[Dnsmasq-discuss] TCP queries are refused if upstream server is specified with interface
simon at thekelleys.org.uk
Sat Sep 14 20:36:09 BST 2019
On 13/09/2019 13:37, Tore Anderson wrote:
> * Tore Anderson
>> Start out with the following /etc/dnsmasq.conf, replacing «wlp2s0» as appropriate:
>> server=22.214.171.124 at wlp2s0
>> Start Dnsmasq and send it a TCP query:
>> $ src/dnsmasq -d -p 5333
> 305ffb5ef0ba5ab1df32ef80f266a4c9e395ca13 is the first bad commit
> commit 305ffb5ef0ba5ab1df32ef80f266a4c9e395ca13
> Author: Simon Kelley <simon at thekelleys.org.uk>
> Date: Sat Mar 16 18:17:17 2019 +0000
> Improve kernel-capability manipulation code under Linux.
> Dnsmasq now fails early if a required capability is not available,
> and tries not to request capabilities not required by its
> :100644 100644 b942ec269cc6c1b7614a9d57cb0b9468507f031c f2d38a0f9bb73b4f480cd323f49cd574fc3e2744 M CHANGELOG
> :040000 040000 a4dd29e7fbdac449dd9b502e012beb2c25a47387 7b0eb0f197c0cb857981c607be8b08d62cee9ff3 M src
> After some more debugging I realised that this is a heisenbug.
> Starting Dnsmasq with the «-d» option does not accurately reproduce the problem, since it will not drop privileges in debug mode.
> To me it looks as if using a server specified with an interface requires root privileges.
> Thus, to trigger the actual bug, there are two options:
> 1) Start Dnsmasq as non-root (broken on any version, at least since v2.80).
> 2) Start Dnsmasq as root (this works in v2.80, but is broken since 305ffb5 presumably because Dnsmasq now drops privileges it is going to need later on).
Nicely analysed. My guess is that the code which determines (at startup)
if the process needs to keep CAP_NET_BIND_SERVICE when it drops root
fails in this case. If this is corrected, then starting dnsmasq with
this config as non-root should fail at startup.
Back in a mo.....
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
More information about the Dnsmasq-discuss