is used for the same name.

Comment 4 Petr Menšík 2021-01-27 16:17:43 UTC

Another workaround would be serving each address family from different dnsmasq instance.
dnsmasq --bind-interfaces --listen-address=<local-ipv4-address> ...
dnsmasq --bind-interfaces --listen-address=<local-ipv6-address> ...

Operating multiple instances usually requires more work. Some port redirection might work as well, listening on IPv6 socket and forwarding to ipv4. It would lose source address infromation that way, only localhost would be in logs.

Comment 9 Petr Menšík 2021-03-11 13:52:19 UTC

Fixed by:
http://pkgs.devel.redhat.com/cgit/rpms/dnsmasq/commit/?h=rhel-8.5.0&id=b958ffb06fa88459e28c2c8893ba5f6ece7d04df
http://pkgs.devel.redhat.com/cgit/rpms/dnsmasq/commit/?h=rhel-8.5.0&id=4989893da935bedc06ff14119098e2e01159cd2c

Comment 26 errata-xmlrpc 2021-11-09 17:37:01 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: dnsmasq security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4153

Note You need to log in before you can comment on or make changes to this bug.