[Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface
Simon Kelley
simon at thekelleys.org.uk
Sat Sep 14 20:36:09 BST 2019
On 13/09/2019 13:37, Tore Anderson wrote:
> * Tore Anderson
>
>> Start out with the following /etc/dnsmasq.conf, replacing «wlp2s0» as appropriate:
>>
>> log-queries
>> no-hosts
>> no-resolv
>> server=1.1.1.1@wlp2s0
>>
>> Start Dnsmasq and send it a TCP query:
>>
>> $ src/dnsmasq -d -p 5333
>
> Bisected:
>
> 305ffb5ef0ba5ab1df32ef80f266a4c9e395ca13 is the first bad commit
> commit 305ffb5ef0ba5ab1df32ef80f266a4c9e395ca13
> Author: Simon Kelley <simon at thekelleys.org.uk>
> Date: Sat Mar 16 18:17:17 2019 +0000
>
> Improve kernel-capability manipulation code under Linux.
>
> Dnsmasq now fails early if a required capability is not available,
> and tries not to request capabilities not required by its
> configuration.
>
> :100644 100644 b942ec269cc6c1b7614a9d57cb0b9468507f031c f2d38a0f9bb73b4f480cd323f49cd574fc3e2744 M CHANGELOG
> :040000 040000 a4dd29e7fbdac449dd9b502e012beb2c25a47387 7b0eb0f197c0cb857981c607be8b08d62cee9ff3 M src
>
> After some more debugging I realised that this is a heisenbug.
>
> Starting Dnsmasq with the «-d» option does not accurately reproduce the problem, since it will not drop privileges in debug mode.
>
> To me it looks as if using a server specified with an interface requires root privileges.
>
> Thus, to trigger the actual bug, there are two options:
>
> 1) Start Dnsmasq as non-root (broken on any version, at least since v2.80).
> 2) Start Dnsmasq as root (this works in v2.80, but is broken since 305ffb5 presumably because Dnsmasq now drops privileges it is going to need later on).
>
Nicely analysed. My guess is that the code which determines (at startup)
if the process needs to keep CAP_NET_BIND_SERVICE when it drops root
fails in this case. If this is corrected, then starting dnsmasq with
this config as non-root should fail at startup.
Back in a mo.....
Simon.
> Tore
>
>
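Added example, not part of the original message or of dnsmasq's code: a small check for the diagnosis discussed above, decoding which capabilities a process still holds after dropping root from the CapEff line of /proc/<pid>/status. The two status excerpts are constructed samples, and the capability list passed to missing() is the caller's assumption about what the configuration needs.

```python
import re
import sys

# Bit numbers as defined in <linux/capability.h>.
CAP_BITS = {
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
}

# Constructed samples of /proc/<pid>/status, not captured from a real host.
SAMPLE_ROOT = (
    "Name:\tdnsmasq\nUid:\t0\t0\t0\t0\n"
    "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
)
SAMPLE_DROPPED = (
    "Name:\tdnsmasq\nUid:\t99\t99\t99\t99\n"
    "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
)

def parse_status(text):
    """Return (effective uid, effective capability mask) from a status body."""
    # The Uid line holds real, effective, saved and filesystem uids in that order.
    uid = re.search(r"^Uid:\s+\d+\s+(\d+)", text, re.M)
    cap = re.search(r"^CapEff:\s+([0-9a-fA-F]+)", text, re.M)
    if not uid or not cap:
        raise ValueError("Uid or CapEff line missing")
    return int(uid.group(1)), int(cap.group(1), 16)

def retained(text):
    """Names from CAP_BITS whose bit is set in the effective set."""
    _, mask = parse_status(text)
    return sorted(name for name, bit in CAP_BITS.items() if (mask >> bit) & 1)

def missing(text, needed):
    """Capabilities in `needed` that the process no longer holds."""
    return sorted(set(needed) - set(retained(text)))

if __name__ == "__main__":
    # With a pid argument, inspect that process; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            body = fh.read()
    else:
        body = SAMPLE_DROPPED
    print("euid", parse_status(body)[0], "holds", retained(body))
```

Run it with the pid of the daemon once it has finished starting, since a process started with -d never drops privileges and will not show the reduced set.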