I'm not sure if this is normal, couldn't really find anything on it.
I have dnscrypt-proxy configured to run on port 40 as a user dnscrypt, and dnsmasq is configured to run a local dns cache.
I see dnsmasq properly binding to port 53 and everything works well, but I've noticed that init binds to port 40 instead of dnscrypt. Is this normal?
Here is some config information:
# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:40 0.0.0.0:* LISTEN 1/init
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 2981/dnsmasq
tcp 0 0 127.0.0.1:39416 0.0.0.0:* LISTEN 3583/stunnel
tcp 0 0 127.0.0.1:3100 0.0.0.0:* LISTEN 3585/openvpn
udp 0 0 127.0.0.1:40 0.0.0.0:* 1/init
udp 0 0 0.0.0.0:53 0.0.0.0:* 2981/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 2974/dhcpcd
udp 0 0 0.0.0.0:51004 0.0.0.0:* 2975/dnscrypt-proxy
dnscrypt-proxy.service
[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
Requires=dnscrypt-proxy.socket
After=network.target
Before=nss-lookup.target
[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target
[Service]
Type=simple
NonBlocking=true
# Fill in the resolver name with one from dnscrypt-resolvers.csv file
# It is also recommended to create a dedicated system user, for example _dnscrypt
# Additional features, such as ephemeral keys and plugins, can be enabled here as well
ExecStart=/usr/bin/dnscrypt-proxy \
--resolver-name=dnscrypt.eu-dk
--user=dnscrypt
dnscrypt-proxy.socket
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
dnsmasq.conf
no-resolv
server=127.0.0.1#40
listen-address=127.0.0.1
proxy-dnssec
resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1
/etc/passwd entry for dnscrypt
dnscrypt:x:991:991::/var/dnscrypt:/sbin/nologin
# ps aux | grep dnscrypt-proxy
root 2975 0.0 0.0 32676 3088 ? SLs 18:31 0:00 /usr/bin/dnscrypt-proxy --resolver-name=dnscrypt.eu-dk
Should init be binding to port 40 like it is or is something wrong? I thought I would've seen dnscrypt bind to port 40 instead of init.
Also still trying to get dnscrypt-proxy to drop the root privilege per:
https://bugs.archlinux.org/task/49881
and
https://wiki.archlinux.org/index.php/Dn … privileges
Do I need to use a port other than 40, something that is in the unprivileged range?
I believe it's working correctly, since you're using systemd.socket to set up the socket and then pass it to dnscrypt to use. So, the owner of port 40 is PID 1, not dnscrypt.
Relevant read: http://0pointer.de/blog/projects/socket … iners.html
Last edited by lolilolicon (2016-10-19 05:31:59)
This silver ladybug at line 28...
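The hand-off described in the reply above, as an added example that is not part of the original thread: a parent process standing in for PID 1 binds the socket and passes it to a child as fd 3 using the `LISTEN_PID`/`LISTEN_FDS` convention documented in sd_listen_fds(3). The ephemeral loopback port (used in place of 40 so the demo runs unprivileged) and the names `listen_fds`, `service` and `manager_demo` are assumptions made for the demonstration.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # first inherited descriptor, per sd_listen_fds(3)

def listen_fds(environ, pid):
    """Service side: descriptors handed over by the manager, [] if none."""
    try:
        if int(environ["LISTEN_PID"]) != pid:   # meant for another process
            return []
        count = int(environ["LISTEN_FDS"])
    except (KeyError, ValueError):
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))

def service():
    """Stand-in for dnscrypt-proxy: never calls bind(), only uses fd 3."""
    fds = listen_fds(os.environ, os.getpid())
    sock = socket.socket(fileno=fds[0])
    query, peer = sock.recvfrom(512)
    sock.sendto(b"answered by pid %d: " % os.getpid() + query, peer)

def manager_demo():
    """Stand-in for PID 1: bind, keep the socket, pass it to a child."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # constructed: ephemeral port stands in for 40
    addr = listener.getsockname()
    child = os.fork()
    if child == 0:
        try:
            os.dup2(listener.fileno(), SD_LISTEN_FDS_START)
            os.environ["LISTEN_PID"] = str(os.getpid())
            os.environ["LISTEN_FDS"] = "1"
            service()
        finally:
            os._exit(0)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    client.sendto(b"example.org A?", addr)  # constructed sample query text
    reply, _ = client.recvfrom(512)
    os.waitpid(child, 0)
    client.close()
    listener.close()
    return os.getpid(), child, reply
```

The service only inherits the descriptor and never calls bind(), so the process that bound it remains a holder of the listening socket, which is why tools can attribute the port to it.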