[Dnsmasq-discuss] bind-dynamic versus bind-interface

Simon Kelley simon at thekelleys.org.uk
Fri Nov 23 14:05:21 GMT 2012


On 23/11/12 12:50, Gene Czarcinski wrote:
> Libvirt is in the process of changing from using bind-interface to using
> bind-dynamic to fix a security related issue where dnsmasq was
> responding to port 53 queries which did not occur on an address on the
> virtual network interface that instance of dnsmasq was supporting.
> 


This is a real can of worms. There are now three different "modes" which
have different pros and cons, and a deep understanding of the issues is
required to select the correct one in any given situation. The best I
can do is to try and explain.

The aims when writing a UDP server are to accept UDP packets containing
requests from a configured subset of the server's interfaces, and
send replies which have a source address equal to the destination address of
the corresponding request.


The classic way to do this is to find the address(es) assigned to the host's
interface(s), remove from this set any addresses belonging to interfaces
which we don't want to serve, and then create a set of sockets, each one
bound to one of the interface addresses. A request arrives at the
socket, the reply is created and sent back over the same socket. This
ensures that the source address of the reply is correct.

The second way is to bind a single socket to the wildcard address. When
a request arrives at that socket, some funky, non-portable, API is used
to determine which interface the request arrived on (this allows
filtering) and the address it was sent to. The reply is sent back over
the same wildcard socket, using another non-portable API to set the
source address to the address to which the original request was sent.


The advantage of the first method is that it works everywhere because it
uses only Posix calls. In addition it allows for more than one server process
on the same port, as long as they are listening on different addresses.
The disadvantage is that it fails if the set of interfaces or their
addresses change over time. Finally, it fails if a request arrives at
an interface which should be ignored, but sent to the address of an
interface on which service is provided. (This is the libvirt
security hole).


The second method fixes both disadvantages of the first method: it's
immune to interface changes and it doesn't have the security hole. It
fails to allow more than one server on a machine, and it's not possible
on some platforms because they don't provide any form of the
non-portable API. (This still applies to netBSD, I think.)


Bind-dynamic tries to keep the good bits of the two existing modes and
remove the disadvantages. It uses a separate socket for each address
(multiple server processes OK) but also checks the arrival interface (no
security hole). Finally, it hooks OS events that trigger when interfaces
change, and rescans the interfaces and addresses, so it works when
interfaces come and go. The disadvantage is that this needs even more
non-portable API, such that it only works on Linux.


> OK, now a question.  Are there conditions where using bind-interface is
> preferred instead of bind-dynamic?  I assume that, "continues to work"
> like it has in the past, is not a valid reason.
>

The only reason to use bind-interfaces instead of bind-dynamic is that
you are, or might be, running on something other than Linux. Under these
circumstances, if dnsmasq is configured with --bind-dynamic, it will log
a warning and fall back to --bind-interfaces. Similarly, on
platforms like netBSD where the "bind-wildcard" mode can't be supported,
it has always fallen back on --bind-interfaces.


Cheers,

Simon.
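As an added illustration of the second ("wildcard socket") mode described in the message above, and of the arrival-interface check that closes the hole the classic per-address mode has, here is a minimal Linux-only UDP responder. This is example code written for this page, not dnsmasq's or libvirt's code: it binds one socket to the wildcard address, reads the arrival interface and destination address of each request from the IP_PKTINFO control message, drops requests that did not arrive on a served interface even if they were addressed to a served address, and answers with the source address forced to the address the request was sent to. The allowlist policy (interface_is_served), the served interface name "lo", the loopback round trip in demo_roundtrip and the locally declared pktinfo_v4 struct are assumptions made for the demonstration; bind-dynamic's further step, rescanning addresses when the kernel reports an interface change, is not shown.

```c
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Same layout as Linux's struct in_pktinfo (glibc hides that unless _GNU_SOURCE is set). */
struct pktinfo_v4 {
    int            ifindex;   /* recv: arrival interface; send: 0 = let the kernel route */
    struct in_addr spec_dst;  /* send: source address the kernel must use */
    struct in_addr addr;      /* recv: destination address of the request */
};

/* Assumed policy: answer only requests that arrived on an allowed interface. */
int interface_is_served(unsigned ifindex, const unsigned *served, size_t n)
{
    while (n--) if (served[n] == ifindex) return 1;
    return 0;
}

/* One wildcard-bound UDP socket with IP_PKTINFO enabled (port 0 = ephemeral). */
int open_wildcard_udp(in_port_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), one = 1;
    struct timeval tmo = { .tv_sec = 2 };              /* a failure must not hang */
    struct sockaddr_in any = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (fd < 0) return -1;
    if (setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof tmo) < 0 ||
        bind(fd, (struct sockaddr *)&any, sizeof any) < 0) { close(fd); return -1; }
    return fd;
}

/* Receive one datagram plus the IP_PKTINFO cmsg naming its arrival interface and
 * destination address. -1 on error or no cmsg: then the request must not be answered. */
ssize_t recv_with_pktinfo(int fd, void *buf, size_t len,
                          struct sockaddr_in *from, struct pktinfo_v4 *pi)
{
    union { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof *pi)]; } ctl;
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_name = from, .msg_namelen = sizeof *from, .msg_iov = &iov,
                          .msg_iovlen = 1, .msg_control = ctl.raw, .msg_controllen = sizeof ctl.raw };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(pi, CMSG_DATA(c), sizeof *pi);
            return n;
        }
    return -1;
}

/* Reply on the same wildcard socket with the source forced to the request's destination
 * address; a plain sendto() would use the route's preferred source address instead. */
ssize_t send_with_source(int fd, const void *buf, size_t len,
                         const struct sockaddr_in *to, struct in_addr source)
{
    struct pktinfo_v4 pi = { .ifindex = 0, .spec_dst = source };
    union { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof pi)]; } ctl = { .raw = { 0 } };
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = { .msg_name = (void *)to, .msg_namelen = sizeof *to, .msg_iov = &iov,
                          .msg_iovlen = 1, .msg_control = ctl.raw, .msg_controllen = sizeof ctl.raw };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_len = CMSG_LEN(sizeof pi);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return sendmsg(fd, &msg, 0);
}

/* Loopback round trip: serve only requests that arrived on "lo", reply from the exact
 * address the client asked, and have the client verify that. 0 on success, else -(step). */
int demo_roundtrip(void)
{
    unsigned served[] = { if_nametoindex("lo") };      /* assumed served interface */
    int srv = open_wildcard_udp(0), cli = open_wildcard_udp(0), rc = -1;
    struct sockaddr_in target, from, reply_from;
    socklen_t tlen = sizeof target, rlen = sizeof reply_from;
    struct pktinfo_v4 pi;
    char req[16], rsp[16];
    if (srv < 0 || cli < 0 || served[0] == 0 ||
        getsockname(srv, (struct sockaddr *)&target, &tlen) < 0) goto out;
    target.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* the client asks 127.0.0.1:port */
    if (sendto(cli, "ping", 4, 0, (struct sockaddr *)&target, sizeof target) != 4 ||
        recv_with_pktinfo(srv, req, sizeof req, &from, &pi) != 4) { rc = -2; goto out; }
    /* The two checks per-address binding cannot make, made before any reply goes out. */
    if (!interface_is_served((unsigned)pi.ifindex, served, 1)) { rc = -3; goto out; }
    if (pi.addr.s_addr != htonl(INADDR_LOOPBACK)) { rc = -4; goto out; }
    if (send_with_source(srv, "pong", 4, &from, pi.addr) != 4 ||
        recvfrom(cli, rsp, sizeof rsp, 0, (struct sockaddr *)&reply_from, &rlen) != 4) { rc = -5; goto out; }
    rc = (memcmp(rsp, "pong", 4) == 0 && reply_from.sin_port == target.sin_port &&
          reply_from.sin_addr.s_addr == target.sin_addr.s_addr) ? 0 : -6;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return rc;
}
```

To run it, call demo_roundtrip() from a main() of your own on a Linux host; 0 means the request passed both checks and the client saw the reply come from the address and port it sent to. The point of the two checks in demo_roundtrip is the libvirt case from the message: with one socket per address, a request that arrives on an unserved interface but carries a served destination address is indistinguishable from a legitimate one; with IP_PKTINFO the arrival interface is visible and the request can be dropped before a reply is built. The same control message is what makes the reply's source address correct without needing a socket per address.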
