[Dnsmasq-discuss] [PATCH] Issues with TCP queries on recreated interfaces.

Petr Mensik pemensik at redhat.com
Tue Jul 9 13:31:16 BST 2019


Hello Simon and others,

we have discovered issues with TCP DNS queries on dnsmasq when running in
bind-dynamic or bind-interfaces mode. dnsmasq automatically scans new
interfaces, or does that on a new query in the second case. However,
because the speedup used compares only IP addresses in the iface_allowed
function, it never gets the updated index of an interface.

In the case where a named interface is destroyed and created again, that
drops TCP queries on that interface. They are checked for the incoming
interface number. If such a number is not found in the interfaces list,
the query is denied.

Luckily, there was a bug in the checking, hiding this problem from the
usual configuration. If an IPv6 address is enabled on the new device, a
new iface entry would be created, because the scope_id of sockaddr_in6
does not match the previous one. That makes even IPv4 queries succeed.

The bug on bugzilla [1] is partly private.

I propose three changes. The first is just a helper to log what happens
with listeners in a bind-dynamic configuration.

The second is the most important. Create a new interface every time the
index changes. Also test the address family of the incoming TCP query
when checking allowed clients.

The third is cleanup of unused interfaces. On some virtual machine hosts,
interfaces may often be created and destroyed. It might have a negative
effect on walking through the interfaces list. I think listeners should
be garbage collected also in a bind-interfaces configuration. But for
now, release memory for unused interfaces at least for bind-dynamic.

1. https://bugzilla.redhat.com/show_bug.cgi?id=1721668
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Cleanup-interfaces-no-longer-available.patch
Type: text/x-patch
Size: 2015 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20190709/b20db488/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Compare-address-and-interface-index-for-allowed-inte.patch
Type: text/x-patch
Size: 1720 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20190709/b20db488/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Log-listening-on-new-interfaces.patch
Type: text/x-patch
Size: 1703 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20190709/b20db488/attachment-0002.bin>
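
The failure mode described in the message, as an added C sketch that is not dnsmasq code and not taken from the attached patches: a hypothetical interface table is matched first by address only, then by address and index, and a TCP query is checked against the stored indexes. All names (`iface_table`, `iface_seen`, `tcp_query_allowed`) are illustrative, and the address 192.0.2.1 and indexes 5 and 9 are constructed sample values.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical model of a cached interface list; not dnsmasq's structures. */
struct iface_entry { uint32_t addr; int index; };
#define MAX_IFACES 8
struct iface_table { struct iface_entry e[MAX_IFACES]; int n; };

typedef int (*match_fn)(const struct iface_entry *, uint32_t, int);

/* Address-only comparison: a recreated interface that keeps its address
   looks "already known", so the stored index is never refreshed. */
static int match_addr_only(const struct iface_entry *e, uint32_t addr, int index)
{ (void)index; return e->addr == addr; }

/* Address and index comparison: an index change yields a new entry. */
static int match_addr_and_index(const struct iface_entry *e, uint32_t addr, int index)
{ return e->addr == addr && e->index == index; }

/* Called for every (address, index) pair reported by an interface scan. */
static void iface_seen(struct iface_table *t, uint32_t addr, int index, match_fn match)
{
  for (int i = 0; i < t->n; i++)
    if (match(&t->e[i], addr, index))
      return;                               /* treated as unchanged */
  if (t->n < MAX_IFACES)
    t->e[t->n++] = (struct iface_entry){ addr, index };
}

/* TCP check: the incoming interface index must be present in the list. */
static int tcp_query_allowed(const struct iface_table *t, int incoming_index)
{
  for (int i = 0; i < t->n; i++)
    if (t->e[i].index == incoming_index)
      return 1;
  return 0;
}

/* Interface appears with index 5, is destroyed, and comes back with the
   same address but index 9; returns 1 if a TCP query on it is accepted. */
static int recreate_scenario(match_fn match)
{
  struct iface_table t = { .n = 0 };
  uint32_t addr = 0xC0000201u;              /* 192.0.2.1, constructed */
  iface_seen(&t, addr, 5, match);           /* first scan */
  iface_seen(&t, addr, 9, match);           /* scan after recreation */
  return tcp_query_allowed(&t, 9);
}

int main(void)
{
  printf("addr only: %d, addr+index: %d\n",
         recreate_scenario(match_addr_only), recreate_scenario(match_addr_and_index));
  return 0;
}
```

With the index-aware match, the entry for index 5 stays in the table after the interface is gone, which is the kind of leftover the third proposed change is about.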

