[Dnsmasq-discuss] dnsmasq stable bug report

Simon Kelley simon at thekelleys.org.uk
Mon Mar 28 09:09:02 UTC 2022


I think I might quibble that this is a bug: there are no promises about 
the effective userid when a port is opened.

The reason it's like this is that if dnsmasq changed to unprivileged 
user dnsmasq before creating the UDP port, then that action would fail 
if the port number was less than 1024, since only root can bind 
so-called privileged ports <1024.

For TCP connections, query-port has no effect, which is documented, AFAIR.

Note that by using query-port you lose source-port randomisation, which 
is a much bigger loss of security than you can hope to gain with 
firewall games.

Simon.




On 28/03/2022 03:16, dnsmasq at riseup.net wrote:
> WITHOUT 'query-port=13371' in dnsmasq conf file:
> - dnsmasq makes a UDP connection as user dnsmasq
> - dnsmasq makes a TCP connection as user dnsmasq
> 
> WITH 'query-port=13371' in dnsmasq conf file:
> - dnsmasq makes a UDP connection (from port 13371) "without user dnsmasq"
> [BUG]
> - dnsmasq makes a TCP connection as user dnsmasq
> 
> Expected Result:
> - Requests made with "query-port" should be made as user dnsmasq
> 
> Actual Result:
> - Requests made with "query-port" do not have the proper user and are
> blocked by the firewall.
> 
> 
> dnsmasq(-base): stable 2.85-1
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
> 
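The following Python is an added illustration of the order of operations Simon describes, not dnsmasq's own code and not from either message above: a daemon binds its UDP query socket while it is still root (so that a query-port below 1024 can be bound), then switches to an unprivileged user, then makes TCP connections. The uid that created each socket is what an iptables `-m owner --uid-owner` or nftables `meta skuid` rule keys on, which is why the reporter's firewall treats the fixed-port UDP traffic and the TCP traffic differently. The second half shows what a fixed query-port costs: `bind(0)` gets a fresh kernel-chosen source port per socket, a fixed port does not, and the off-path attacker's guessing space shrinks from TXID times source-port to TXID alone. The target user `nobody`, the Linux default `ip_local_port_range` of 32768-60999, and the loopback addresses are assumptions of this example.

```python
"""Model of bind-before-privilege-drop and of fixed vs. kernel-chosen source
ports. Added example; not dnsmasq code. Runs unprivileged (the uid change is
then skipped) or as root (it really switches to `nobody`, an assumed user)."""
import os
import pwd
import socket


def drop_privileges(username):
    """Switch to `username` the way a daemon does after binding privileged
    ports. Returns True only if the euid actually changed. Without root (or
    without the user) it is a no-op so the demo still runs."""
    if os.geteuid() != 0:
        return False
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        return False
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    return True


def start_resolver(query_port=0, unprivileged_user="nobody"):
    """Bind the UDP query socket, drop privileges, then create a TCP socket.
    Returns the euid that created each socket: the uid a firewall owner
    match sees for packets sent through it."""
    uid_before = os.geteuid()
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", query_port))   # still root if we started as root
    udp_uid = os.geteuid()
    dropped = drop_privileges(unprivileged_user)
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))            # created after the uid change
    tcp_uid = os.geteuid()
    result = {
        "uid_before": uid_before,
        "uid_after": os.geteuid(),
        "dropped": dropped,
        "udp_uid": udp_uid,
        "udp_port": udp.getsockname()[1],
        "tcp_uid": tcp_uid,
    }
    udp.close()
    tcp.close()
    return result


def pick_free_port():
    """Ask the kernel for a currently free UDP port on loopback."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def source_ports(query_port, n):
    """Open n UDP sockets one after another bound to query_port (0 = let the
    kernel choose) and return the set of source ports they got. With 0 the
    set varies (Linux picks a random ephemeral port); with a fixed port it
    is always the single configured port."""
    ports = set()
    for _ in range(n):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", query_port))
        ports.add(s.getsockname()[1])
        s.close()
    return ports


def spoof_search_space(fixed_query_port, port_range=(32768, 60999)):
    """Number of (TXID, source port) pairs an off-path attacker must guess
    to forge a reply. 2^16 TXIDs; times the ephemeral range unless the
    source port is fixed. port_range assumes Linux's default
    net.ipv4.ip_local_port_range."""
    txids = 1 << 16
    ports = 1 if fixed_query_port else (port_range[1] - port_range[0] + 1)
    return txids * ports


if __name__ == "__main__":
    info = start_resolver(query_port=0)
    print("udp socket created by uid", info["udp_uid"],
          "/ tcp socket created by uid", info["tcp_uid"],
          "/ privileges dropped:", info["dropped"])
    print("kernel-chosen ports:", sorted(source_ports(0, 5)))
    fixed = pick_free_port()
    print("fixed query-port:", sorted(source_ports(fixed, 5)))
    print("guesses to forge a reply: fixed port", spoof_search_space(fixed),
          "vs random port", spoof_search_space(0))
```

Run as root to see the uid difference for real; `ss -ulpe` on the live process shows it too, since sockets owned by root print no `uid:` field while those created after the switch print the unprivileged uid. Either way the point is the same as Simon's: socket ownership follows the euid at creation time, and the UDP query socket for a fixed query-port is necessarily created before the uid change.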


