<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Hello. I have another update with more information. It turns out this statement I made isn’t entirely accurate:
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">“Since I knew this did not happen with 2.78 I also tried Dnsmasq versions 2.79 and 2.80 and this does not happen.”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This is true when IPv6 is disabled but if I remove the -DNO_IPV6 flag in the CFLAGS I can get it to happen. Without the -DNO_IPV6 version 2.80 uses ~195 file descriptors and version 2.78 uses ~45 file descriptors.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">To get around this we’re going to roll back to version 2.80 from 2.81, use the -DNO_IPV6 flag, and apply the patch for CVE-2019-14834.<span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> WU, CHRIS <br>
<b>Sent:</b> Wednesday, October 21, 2020 8:02 PM<br>
<b>To:</b> 'dnsmasq-discuss@lists.thekelleys.org.uk' <dnsmasq-discuss@lists.thekelleys.org.uk><br>
<b>Subject:</b> RE: excessive file descriptor usage after upgrading to 2.81<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have more information about what’s happening. It seems that the large number of file descriptors doesn’t change when you leave dnsmasq running. However, I realized that if I restarted dnsmasq that the number of file descriptors in use
went back to normal (less than twenty). <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I looked in /var/log/messages and I saw that there were an excessive number of these failures when dnsmasq initially started after boot. The date is Jan 1 because the clock hadn’t been set yet at this point.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Jan 1 01:00:00 dnsmasq[1149]: failed to create listening socket for 127.0.0.1: Address already in use<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Jan 1 01:00:00 dnsmasq[1149]: failed to create listening socket for 127.0.0.1: Address already in use<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Jan 1 01:00:00 dnsmasq[1149]: failed to create listening socket for 127.0.0.1: Address already in use<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Jan 1 01:00:00 dnsmasq[1149]: failed to create listening socket for 127.0.0.1: Address already in use<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal">The message is printed by the “make_sock” function. I don’t see where it changed significantly between 2.80 and 2.81.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">When I looked up how many times this error appears I found that it is almost equal to the number of file descriptors dnsmasq has open.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"># grep -i failed.to.create /var/log/messages* | wc -l<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">140<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"># lsof -P -n | grep dnsmasq | grep -i udp | wc -l<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in">144<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The “can't identify protocol” in my earlier message was because I was using a version of lsof that didn’t support v6 sockets. After uprading to a newer version of lsof those messages went away.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> WU, CHRIS <br>
<b>Sent:</b> Thursday, October 15, 2020 7:48 PM<br>
<b>To:</b> 'dnsmasq-discuss@lists.thekelleys.org.uk' <<a href="mailto:dnsmasq-discuss@lists.thekelleys.org.uk">dnsmasq-discuss@lists.thekelleys.org.uk</a>><br>
<b>Subject:</b> excessive file descriptor usage after upgrading to 2.81<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello. We’ve been using Dnsmasq version 2.78 for quite a while but upgraded to 2.81 because of CVE-2019-14834. Upon inspecting the output of lsof we realized that Dnsmasq is using almost 200 file descriptors upon boot and after an hour
later the number remains unchanged. Since I knew this did not happen with 2.78 I also tried Dnsmasq versions 2.79 and 2.80 and this does not happen. It looks like it started with 2.81 and also happens with 2.82. My operating environment is armv7l GNU/Linux.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here's an example of (clipped) output of lsof:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">version 2.81 (195 file descriptors open)<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 1222 nobody 187u inet 2847 UDP 10.10.12.1:53<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 1222 nobody 188u sock 0,7 2849 can't identify protocol<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 1222 nobody 189u inet 2853 UDP 10.10.15.1:53<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 1222 nobody 190u inet 2855 UDP 10.10.12.1:53<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 1222 nobody 191u sock 0,7 2857 can't identify protocol<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 1222 nobody 192u inet 2886 UDP 10.10.15.1:53<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 1222 nobody 193u inet 2888 UDP 10.10.12.1:53<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 1222 nobody 194u sock 0,7 2890 can't identify protocol<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 1222 nobody 195u sock 0,7 2893 can't identify protocol<o:p></o:p></p>
<p class="MsoNormal">[root@U115 ~]# dnsmasq -v<o:p></o:p></p>
<p class="MsoNormal">Dnsmasq version 2.81 Copyright (c) 2000-2020 Simon Kelley<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">version 2.80<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 4893 nobody 10r 0000 0,9 0 6 anon_inode<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 4893 nobody 11r FIFO 0,8 6848 pipe<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 4893 nobody 12w FIFO 0,8 6848 pipe<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 4893 nobody 13u unix 0xf7791905 6850 socket<o:p></o:p></p>
<p class="MsoNormal">[root@U115 ~]# dnsmasq -v<o:p></o:p></p>
<p class="MsoNormal">Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">version 2.79<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 466 nobody 7u inet 1760 TCP 127.0.0.1:53 (LISTEN)<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 466 nobody 8u inet 1761 UDP 127.0.0.1:53<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 466 nobody 9u inet 1762 TCP 127.0.0.1:53 (LISTEN)<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 466 nobody 10r 0000 0,9 0 6 anon_inode<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 466 nobody 11r FIFO 0,8 1763 pipe<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 466 nobody 12w FIFO 0,8 1763 pipe<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 466 nobody 13u unix 0xea856025 1765 socket<o:p></o:p></p>
<p class="MsoNormal">[root@U115 ~]# dnsmasq -v<o:p></o:p></p>
<p class="MsoNormal">Dnsmasq version 2.79 Copyright (c) 2000-2018 Simon Kelley<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">version 2.78<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 430 nobody 10r 0000 0,9 0 6 anon_inode<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 430 nobody 11r FIFO 0,8 460 pipe<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 430 nobody 12w FIFO 0,8 460 pipe<o:p></o:p></p>
<p class="MsoNormal">dnsmasq 430 nobody 13u unix 0xcc699e5c 462 socket<o:p></o:p></p>
<p class="MsoNormal">[root@U115 ~]# dnsmasq -v<o:p></o:p></p>
<p class="MsoNormal">Dnsmasq version 2.78 Copyright (c) 2000-2017 Simon Kelley<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">.<o:p></o:p></p>
</div>
</body>
</html>