Discussion:
[Dnsmasq-discuss] No more random source port
Risto Suominen
2017-03-20 17:33:01 UTC
Permalink
Hi,

I'm running Lubuntu 16.04 with dnsmasq 2.75-1ubuntu0.16.04.1 under
NetworkManager's control.

When forwarding DNS requests, dnsmasq uses same source port (per
interface) every time.

Compared to Ubuntu 14.04 with dnsmasq 2.68-1ubuntu0.1, which used
different ports.

The command line options for dnsmasq have not changed between these
versions, and there is no config file either.

So, I wonder, is there some change in dnsmasq itself that could
explain this behaviour change?

My problem is that my 4G router (TP-Link TL-MR6400) won't answer to
the requests coming from same port.

Risto
Albert ARIBAUD
2017-03-20 18:30:12 UTC
Permalink
Hi Risto,

Le Mon, 20 Mar 2017 19:33:01 +0200
Post by Risto Suominen
Hi,
I'm running Lubuntu 16.04 with dnsmasq 2.75-1ubuntu0.16.04.1 under
NetworkManager's control.
When forwarding DNS requests, dnsmasq uses same source port (per
interface) every time.
Compared to Ubuntu 14.04 with dnsmasq 2.68-1ubuntu0.1, which used
different ports.
The command line options for dnsmasq have not changed between these
versions, and there is no config file either.
So, I wonder, is there some change in dnsmasq itself that could
explain this behaviour change?
I don't kow about dnsmasq per se, but the range of ports an application
can use is controlled by the kernel -- on my 16.04 Xubuntu, that is
defined by /proc/sys/net/ipv4/ip_local_port_range. Does your system
limit this range?
Post by Risto Suominen
My problem is that my 4G router (TP-Link TL-MR6400) won't answer to
the requests coming from same port.
Not sure what you mean exactly. "Same port" as what?
Post by Risto Suominen
Risto
Amicalement,
--
Albert.
Albert ARIBAUD
2017-03-20 19:05:40 UTC
Permalink
Bonjour,

Le Mon, 20 Mar 2017 20:54:51 +0200
Hi Albert,
Post by Albert ARIBAUD
I don't kow about dnsmasq per se, but the range of ports an
application can use is controlled by the kernel -- on my 16.04
Xubuntu, that is defined by /proc/sys/net/ipv4/ip_local_port_range.
Does your system limit this range?
32768 60999
Post by Albert ARIBAUD
Not sure what you mean exactly. "Same port" as what?
Same as in previous request. The router is another forwarder for the
DNS requests (dnsmasq is the first).
(I don't see the point of this restruction but hey, that's TP-Link's
choice.)
- $ host xxx 127.0.1.1 -> no response (via dnsmasq to router)
- $ host xxx 192.168.1.1 -> response (directly to router)
The difference is that 'host' uses varying random source ports, and
'dnsmasq' uses one preallocated random source port.
Ok, so the OS is not limiting the ports per se.

You said the command line did not change. Which is it exactly? I
usually do a "cat /proc/<pid-of-dnsmasq>/cmdline | tr '\0' '\n' to make
sure I see the real command line of the running dnsmasq.
Risto
Amicalement,
--
Albert.
Risto Suominen
2017-03-20 19:22:55 UTC
Permalink
Post by Albert ARIBAUD
(I don't see the point of this restruction but hey, that's TP-Link's
choice.)
I might use the word 'bug' instead of 'choice'.
Post by Albert ARIBAUD
Ok, so the OS is not limiting the ports per se.
You said the command line did not change. Which is it exactly? I
usually do a "cat /proc/<pid-of-dnsmasq>/cmdline | tr '\0' '\n' to make
sure I see the real command line of the running dnsmasq.
/usr/sbin/dnsmasq
--no-resolv
--keep-in-foreground
--no-hosts
--bind-interfaces
--pid-file=/var/run/NetworkManager/dnsmasq.pid
--listen-address=127.0.1.1
--cache-size=0
--conf-file=/dev/null
--proxy-dnssec
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq
--conf-dir=/etc/NetworkManager/dnsmasq.d

Risto
Albert ARIBAUD
2017-03-20 20:18:17 UTC
Permalink
Hi Risto,

Le Mon, 20 Mar 2017 21:22:55 +0200
Post by Risto Suominen
Post by Albert ARIBAUD
(I don't see the point of this restruction but hey, that's TP-Link's
choice.)
I might use the word 'bug' instead of 'choice'.
Post by Albert ARIBAUD
Ok, so the OS is not limiting the ports per se.
You said the command line did not change. Which is it exactly? I
usually do a "cat /proc/<pid-of-dnsmasq>/cmdline | tr '\0' '\n' to
make sure I see the real command line of the running dnsmasq.
/usr/sbin/dnsmasq
--no-resolv
--keep-in-foreground
--no-hosts
--bind-interfaces
--pid-file=/var/run/NetworkManager/dnsmasq.pid
--listen-address=127.0.1.1
--cache-size=0
--conf-file=/dev/null
--proxy-dnssec
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq
--conf-dir=/etc/NetworkManager/dnsmasq.d
Risto
Ok, so exactly the same options as I have on my Xubuntu, and my local
dnsmasq is 2.75 too, and it uses random ports.

So, back to the basics: let's start with a capture of DNS traffic. Can
you run wireshark or tcpdump on your Lubuntu and capture a few requests
for resolution?

Amicalement,
--
Albert.
Risto Suominen
2017-03-20 21:01:36 UTC
Permalink
Hi Albert,

Thanks for your help so far.
Post by Albert ARIBAUD
So, back to the basics: let's start with a capture of DNS traffic. Can
you run wireshark or tcpdump on your Lubuntu and capture a few requests
for resolution?
Attached a small pcap. What I did:
1) 'host google.com'
2) 'host google.fi'
3) 'host google.com 192.168.1.1'
4) 'host google.fi 192.168.1.1'

1) and 2) go through dnsmasq, and use same source port.

In this case I get an answer: this is a different router, a Zyxel.
I'll try to make this same test against TP-Link..

Risto
Risto Suominen
2017-03-20 21:08:13 UTC
Permalink
Ok, no pcap attachments, here is a link, I hope it gets through:

https://www.dropbox.com/s/3nfx2kr2kxsw0ud/dns-01.pcap?dl=1

Risto
Risto Suominen
2017-03-20 21:27:07 UTC
Permalink
This is the pcap against TP-link:

https://www.dropbox.com/s/c1edxlpmar8euvi/dns-02.pcap?dl=1

This time I only did:

1) 'host google.com 192.168.1.1'
2) 'host google.fi 192.168.1.1'

The rest of the requests came through dnsmasq, and received no answer.
They are repeated forever.

Risto
Albert ARIBAUD
2017-03-20 22:03:34 UTC
Permalink
Hi again Risto,

Le Mon, 20 Mar 2017 23:27:07 +0200
Post by Risto Suominen
https://www.dropbox.com/s/c1edxlpmar8euvi/dns-02.pcap?dl=1
1) 'host google.com 192.168.1.1'
2) 'host google.fi 192.168.1.1'
The rest of the requests came through dnsmasq, and received no answer.
They are repeated forever.
Source IP is not the same in both pcaps. 1st pcap queries 8.8.8.8 and
192.168.1.1 from 192.168.1.33, while 2nd pcap queries are from
192.168.1.100. Can you clarify your network setup?
Post by Risto Suominen
Risto
Amicalement,
--
Albert.
Risto Suominen
2017-03-21 06:48:56 UTC
Permalink
Hi Albert,
Post by Albert ARIBAUD
Source IP is not the same in both pcaps. 1st pcap queries 8.8.8.8 and
192.168.1.1 from 192.168.1.33, while 2nd pcap queries are from
192.168.1.100. Can you clarify your network setup?
IP is differerent, but MAC is the same. I'm currently using Zyxel
router (pcap 1), because it's working. With TP-Link router (pcap 2) I
don't reach the Internet, because of the DNS problem.

So, I simply plugged my computer to different routers. In both cases
the router's DHCP server gave me IP and DNS addresses, Zyxel:
192.168.1.33 and 8.8.8.8 (its own address is 192.168.1.1). TP-Link:
192.168.1.100 and 192.168.1.1 (its own address).

Possibly the problem with TP-Link depends on this behaviour
(forwarding DNS requests). (NAT routers typically allocate random
ports internally for forwarded requests.)

I might change Zyxel's setup so that it gives me its own address as
DNS, to see how it behaves in that situation. In TP-Link I have not
found a way to do the opposite.

Risto
Risto Suominen
2017-03-21 12:30:28 UTC
Permalink
Zyxel doesn't have a problem with same source port:

https://www.dropbox.com/s/wxdl480hwr39j12/dns-03.pcap?dl=1

Same commands as in pcap-01.

Risto
Albert ARIBAUD
2017-03-21 20:47:40 UTC
Permalink
Bonjour,

Le Tue, 21 Mar 2017 14:30:28 +0200
Post by Risto Suominen
https://www.dropbox.com/s/wxdl480hwr39j12/dns-03.pcap?dl=1
Same commands as in pcap-01.
Risto
I can't see why your dnsmasq would only use one port. This would be the
behavior for -Q0 (or -Q45807, but your dnsmasq does not have this option
in its command line.

Did you check apparmor or SELinux?

Amicalement,
--
Albert.
Risto Suominen
2017-03-22 16:30:56 UTC
Permalink
Hi Albert,
Post by Albert ARIBAUD
I can't see why your dnsmasq would only use one port. This would be the
behavior for -Q0 (or -Q45807, but your dnsmasq does not have this option
in its command line.
I took in the source package and added some log entries (from syslog):

Mar 20 22:11:59 risto-Macmini dnsmasq[30248]: main: port=53
Mar 20 22:11:59 risto-Macmini dnsmasq[30248]: pre_allocate_sfds: query_port=0
Mar 20 22:11:59 risto-Macmini dnsmasq[30248]: started, version 2.75
cache disabled
Mar 20 22:11:59 risto-Macmini dnsmasq[30248]: compile time options:
IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset
auth DNSSEC loop-detect inotify
Mar 20 22:11:59 risto-Macmini dnsmasq[30248]: DBus support enabled:
connected to system bus
Mar 20 22:11:59 risto-Macmini dnsmasq[30248]: warning: no upstream
servers configured
Mar 20 22:12:00 risto-Macmini dnsmasq[30248]: setting upstream servers from DBus
Mar 20 22:12:00 risto-Macmini dnsmasq[30248]: check_servers: flags=90
Mar 20 22:12:00 risto-Macmini dnsmasq[30248]: check_servers: sfd=(nil) (before)
Mar 20 22:12:00 risto-Macmini dnsmasq[30248]: check_servers:
sfd=0x555fbb7955a0 (after)
Mar 20 22:12:00 risto-Macmini dnsmasq[30248]: using nameserver
8.8.8.8#53(via eth0)

This shows that the 'sfd' is allocated in function 'check_servers' (in
file 'network.c'). This file descriptor is used later to send the
forwarded queries. It can be seen in 'netstat -ln --inet':

udp 0 0 0.0.0.0:45807 0.0.0.0:*
Post by Albert ARIBAUD
Did you check apparmor or SELinux?
No. How should I do that?

Risto
Simon Kelley
2017-03-22 22:04:22 UTC
Permalink
Post by Risto Suominen
Mar 20 22:12:00 risto-Macmini dnsmasq[30248]: using nameserver
8.8.8.8#53(via eth0)
This indicates that dnsmasq has been configured to force the packets to
the upstream server via eth0. To do that requires an operation on the
socket which can only be done as root, so the socket has to be
pre-allocated and there's no random source port.

It looks like dnsmasq is being configured by networkmanager via the
DBus, and I guess it's that which is doing the configuration of the
upstream server.


Cheers,

Simon.
Risto Suominen
2017-03-23 16:40:10 UTC
Permalink
Hi Simon,
Post by Simon Kelley
This indicates that dnsmasq has been configured to force the packets to
the upstream server via eth0. To do that requires an operation on the
socket which can only be done as root, so the socket has to be
pre-allocated and there's no random source port.
From the comments in the source code I got the impression that root
priviledges are held in pre_allocate_sfds(), but not in
check_servers(). The latter is where the socket is allocated.
Post by Simon Kelley
It looks like dnsmasq is being configured by networkmanager via the
DBus, and I guess it's that which is doing the configuration of the
upstream server.
Yes. And this same seems to happen in at least Lubuntu 14.04 with
dnsmasq 2.68 (now 16.04/2.75). But it uses random ports. So, something
has changed, if not in dnsmasq, then possibly in NetworkManager.

Risto

/dev/rob0
2017-03-21 14:23:51 UTC
Permalink
Post by Risto Suominen
Post by Albert ARIBAUD
You said the command line did not change. Which is it exactly? I
usually do a "cat /proc/<pid-of-dnsmasq>/cmdline | tr '\0' '\n'
to make sure I see the real command line of the running dnsmasq.
/usr/sbin/dnsmasq
--no-resolv
--keep-in-foreground
--no-hosts
--bind-interfaces
--pid-file=/var/run/NetworkManager/dnsmasq.pid
--listen-address=127.0.1.1
--cache-size=0
--conf-file=/dev/null
--proxy-dnssec
--enable-dbus=org.freedesktop.NetworkManager.dnsmasq
--conf-dir=/etc/NetworkManager/dnsmasq.d
Did you ever show us the contents of this --conf-dir? It could have
a file with "query-port".
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Risto Suominen
2017-03-21 14:39:17 UTC
Permalink
Hi,
Post by /dev/rob0
Did you ever show us the contents of this --conf-dir? It could have
a file with "query-port".
--
Good point. I forgot. I did check it, though, and the directory was empty.

Risto
Continue reading on narkive:
Loading...