On 07/11/2018 11:55, Petr Mensik wrote:
> Hi Simon,
> I am sure this is already an old issue. I forgot to mark the patch presence
> in the subject. I proposed a way to fall back to kernel-assigned outgoing
> ports. Is it unacceptable? Have you even noticed the patches? Could you
> check if they could be used?
> I think any new deployments of dnsmasq would have working random port
> generation built into the kernel. A disadvantage of the current code is that it
> does not follow the sysctl net.ipv4.ip_local_port_range configured in the kernel.

I thought, though I didn't explicitly say it in my reply, that there
were good reasons, at the time, for doing it the way it's done. Those
reasons don't apply now, but it works, so why change? The
net.ipv4.ip_local_port_range setting is an additional consideration; I guess
we'd have to deprecate the --min-port and --max-port dnsmasq options.
> Cheers,
> Petr
> On 8/21/18 11:24 PM, Simon Kelley wrote:
>> On 10/08/18 13:37, Petr Menšík wrote:
>>> Hello,
>>> we discovered our dnsmasq was also using privileged source ports when
>>> sending queries. Interestingly enough, it has the right to do it, because it
>>> also has to listen on a privileged port. It never drops that privilege.
>>> It was fixed in commit [1]. But my question is, why is there even a custom
>>> generator of random ports, when the OS can do it itself? And usually far
>>> better? So I dug a bit into it and came up with a patch that would use
>>> random ports from the OS by default.
>>> When I tested it, I got the same results when skipping the bind() call on
>>> random ports altogether. Is there some reason why dnsmasq does not follow
>>> the OS policy for outgoing source ports and chooses its own range by itself?
>>> 1.
>>> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=baf553db0cdb50707ddab464fb3eff7786ea576c
>> The random port code was added to dnsmasq in response to the Kaminsky
>> Birthday attack paper, which was in 2009. At that point, there were
>> still people seriously running routers (and therefore dnsmasq) on Linux
>> 2.0 kernels. As best I remember, I did it the way I did because I
>> couldn't be sure that all the platforms dnsmasq would run on would
>> allocate sufficiently random ports: RFC6056 was still more than a year
>> in the future.
>> I'm sure that code could be simplified now.
>> Simon.
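
An added example, not dnsmasq's code and not from anyone in this thread,
showing the two approaches the thread compares: letting the kernel assign
the ephemeral port (bind() to port 0, then read it back with getsockname()),
versus a user-space picker of the kind a resolver carries when it cannot
trust the kernel's allocator, here reading net.ipv4.ip_local_port_range and
refusing privileged ports, which a root-owned daemon could otherwise bind.
All function names, the fallback range 32768-60999 used when /proc is not
readable, and binding to loopback are this example's own assumptions.

```c
/*
 * Added example (not dnsmasq code): two ways for a resolver to get an
 * unpredictable UDP source port, and a check that neither lands on a
 * privileged port.  Function names and the fallback range are assumptions.
 */
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define PRIV_PORT_MAX 1023   /* ports 1..1023 are privileged */

/* sysctl net.ipv4.ip_local_port_range; falls back to the usual Linux
   default (assumed here) when /proc is not readable.  Returns 1 if the
   sysctl was read, 0 if the fallback is in use. */
int read_local_port_range(int *lo, int *hi)
{
    int a, b, ok = 0;
    FILE *f = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
    *lo = 32768;
    *hi = 60999;
    if (f) {
        ok = (fscanf(f, "%d %d", &a, &b) == 2 && a >= 1 && a <= b && b <= 65535);
        fclose(f);
        if (ok) { *lo = a; *hi = b; }
    }
    return ok;
}

/* A port is usable for outgoing queries only if it lies inside the
   configured range and is not privileged.  A daemon that keeps root for
   its listening socket can bind ports below 1024, so the picker itself
   has to refuse them; the kernel will not. */
int port_usable(int port, int lo, int hi)
{
    return port > PRIV_PORT_MAX && port >= lo && port <= hi;
}

/* Way A: let the kernel pick.  bind() with port 0 makes the kernel choose
   an ephemeral port from ip_local_port_range; getsockname() reveals it.
   Returns the port, or -1 on failure. */
int kernel_assigned_port(void)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int port = -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        getsockname(fd, (struct sockaddr *)&sa, &len) == 0)
        port = ntohs(sa.sin_port);
    close(fd);
    return port;
}

/* Way B: user-space picker.  Rejection sampling over /dev/urandom avoids
   the modulo bias that a naive rand() % span would introduce.  Returns a
   port in [lo, hi], or -1 if no entropy source is available. */
int random_port(int lo, int hi)
{
    uint32_t r, span = (uint32_t)(hi - lo + 1);
    uint32_t limit = UINT32_MAX - (UINT32_MAX % span);
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    do {
        if (read(fd, &r, sizeof r) != (ssize_t)sizeof r) { close(fd); return -1; }
    } while (r >= limit);
    close(fd);
    return lo + (int)(r % span);
}

/* Bind a UDP socket to a random usable port, retrying on collisions.
   Returns the bound port or -1; the socket is closed again so the
   example leaves nothing open. */
int bind_random_port(int lo, int hi, int tries)
{
    for (int i = 0; i < tries; i++) {
        int port = random_port(lo, hi);
        if (port < 0 || !port_usable(port, lo, hi)) continue;
        int fd = socket(AF_INET, SOCK_DGRAM, 0);
        if (fd < 0) return -1;
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sa.sin_port = htons((uint16_t)port);
        int ok = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0;
        close(fd);
        if (ok) return port;
    }
    return -1;
}

int main(void)
{
    int lo, hi;
    read_local_port_range(&lo, &hi);
    printf("ip_local_port_range = %d-%d\n", lo, hi);
    printf("kernel-assigned port:   %d\n", kernel_assigned_port());
    printf("user-space random port: %d\n", bind_random_port(lo, hi, 10));
    return 0;
}
```

Running it a few times shows both paths landing inside the sysctl range;
the difference is only who chose the number. The user-space path is the
one that has to carry the privileged-port check, because once the daemon
keeps root for its port 53 listener, bind() on a low port succeeds
silently, which is exactly the behaviour described at the top of the thread.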
