Description
The resolver library in jruby (resolv/lib/resolv.rb) has a bug where it ignores the OS ephemeral port range and instead attempts random UDP ports in the range 1024..65535 until it finds one that is unused. This causes puppet agent runs to experience intermittent DNS lookup failures on systems that are subject to strict firewalling, either locally or external to the system. This has also been raised as a ruby issue here.
DNS lookup fails during puppet agent run when it is expected to succeed.
Steps to reproduce the behavior:
- configure a system such that the ephemeral port range is restricted, and firewall ports outside of this range.
- run puppet agent
- failure rate depends on the random ports attempted: the more restrictive the range, the more likely a failure is.
Tested on AlmaLinux 8.10, where the default /proc/sys/net/ipv4/ip_local_port_range is 32768 .. 60999, but this should apply to most modern distro variants / OSes.
See the ruby bug for additional details - it should be sufficient to remove the dependence on a secure random number generator altogether (which has generated CVEs in the past) and instead push the security to the OS to determine the ephemeral port and use port = 0 for UDP binds.
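The two binding strategies described above, as an added example that is not code from puppet, jruby or resolv.rb: the random 1024..65535 draw the report describes beside the port-0 bind it recommends, plus a check of how much of the resolver's random range falls outside the kernel's ip_local_port_range (on the AlmaLinux default of 32768..60999 that is about 56% of attempts). The helper names and the loopback bind address are my own; the fallback range 49152..65535 for hosts without the Linux procfs entry is an assumption.

```ruby
require 'socket'

EPHEMERAL_FILE = '/proc/sys/net/ipv4/ip_local_port_range'
RESOLVER_RANGE = 1024..65535 # range the report says the resolver draws from

# Ephemeral port range the kernel will hand out for port-0 binds.
# On hosts without the Linux procfs entry, fall back to the IANA
# dynamic range (assumption, not something the report states).
def ephemeral_port_range(path = EPHEMERAL_FILE)
  return 49152..65535 unless File.readable?(path)
  lo, hi = File.read(path).split.map(&:to_i)
  lo..hi
end

# Fraction of the resolver's 1024..65535 candidates that lie outside the
# kernel's range; with strict firewalling this is roughly the per-attempt
# chance that the chosen port is blocked.
def out_of_range_fraction(range = ephemeral_port_range)
  inside = [range.last, RESOLVER_RANGE.last].min - [range.first, RESOLVER_RANGE.first].max + 1
  inside = 0 if inside < 0
  1.0 - inside.to_f / RESOLVER_RANGE.size
end

# One draw the way the report describes the buggy behaviour: a random
# port anywhere in 1024..65535, regardless of what the OS would hand out.
def random_port_pick(rng = Random.new)
  rng.rand(RESOLVER_RANGE)
end

# Monte-Carlo version of out_of_range_fraction, to show that random picks
# really do land outside the kernel range at that rate.
def sampled_out_of_range_fraction(samples, range = ephemeral_port_range, rng = Random.new(1))
  outside = samples.times.count { !range.cover?(random_port_pick(rng)) }
  outside.to_f / samples
end

# Buggy strategy: keep drawing random ports until a bind succeeds.
# Returns [socket, port]; the caller closes the socket.
def random_port_bind(rng = Random.new, host = '127.0.0.1')
  loop do
    port = random_port_pick(rng)
    sock = UDPSocket.new
    begin
      sock.bind(host, port)
      return [sock, port]
    rescue Errno::EADDRINUSE, Errno::EACCES
      sock.close
    end
  end
end

# Recommended strategy: bind port 0 and let the kernel pick from its own
# ephemeral range, so firewall rules written for that range still apply.
def os_port_bind(host = '127.0.0.1')
  sock = UDPSocket.new
  sock.bind(host, 0)
  [sock, sock.addr[1]]
end

if __FILE__ == $PROGRAM_NAME
  range = ephemeral_port_range
  puts "kernel ephemeral range: #{range}"
  puts format('random-port picks outside it: %.1f%%', 100 * out_of_range_fraction(range))
  sock, port = os_port_bind
  puts "port-0 bind received #{port} (inside range: #{range.cover?(port)})"
  sock.close
  sock, port = random_port_bind
  puts "random-port bind received #{port} (inside range: #{range.cover?(port)})"
  sock.close
end
```

Running it on a host with the 32768..60999 default prints a port-0 bind that is always inside the range and a random-port bind that is outside it more often than not, which is the intermittent failure the report describes once a firewall drops traffic on ports outside the ephemeral range.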