Hi Simon,

I am sure this is already an old issue. I forgot to mark patch presence in the subject. I proposed a way to fall back to kernel-assigned outgoing ports. Is it unacceptable? Have you even noticed the patches? Could you check if they could be used?
I think any new deployment of dnsmasq would have working random port generation built into the kernel. A disadvantage of the current code is that it does not follow the sysctl net.ipv4.ip_local_port_range configured in the kernel.

Cheers,
Petr

On 8/21/18 11:24 PM, Simon Kelley wrote:
> On 10/08/18 13:37, Petr Menšík wrote:
>> Hello,
>>
>> we discovered our dnsmasq was also using privileged source ports when
>> sending queries. Interestingly enough, it has the right to do it, because it
>> has to listen also on a privileged port. It never drops that privilege.
>>
>> It was fixed in commit [1]. But my question is, why is there even a custom
>> generator of random ports, when the OS can do it itself? And usually far
>> better? So I dug a bit into it and came up with a patch that would use
>> random ports from the OS by default.
>>
>> When I tested it, I got the same results when skipping the bind() call on
>> random ports at all. Is there some reason why dnsmasq does not follow
>> the OS policy for the outgoing source port and chooses its own range by itself?
>>
>> 1.
>> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=baf553db0cdb50707ddab464fb3eff7786ea576c
>>
>
> The random port code was added to dnsmasq in response to the Kaminsky
> Birthday attack paper, which was in 2009. At that point, there were
> still people seriously running routers (and therefore dnsmasq) on Linux
> 2.0 kernels. As best I remember, I did it the way I did because I
> couldn't be sure that all the platforms dnsmasq would run on would
> allocate sufficiently random ports: RFC6056 was still more than a year
> in the future.
>
> I'm sure that code could be simplified now.
>
> Simon.
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: 65C6C973
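The kernel-assigned alternative the thread argues for, as an added example that is not part of the thread and not dnsmasq's own code: bind a UDP socket to port 0 so the kernel chooses the ephemeral source port from net.ipv4.ip_local_port_range, read the assigned port back with getsockname(), and check that it is neither privileged (below 1024) nor outside the sysctl range. The example is Linux-specific; the /proc path, the fallback default of 32768-60999 and all function names are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Parse the text form of net.ipv4.ip_local_port_range, e.g. "32768\t60999\n".
 * Returns 0 and fills lo/hi on success, -1 on malformed or inverted input. */
int parse_port_range(const char *text, int *lo, int *hi)
{
    if (sscanf(text, "%d %d", lo, hi) != 2)
        return -1;
    if (*lo < 1 || *hi > 65535 || *lo > *hi)
        return -1;
    return 0;
}

/* Read the kernel's ephemeral port range from /proc (assumed path). Returns 0
 * on success; on failure fills in an assumed Linux default of 32768-60999 and
 * returns 1 so callers know the value is a fallback, not the live sysctl. */
int read_local_port_range(int *lo, int *hi)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
    if (f) {
        int got = fgets(buf, sizeof buf, f) != NULL;
        fclose(f);
        if (got && parse_port_range(buf, lo, hi) == 0)
            return 0;
    }
    *lo = 32768;
    *hi = 60999;
    return 1;
}

/* Ports below 1024 are privileged. A resolver that listens on 53 keeps the
 * right to bind them, but should not spend them on outgoing queries. */
int is_privileged_port(int port)
{
    return port > 0 && port < 1024;
}

/* Open a UDP socket and let the kernel choose the source port: binding to
 * port 0 requests an ephemeral port (sending on an unbound UDP socket triggers
 * the same autobind). getsockname() reads back the port actually assigned.
 * Returns the port in host order, or -1 on error. If fd_out is non-NULL the
 * socket is handed to the caller, otherwise it is closed. */
int kernel_assigned_port(int *fd_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(0);               /* 0 = kernel picks the port */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    if (fd_out)
        *fd_out = fd;
    else
        close(fd);
    return ntohs(sa.sin_port);
}

/* Draw `samples` kernel-assigned ports and count how many fall in the
 * privileged range or outside ip_local_port_range. Returns that count
 * (0 means the kernel policy was honoured), or -1 if no socket could be made. */
int check_kernel_port_policy(int samples)
{
    int lo, hi, i, bad = 0;
    read_local_port_range(&lo, &hi);
    for (i = 0; i < samples; i++) {
        int port = kernel_assigned_port(NULL);
        if (port < 0)
            return -1;
        if (is_privileged_port(port) || port < lo || port > hi)
            bad++;
    }
    return bad;
}

int main(void)
{
    int lo, hi;
    int fallback = read_local_port_range(&lo, &hi);
    printf("ip_local_port_range: %d-%d%s\n", lo, hi,
           fallback ? " (assumed default, /proc not readable)" : "");
    printf("kernel-assigned source port: %d\n", kernel_assigned_port(NULL));
    printf("ports outside policy in 16 samples: %d\n", check_kernel_port_policy(16));
    return 0;
}
```

The check in check_kernel_port_policy() is only as good as the range it reads: when /proc is unavailable the assumed default may not match the running kernel, so a non-zero count with the fallback in use is not by itself evidence of a policy violation. Whether the kernel's choice within that range is unpredictable enough (the RFC 6056 concern Simon raises) is a property of the kernel, not something this check can establish.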