[Dnsmasq-discuss] dnsmasq stable bug report
Simon Kelley
simon at thekelleys.org.uk
Mon Mar 28 09:09:02 UTC 2022
I think I might quibble that this is a bug: there are no promises about
the effective userid when a port is opened.
The reason it's like this is that if dnsmasq changed to unprivileged
user dnsmasq before creating the UDP port, then that action would fail
if the port number was less than 1024, since only root can bind
so-called privileged ports <1024.
For TCP connections, query-port has no effect, which is documented, AFAIR.
Note that by using query-port you lose source-port randomisation, which
is a much bigger loss of security than you can hope to gain with
firewall games.
Simon.
On 28/03/2022 03:16, dnsmasq at riseup.net wrote:
> WITHOUT 'query-port=13371' in dnsmasq conf file:
> - dnsmasq makes a UDP connection with user dnsmasq
> - dnsmasq makes a TCP connection with user dnsmasq
>
> WITH 'query-port=13371' in dnsmasq conf file:
> - dnsmasq makes a UDP connection (from port 13371) "without user dnsmasq"
> [BUG]
> - dnsmasq makes a TCP connection with user dnsmasq
>
> Expected Result:
> - Requests made with "query-port" should be done with user dnsmasq
>
> Actual Result:
> - Requests made with "query-port" do not have the proper user and are
> blocked by the firewall.
>
>
> dnsmasq(-base): stable 2.85-1
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
>
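The behaviour Simon describes (the UDP query socket is created while dnsmasq is still root, before it switches to the unprivileged user, and a fixed query-port discards source-port randomisation) can be reproduced outside dnsmasq. The script below is an added illustration, not dnsmasq code. It assumes a Linux host, where the uid column of /proc/net/udp records the uid of the process that created the socket and is what a netfilter owner match (`-m owner --uid-owner`) checks; the /proc/net/udp sample, the port 13371 and the user name `dnsmasq` are constructed for the example.

```python
"""Added demonstration: a UDP socket bound before setuid() keeps the creator's
uid, and a fixed query port throws away source-port randomisation."""
import os
import pwd
import socket

# Constructed /proc/net/udp excerpt (not captured from a real host): a socket
# bound to port 13371 (0x343B) created by uid 0, and one on an ephemeral port
# (0xC2A1 = 49825) created by uid 108.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  123: 00000000:343B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 45678 2 0000000000000000 0
  456: 0100007F:C2A1 00000000:0000 07 00000000:00000000 00:00000000 00000000   108        0 45679 2 0000000000000000 0
"""


def parse_proc_net_udp(text):
    """Return {local_port: uid} from /proc/net/udp text.

    The uid column is the uid that created the socket; a later setuid() in the
    owning process does not change it, which is why a firewall rule keyed on
    the socket owner still sees root for a socket bound before the drop."""
    result = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        port = int(fields[1].split(":")[1], 16)  # local_address is hex ip:port
        result[port] = int(fields[7])            # uid column
    return result


def open_query_socket(port, drop_to=None):
    """Bind the outbound query socket, then optionally drop privileges.

    Binding comes first because ports < 1024 can only be bound by root; the
    socket remains usable after setuid(), but its owner uid is fixed at
    creation. The privilege drop only happens when running as root."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", port))
    if drop_to is not None and os.geteuid() == 0:
        try:
            pw = pwd.getpwnam(drop_to)
        except KeyError:
            print(f"no user {drop_to!r} on this host, staying root")
        else:
            os.setgid(pw.pw_gid)
            os.setuid(pw.pw_uid)
    return s


def live_socket_uid(port):
    """Creator uid of a bound UDP socket on this host, read from /proc (Linux)."""
    with open("/proc/net/udp") as f:
        return parse_proc_net_udp(f.read()).get(port)


def source_ports(n):
    """Bind n sockets to port 0 and return the kernel-chosen source ports.

    This per-socket randomisation is what a fixed query-port gives up; with
    query-port set, every upstream query would leave from the same port."""
    socks = [open_query_socket(0) for _ in range(n)]
    ports = [s.getsockname()[1] for s in socks]
    for s in socks:
        s.close()
    return ports


if __name__ == "__main__":
    # Run as root to see the drop: euid becomes dnsmasq's, the socket stays uid 0.
    s = open_query_socket(13371, drop_to="dnsmasq")
    print("euid now:", os.geteuid(), " socket owner uid:", live_socket_uid(13371))
    print("kernel-chosen source ports:", source_ports(3))
    s.close()
```

Run it as root on a host with a `dnsmasq` user and the first line shows the process euid changed while the socket's owner uid in /proc/net/udp is still 0; run it unprivileged and only the randomised source ports are shown. A firewall that matches outbound traffic on the socket owner therefore needs a rule for root (or for the socket, not the user) when query-port is set, which is exactly the "blocked by firewall" symptom in the report.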