[Dnsmasq-discuss] DNS query random ports
Petr Menšík
2018-08-10 12:37:32 UTC
Hello,

we discovered our dnsmasq was also using privileged source ports when
sending queries. Interestingly enough, it has the right to do it, because it
has to listen on a privileged port as well. It never drops that privilege.

It was fixed in commit [1]. But my question is, why is there even a custom
generator of random ports, when the OS can do it itself? And usually far
better? So I dug a bit into it and came up with a patch that would use
random ports from the OS by default.

When I tested it, I got the same results when skipping the bind() call on
random ports altogether. Is there some reason why dnsmasq does not follow
the OS policy for the outgoing source port and chooses its own range by itself?

1.
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=baf553db0cdb50707ddab464fb3eff7786ea576c
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: ***@redhat.com PGP: 65C6C973
Simon Kelley
2018-08-21 21:24:30 UTC
Post by Petr Menšík
Hello,
we discovered our dnsmasq was also using privileged source ports when
sending queries. Interestingly enough, it has the right to do it, because it
has to listen on a privileged port as well. It never drops that privilege.
It was fixed in commit [1]. But my question is, why is there even a custom
generator of random ports, when the OS can do it itself? And usually far
better? So I dug a bit into it and came up with a patch that would use
random ports from the OS by default.
When I tested it, I got the same results when skipping the bind() call on
random ports altogether. Is there some reason why dnsmasq does not follow
the OS policy for the outgoing source port and chooses its own range by itself?
1.
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=baf553db0cdb50707ddab464fb3eff7786ea576c
The random port code was added to dnsmasq in response to the Kaminsky
Birthday attack paper, which was in 2009. At that point, there were
still people seriously running routers (and therefore dnsmasq) on Linux
2.0 kernels. As best I remember, I did it the way I did because I
couldn't be sure that all the platforms dnsmasq would run on would
allocate sufficiently random ports: RFC6056 was still more than a year
in the future.
I'm sure that code could be simplified now.

Simon.
Petr Mensik
2018-11-07 11:55:13 UTC
Hi Simon,

I am sure this is already an old issue. I forgot to mark the patch's presence
in the subject. I proposed a way to fall back to kernel-assigned outgoing
ports. Is it unacceptable? Have you even noticed the patches? Could you
check whether they could be used?

I think any new deployments of dnsmasq would have working random port
generation built into the kernel. A disadvantage of the current code is that it
does not follow the sysctl net.ipv4.ip_local_port_range configured in the kernel.

Cheers,
Petr
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: ***@redhat.com PGP: 65C6C973
Simon Kelley
2018-11-08 20:49:30 UTC
Post by Petr Mensik
Hi Simon,
I am sure this is already an old issue. I forgot to mark the patch's presence
in the subject. I proposed a way to fall back to kernel-assigned outgoing
ports. Is it unacceptable? Have you even noticed the patches? Could you
check whether they could be used?
I think any new deployments of dnsmasq would have working random port
generation built into the kernel. A disadvantage of the current code is that it
does not follow the sysctl net.ipv4.ip_local_port_range configured in the kernel.
I thought, though I didn't explicitly say it in my reply, that there
were good reasons, at the time, for doing it the way it's done. Those
reasons don't apply now, but it works, so why change? The
net.ipv4.ip_local_port_range is an additional consideration, I guess
we'd have to deprecate the --min-port and --max-port dnsmasq options.
Cheers,

Simon.
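As an added example (not dnsmasq's code, nor the patch Petr refers to), here are the two source-port strategies the thread contrasts, written in C against the BSD socket API: a userspace choice from a configured range bound explicitly, the approach behind dnsmasq's --min-port/--max-port, versus leaving the choice to the kernel, which on Linux draws from net.ipv4.ip_local_port_range; a privileged-port check covers the defect the first message describes. Function names, the loopback address and the 32-try limit are my assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* The defect the thread opens with: a resolver that keeps the privilege to
   bind port 53 can also pick a query source port below 1024. */
int is_privileged_port(int port) { return port > 0 && port < 1024; }

/* Approach A (dnsmasq-style): choose a port from [lo, hi] in userspace and
   bind() it explicitly. rand() is a stand-in for the resolver's own generator;
   a real resolver needs an unpredictable source (RFC 6056). Returns port or 0. */
int bind_own_random_port(int fd, int lo, int hi) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    for (int tries = 0; tries < 32; tries++) {           /* 32 tries: assumed limit */
        int port = lo + rand() % (hi - lo + 1);
        sa.sin_port = htons((unsigned short)port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) return port;
        if (errno != EADDRINUSE) return 0;               /* e.g. EACCES below 1024 */
    }
    return 0;
}

/* Approach B (Petr's proposal): leave the choice to the kernel, which draws from
   net.ipv4.ip_local_port_range. Binding port 0 makes the choice visible through
   getsockname(); skipping bind() entirely gets the same selection at send time. */
int kernel_random_port(int fd) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) return 0;   /* sin_port is 0 */
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0) return 0;
    return ntohs(sa.sin_port);
}

/* Open a UDP socket, pick a port one way (own != 0: ourselves; else kernel), close it. */
int pick_port(int own, int lo, int hi) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return 0;
    int p = own ? bind_own_random_port(fd, lo, hi) : kernel_random_port(fd);
    close(fd);
    return p;
}
```

Run as an unprivileged user, approach A with lo/hi below 1024 fails with EACCES, while approach B never lands there; only a process that kept the privilege to bind port 53 can reproduce the original problem with approach A.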