I think I might quibble that this is a bug: there are no promises about
the effective userid when a port is opened.
The reason it's like this is that if dnsmasq changed to unprivileged
user dnsmasq before creating the UDP port, then that action would fail
if the port number was less than 1024, since only root can bind
so-called privileged ports <1024.
For TCP connections, query-port has no effect, which is documented, AFAIR.
Note that by using query-port you lose source-port randomisation, which
is a much bigger loss of security than you can hope to gain with
firewall games.
Simon.
On 28/03/2022 03:16, dnsm...@riseup.net wrote:
WITHOUT 'query-port=13371' in dnsmasq conf file:
- dnsmasq makes a UDP connection as user dnsmasq
- dnsmasq makes a TCP connection as user dnsmasq
WITH 'query-port=13371' in dnsmasq conf file:
- dnsmasq makes a UDP connection (from port 13371) "without user dnsmasq"
[BUG]
- dnsmasq makes a TCP connection as user dnsmasq
Expected Result:
- Requests made with "query-port" should be done as user dnsmasq
Actual Result:
- Requests made with "query-port" do not have the proper user and are blocked by
the firewall.
dnsmasq(-base): stable 2.85-1
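As an added example (not dnsmasq's own code, and not from either poster), a small Linux-only Python check of the behaviour both messages describe: the owner uid the kernel records for a UDP socket, which is what firewall owner matches such as the iptables owner match and nftables `meta skuid` compare against, is fixed when the socket is created, and a socket bound without a fixed port gets its own kernel-chosen source port. It assumes `/proc/net/udp` is readable and binds to 127.0.0.1 only.

```python
"""Inspect the uid the kernel attributes to a bound UDP socket (Linux only).

The uid column of /proc/net/udp is the per-socket owner that firewall owner
matches compare against.  It is set when socket() is called, so a socket a
daemon creates before setuid() stays attributed to root afterwards, which is
why a rule written for user dnsmasq does not match a fixed query-port socket.
"""
import os
import socket

PROC_UDP = "/proc/net/udp"   # IPv4 UDP socket table


def socket_owner_uid(local_port):
    """Return the owner uid of the IPv4 UDP socket bound to local_port,
    or None if the table is unreadable or no such socket exists."""
    try:
        with open(PROC_UDP) as f:
            rows = f.read().splitlines()[1:]   # first row is the header
    except OSError:
        return None
    for row in rows:
        fields = row.split()
        # fields: sl local_address rem_address st tx:rx tr:when retrnsmt uid ...
        _addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) == local_port:
            return int(fields[7])
    return None


def bind_udp(port):
    """Bind an IPv4 UDP socket to 127.0.0.1:port; port 0 lets the kernel pick
    an ephemeral port, the no-query-port case in the report above."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", port))
    return s


def owner_matches_current_user(port=0):
    """Bind a socket and report whether the kernel attributes it to our uid.
    Returns True/False, or None where /proc/net/udp is unavailable."""
    s = bind_udp(port)
    try:
        uid = socket_owner_uid(s.getsockname()[1])
    finally:
        s.close()
    return None if uid is None else uid == os.getuid()


def source_port_spread(n=20):
    """Open n sockets with no fixed port and count the distinct source ports
    the kernel hands out; with query-port set every query would use one port."""
    socks = [bind_udp(0) for _ in range(n)]
    try:
        return len({s.getsockname()[1] for s in socks})
    finally:
        for s in socks:
            s.close()
```

Run as a privileged service that binds before dropping privileges, the same lookup would show the socket attributed to uid 0 rather than to the service account.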
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss