-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Publishing udp range larger than 16383 ending with 65535 breaks dns resolution on user defined networks with root networking. #473
Comments
Because you exhaust the ephemeral port range on the host with the ports. As such the aardvark-dns can no longer make dns requests on its own. At least that is the error condition. It is not clear from the strace but it looks like aardvark-dns requests a random port on bind not 0 where the kernel should assign a random free one Thus it is likely a bug in aardvark-dns as it should just bind port 0 because if we look in the kernel there is still plenty of space. $ cat /proc/sys/net/ipv4/ip_local_port_range |
I'm sorry, I don't completely follow. Why would freeing up port 65535 fix it if this was the case, since it's well outside of the ip_local_port_range and the chance of it being picked randomly seems extremely low? |
I agree that is seems odd to we hit 65535 randomly but I looked at the code and this is what our lib is doing, it also does not respect ip_local_port_range at all. No idea why they did this instead of just binding to 0 and let the kernel pick the port. |
Note that I linked the new range there that is not in a new release yet so we do not make use of it, And if I look at the strace output we have thousands of bind retires so It makes sense that it hit the one free one eventually. |
I created hickory-dns/hickory-dns#2260 over there |
Issue Description
When publishing a udp range larger than 16383 ports ending with 65535, dns resolution on user defined networks stops working. I could only reproduce it with larger ranges ending with 65535.
(the intended use-case was coturn)
Steps to reproduce the issue
Steps to reproduce the issue
Describe the results you received
DNS requests inside container time out.
Describe the results you expected
DNS requests inside container get a response.
podman info output
Podman in a container
No
Privileged Or Rootless
Privileged
Upstream Latest Release
No
Additional environment details
QEMU/KVM (netcup.eu)
Additional information
No response
The text was updated successfully, but these errors were encountered: