[Dnsmasq-discuss] Issues with DNSMASQ Retries using same port
Simon Kelley
simon at thekelleys.org.uk
Sat Feb 26 16:51:53 UTC 2022
On 25/02/2022 23:27, Singh, Prashant wrote:
> Hi Simon,
>
> Thanks for the reply. I am curious about what could be the potential consequences of this change in behavior. Would you please help me understand, wondering if that would put us in a different problem?
>
> Also, would introducing a new flag just for this feature be helpful in this case?
Prashant,
As Amazon are using this commercially, would you be willing to engage me
as a consultant to work on this?
There are two possible problems. One is exhaustion of ports or file
descriptors. There are some quite complicated code paths to handle
exhaustion of the limits for these. They would still work if queries
used more ports, but the behavior under load and resistance to DoS might
change. It needs thinking about.
The second is resistance to the Kaminsky attack: You are proposing a new
random port for each retry, which halves the attacker's work in guessing
the port/id combination for each retry, since there are twice as many
possible ports. Multiple retries are therefore a route to cache poisoning
attacks as well as DoS. There has been a lot of work on the code base
going in exactly the opposite direction to what you propose, combining
identical queries/retries into a single upstream query from a single
random port.
Finally, adding a flag to change behaviour needs to pass the test of
being able to explain what the mysterious config flag does, and what
it's for and when someone would use it. Much better to tweak the
standard behavior to work better, if possible.
Cheers,
Simon.
>
> Thanks,
> Prashant
>
> On 2/25/22, 3:21 PM, "Dnsmasq-discuss on behalf of Simon Kelley" <dnsmasq-discuss-bounces at lists.thekelleys.org.uk on behalf of simon at thekelleys.org.uk> wrote:
>
> On 25/02/2022 21:25, Singh, Prashant via Dnsmasq-discuss wrote:
> > Hi Simon,
> >
> > We use DNSMASQ for resolving/forwarding the dns queries of the
> > applications hosted. We started seeing a few errors in dns resolutions.
> > We investigated and found that the issue was due to the corrupted
> > network path the request took. And it takes around 7 to 8 secs for
> > the network path taken to heal, hence all the retries were also failing as
> > they took the same network path.
> >
> > We were exploring ways to force dnsmasq to use a different
> > source port for retries so that retried requests can take a random network
> > path rather than the bad network path.
> >
> > I wanted to know the reasoning behind (if there is) the choice of using
> > the same source port for retries. And is it possible to have a
> > patch/flag in dnsmasq to update this logic?
>
> Dnsmasq treats file descriptors and source ports as a scarce resource
> and re-uses when it can, without affecting security.
>
> The logic is in the function allocate_rfd(), and it would be fairly
> trivial to change the behavior, but there might be unexpected
> consequences under load.
>
> Cheers,
>
> Simon.
>
> >
> > Thanks,
> >
> > Prashant
> >
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss at lists.thekelleys.org.uk
> > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
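Simon's point that retries can become a cache-poisoning route can be put in numbers. The model below is an added illustration, not code from this thread or from dnsmasq; it assumes a forged reply must match both the UDP source port and the 16-bit transaction ID of an outstanding upstream query, and compares one shared (port, id) for every outstanding copy of a query (dnsmasq's coalescing) against a fresh random port per retry. The port and ID spaces are shrunk so the Monte Carlo check runs quickly.

```python
import random

# Constructed toy parameters: the real space is 2^16 ports x 2^16 IDs.
PORTS = 1 << 8   # toy source-port space
TXIDS = 1 << 8   # toy transaction-ID space
SPACE = PORTS * TXIDS


def success_probability(forgeries: int, outstanding: int,
                        fresh_port_per_retry: bool) -> float:
    """Analytic chance that at least one of `forgeries` distinct forged
    replies matches one of `outstanding` simultaneously outstanding copies
    of the same query.

    Shared (port, id) for all copies => a single target cell.
    Fresh random port per retry     => each copy is an independent target,
    so every forgery has `outstanding` cells it can hit instead of one.
    """
    targets = outstanding if fresh_port_per_retry else 1
    return 1.0 - (1.0 - targets / SPACE) ** forgeries


def simulate(forgeries: int, outstanding: int, fresh_port_per_retry: bool,
             trials: int = 1500, seed: int = 1) -> float:
    """Monte Carlo estimate of the same quantity, for cross-checking.

    A target is encoded as port * TXIDS + txid; the attacker's forgeries are
    `forgeries` distinct cells drawn uniformly from the whole space.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        copies = outstanding if fresh_port_per_retry else 1
        targets = {rng.randrange(PORTS) * TXIDS + rng.randrange(TXIDS)
                   for _ in range(copies)}
        guesses = rng.sample(range(SPACE), forgeries)
        if not targets.isdisjoint(guesses):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for fresh in (False, True):
        label = "fresh port per retry" if fresh else "shared port/id"
        print(f"{label:22s} analytic={success_probability(1000, 2, fresh):.4f} "
              f"simulated={simulate(1000, 2, fresh):.4f}")
```

With two copies of a query in flight, the fresh-port variant roughly doubles the attacker's odds per forgery, which is the effect coalescing identical retries onto one port avoids.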