Hi Simon,

I am sure this is already an old issue. I forgot to mark the patch presence
in the subject. I proposed a way to fall back to kernel-assigned outgoing
ports. Is it unacceptable? Have you even noticed the patches? Could you
check whether they could be used?

I think any new deployments of dnsmasq would have working random port
generation built into the kernel. A disadvantage of the current code is that it does
not follow the sysctl net.ipv4.ip_local_port_range configured in the kernel.


On 8/21/18 11:24 PM, Simon Kelley wrote:
> On 10/08/18 13:37, Petr Menšík wrote:
>> Hello,
>> we discovered our dnsmasq was also using privileged source ports when
>> sending queries. Interestingly enough, it has the right to do it, because it
>> has to listen also on a privileged port. It never drops such privilege.
>> It was fixed in commit [1]. But my question is, why is there even a custom
>> generator of random ports, when the OS can do it itself? And usually far
>> better? So I dug a bit into it and came up with a patch that would use
>> random ports from the OS by default.
>> When I tested it, I got the same results when skipping the bind() call on
>> random ports at all. Is there some reason why dnsmasq does not follow
>> the OS policy for the outgoing source port and chooses its own range by itself?
>> 1.
>> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=baf553db0cdb50707ddab464fb3eff7786ea576c
> The random port code was added to dnsmasq in response to the Kaminsky
> Birthday attack paper, which was in 2009. At that point, there were
> still people seriously running routers (and therefore dnsmasq) on Linux
> 2.0 kernels. As best I remember, I did it the way I did because I
> couldn't be sure that all the platforms dnsmasq would run on would
> allocate sufficiently random ports: RFC6056 was still more than a year
> in the future.
> I'm sure that code could be simplified now.
> Simon.
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973
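The thread's point is that binding an outgoing UDP socket with port 0 lets the kernel choose the source port, and that a modern kernel then follows sysctl net.ipv4.ip_local_port_range (with RFC 6056-style randomisation) instead of a range hard-coded in the resolver. The following is an added example, not dnsmasq code and not from either poster: it binds a UDP socket with sin_port = 0, reads back the port the kernel chose, checks it against two defender-relevant properties (the port is unprivileged, and it lies inside the configured range), and counts how many distinct ports the kernel hands out across a batch of sockets. It assumes a Linux host for the /proc/sys path; on other systems the range check is skipped and only the privileged-port check applies.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read the kernel's ephemeral port range from sysctl net.ipv4.ip_local_port_range.
 * Returns 0 on success, -1 if the file is unreadable (for example on a non-Linux host). */
int read_local_port_range(int *lo, int *hi)
{
    FILE *f = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
    if (f == NULL)
        return -1;
    int n = fscanf(f, "%d %d", lo, hi);
    fclose(f);
    return (n == 2) ? 0 : -1;
}

/* Open a UDP socket and bind it with sin_port = 0, which asks the kernel to
 * choose the source port (the fallback proposed in the thread).
 * Returns the port the kernel chose, or -1 on error. */
int kernel_assigned_port(void)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = 0;                       /* 0 = let the kernel pick */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return ntohs(sa.sin_port);
}

/* A port is acceptable for an outgoing query if it is unprivileged (>= 1024) and,
 * when a range is known (lo/hi > 0), lies inside the configured range. */
int port_is_acceptable(int port, int lo, int hi)
{
    if (port < 1024)
        return 0;
    if (lo > 0 && hi > 0 && (port < lo || port > hi))
        return 0;
    return 1;
}

/* Let the kernel choose `samples` ports and count how many distinct values appear.
 * A kernel that randomises source ports yields many distinct values; a kernel
 * that handed out a fixed or strictly sequential port would score low. */
int count_distinct_ports(int samples)
{
    int seen[256];
    int distinct = 0;
    if (samples > 256)
        samples = 256;
    for (int i = 0; i < samples; i++) {
        int p = kernel_assigned_port();
        if (p < 0)
            continue;
        int dup = 0;
        for (int j = 0; j < distinct; j++)
            if (seen[j] == p) { dup = 1; break; }
        if (!dup)
            seen[distinct++] = p;
    }
    return distinct;
}

/* Check one kernel-assigned port against the policy above: 1 if acceptable, 0 otherwise. */
int kernel_port_follows_policy(void)
{
    int lo = 0, hi = 0;
    if (read_local_port_range(&lo, &hi) != 0)
        lo = hi = 0;  /* range unknown on this host: only the privileged-port check applies */
    return port_is_acceptable(kernel_assigned_port(), lo, hi);
}

int main(void)
{
    int lo = 0, hi = 0;
    if (read_local_port_range(&lo, &hi) == 0)
        printf("ip_local_port_range = %d-%d\n", lo, hi);
    else
        printf("ip_local_port_range not readable on this host\n");
    printf("kernel-assigned port: %d (policy ok: %d)\n",
           kernel_assigned_port(), kernel_port_follows_policy());
    printf("distinct ports in 32 samples: %d\n", count_distinct_ports(32));
    return 0;
}
```

Running it as root shows the property that motivated the original fix: because the kernel never allocates an ephemeral port below the configured range, a bind-with-port-0 socket cannot land on a privileged port even when the process still holds the privilege to bind one. Compare the printed range with what a resolver's own generator would produce to see whether it honours the administrator's sysctl.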
