[Dnsmasq-discuss] No more random source port if "--enable-dbus" is used and NM plugin
Geert Stappers
stappers at stappers.nl
Fri Aug 7 19:51:07 BST 2020
On Fri, Aug 07, 2020 at 07:09:52PM +0300, Michael Aramanovich wrote:
> (continuation of
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q1/011315.html
> )
>
> Hello
> back in 2017 there was already an attempt to solve this, but it led to
> nothing, unfortunately.
>
> However, the problem is still easily reproducible on Centos 7, Centos 8,
> with dnsmasq 2.76 / 2.79 (and the most recent ones as well).
Acknowledged on the "and the most recent ones as well"
> How to reproduce:
> - configure NetworkManager and enable dnsmasq plugin: in
> /etc/NetworkManager/NetworkManager.conf, add:
>
> # This enabled the dnsmasq plugin.
> [main]
> dns=dnsmasq
>
> - restart NetworkManager. After that, the dnsmasq process will appear with
> the following options:
>
> /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts
> --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid
> --listen-address=127.0.0.1 --cache-size=400 --clear-on-reload
> --conf-file=/dev/null --proxy-dnssec
> --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
> --conf-dir=/etc/NetworkManager/dnsmasq.d
>
> Since then, every request to the upstream DNS server will be sent by
> dnsmasq with the SAME local source port. Moreover, setting or changing any
> of the options --query-port, --min-port or --max-port does not make any
> difference; these options are definitely ignored by dnsmasq if it runs with
> the "--enable-dbus" option.
>
> As a result, all the DNS requests are coming with the same UDP source port,
> which violates RFC 5452 p.4.5; at some point this "session" is
> blocked by Juniper with DNS algo enabled.
Oops
> Please advise if this is a dnsmasq bug, or there are any other
> configuration options (either in dnsmasq or NetworkManager) to avoid this
> and force dnsmasq to use a random UDP source port for upstream queries.
IIUC it is the combo of Juniper with "DNS algo", NetworkManager
and dnsmasq.
Reproducing the issue without NM will help to point the finger at dnsmasq ...
> Regards
> Michael
Greetings
Geert Stappers
--
Silence is hard to parse
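A way to check the symptom described above without involving NetworkManager or Juniper, as an added example that is not part of this thread or of dnsmasq: capture outbound DNS queries with `tcpdump -n -l udp dst port 53` on the host running the resolver, and count how many distinct UDP source ports the queries use. The script below parses tcpdump's default summary line (assumed format: `IP src.port > dst.53:`), so it works on a saved capture offline. The two sample captures, the 20-query minimum and the 0.5 distinct-port ratio are constructed thresholds chosen for this example, not values from the thread; a resolver that picks a fresh port per query (the RFC 5452 section 4.5 behaviour) lands near a ratio of 1.0, a resolver stuck on one port near 1/N.

```python
"""Check whether outbound DNS queries reuse one UDP source port.

Added example: feed it the lines that `tcpdump -n -l udp dst port 53`
prints and it reports how many distinct source ports the resolver used.
"""
import random
import re
from collections import Counter

# tcpdump's default summary line for a UDP DNS query, e.g.
# "19:51:07.123456 IP 127.0.0.1.41523 > 192.0.2.53.53: 12345+ A? example.com. (29)"
# Assumed format: tcpdump joins address and port with a dot, so the regex
# backtracks to split the last dotted field off as the port.
QUERY_RE = re.compile(
    r"\bIP6? (?P<src>[0-9A-Fa-f.:]+)\.(?P<sport>\d+) > (?P<dst>[0-9A-Fa-f.:]+)\.53: "
)


def source_ports(lines):
    """Return the UDP source port of every query to port 53 found in lines.

    Responses (source port 53) and non-DNS lines do not match and are skipped.
    """
    ports = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            ports.append(int(m.group("sport")))
    return ports


def assess_port_randomisation(lines, min_queries=20, min_distinct_ratio=0.5):
    """Summarise source-port reuse over a capture.

    Returns the query count, the number of distinct ports, the most reused
    port and its share of queries, plus a verdict: None when the sample is
    too small to judge, False when ports are clearly reused, True otherwise.
    """
    ports = source_ports(lines)
    n = len(ports)
    counts = Counter(ports)
    distinct = len(counts)
    top_port, top_count = counts.most_common(1)[0] if counts else (None, 0)
    if n < min_queries:
        verdict = None
    else:
        verdict = distinct / n >= min_distinct_ratio
    return {
        "queries": n,
        "distinct_ports": distinct,
        "top_port": top_port,
        "top_port_share": (top_count / n) if n else 0.0,
        "randomised": verdict,
    }


def _fake_capture(ports):
    """Constructed tcpdump-style lines, one A query per entry in ports."""
    return [
        f"19:51:{i % 60:02d}.000000 IP 127.0.0.1.{p} > 192.0.2.53.53: "
        f"{1000 + i}+ A? host{i}.example. (30)"
        for i, p in enumerate(ports)
    ]


# Constructed samples: a resolver stuck on one port versus one picking a
# fresh ephemeral port per query (fixed seed so every run is identical).
FIXED_PORT_CAPTURE = _fake_capture([41523] * 30)
RANDOM_PORT_CAPTURE = _fake_capture(
    random.Random(2020).sample(range(1024, 65536), 30)
)

if __name__ == "__main__":
    for name, cap in (("fixed", FIXED_PORT_CAPTURE), ("random", RANDOM_PORT_CAPTURE)):
        print(name, assess_port_randomisation(cap))
```

On a live host, pipe tcpdump into the script (`tcpdump -n -l udp dst port 53 | python3 -c '...'` reading `sys.stdin`) while generating a few dozen lookups; if `distinct_ports` stays at 1, the resolver is reusing its source port regardless of what `--query-port`, `--min-port` or `--max-port` say, which is the condition Michael describes.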