[Dnsmasq-discuss] No more random source port if "--enable-dbus" is used and NM plugin

Geert Stappers stappers at stappers.nl
Sat Aug 8 09:07:02 BST 2020


On Fri, Aug 07, 2020 at 08:51:07PM +0200, Geert Stappers wrote:
> On Fri, Aug 07, 2020 at 07:09:52PM +0300, Michael Aramanovich wrote:
> > (continuation of
> > http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q1/011315.html
> > )
> > 
> > Hello
> > back in 2017 there was already an attempt to solve this, but it led to
> > nothing, unfortunately.
> > 
> > However, the problem is still easily reproducible on Centos 7, Centos 8,
> > with dnsmasq 2.76 / 2.79  (and the most recent ones as well).
> 
> Acknowledge on the "and the most recent ones as well"
> 
> 
> > How to reproduce:
> > - configure NetworkManager and enable dnsmasq plugin: in
> > /etc/NetworkManager/NetworkManager.conf, add:
> > 
> > # This enabled the dnsmasq plugin.
> > [main]
> > dns=dnsmasq
> > 
> > - restart NetworkManager. After that, the dnsmasq process will appear with
> > the following options:
> > 
> > /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts
> > --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid
> > --listen-address=127.0.0.1 --cache-size=400 --clear-on-reload
> > --conf-file=/dev/null --proxy-dnssec
> > --enable-dbus=org.freedesktop.NetworkManager.dnsmasq
> > --conf-dir=/etc/NetworkManager/dnsmasq.d
> > 
> > Since then, every request to the upstream DNS server will be sent by
> > dnsmasq with the SAME local source port.  Moreover, setting or changing any
> > of the options - --query-port, --min-port, --max-port does not make any
> > sense and these options are definitely ignored by dnsmasq if it runs with
> > the "--enable-dbus" option.
> > 
> > As a result, all the DNS requests are coming with the same UDP source
> > port, which violates RFC 5452 p.4.5; at some point this "session" is
> > blocked by Juniper with DNS ALG enabled.
> 
> Oops

Now the URLs

 https://tools.ietf.org/html/rfc5452#section-4.5

 https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dns-algs.html


> > Please advise if this is a dnsmasq bug, or there are any other
> > configuration options (either in dnsmasq or NetworkManager) to avoid this
> > and force dnsmasq to use a random UDP source port for upstream queries.
> 
> IIUC it is the combo of Juniper with "DNS ALG", NetworkManager
> and dnsmasq.
> 
> Reproducing the issue without NM will help to fingerpoint to dnsmasq ...
> 
>  
> > Regards
> > Michael

Groeten
Geert Stappers
-- 
Silence is hard to parse
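An added example, not part of this thread or of dnsmasq: a small Python check that parses tcpdump-style lines (assumed to come from something like `tcpdump -n udp and dst port 53`) and flags a resolver whose upstream queries all leave from one source port, the symptom Michael reports. Both samples below are constructed, with 192.0.2.1 as the assumed upstream.

```python
import re
from collections import Counter

# Constructed sample of tcpdump-style lines, not a real capture: every
# upstream query leaves from the same source port, the behaviour reported
# in the thread.
FIXED_PORT_SAMPLE = [
    "10:00:01.000 IP 192.0.2.10.45021 > 192.0.2.1.53: 4101+ A? example.org. (29)",
    "10:00:01.200 IP 192.0.2.10.45021 > 192.0.2.1.53: 4102+ AAAA? example.org. (29)",
    "10:00:02.100 IP 192.0.2.10.45021 > 192.0.2.1.53: 4103+ A? example.net. (29)",
    "10:00:02.300 IP 192.0.2.10.45021 > 192.0.2.1.53: 4104+ A? example.com. (29)",
    "10:00:03.000 IP 192.0.2.10.45021 > 192.0.2.1.53: 4105+ MX? example.com. (29)",
]
# Constructed healthy sample: a fresh source port per query (RFC 5452 s4.5).
RANDOM_PORT_SAMPLE = [
    "10:00:01.000 IP 192.0.2.10.51934 > 192.0.2.1.53: 4101+ A? example.org. (29)",
    "10:00:01.200 IP 192.0.2.10.38871 > 192.0.2.1.53: 4102+ AAAA? example.org. (29)",
    "10:00:02.100 IP 192.0.2.10.60217 > 192.0.2.1.53: 4103+ A? example.net. (29)",
    "10:00:02.300 IP 192.0.2.10.42009 > 192.0.2.1.53: 4104+ A? example.com. (29)",
    "10:00:03.000 IP 192.0.2.10.55630 > 192.0.2.1.53: 4105+ MX? example.com. (29)",
]

# "IP <src>.<sport> > <dst>.53: <txid>+" is the shape of a UDP query line.
_QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: \d+\+"
)


def upstream_source_ports(lines, upstream):
    """Count the UDP source ports used for queries sent to `upstream`."""
    ports = Counter()
    for line in lines:
        m = _QUERY_RE.search(line)
        if m and m.group("dst") == upstream:
            ports[int(m.group("sport"))] += 1
    return ports


def looks_fixed(ports, min_queries=5):
    """True when at least `min_queries` queries were seen and all used one port."""
    return sum(ports.values()) >= min_queries and len(ports) == 1


if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_PORT_SAMPLE), ("random", RANDOM_PORT_SAMPLE)):
        ports = upstream_source_ports(sample, "192.0.2.1")
        print(name, dict(ports), "FIXED PORT" if looks_fixed(ports) else "ok")
```

Run it against a real capture of the host's upstream traffic to confirm whether the resolver honours source-port randomisation before pointing at dnsmasq, NetworkManager or the firewall.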
