The resolver library in jruby (resolv/lib/resolv.rb) has a bug where it ignores the OS ephemeral port range and instead attempts random UDP ports in the range 1024..65535 until it finds one that is unused. This causes puppet agent runs to experience intermittent DNS lookup failures on systems that are subject to strict firewalling, either locally or externally to the system. This has also been raised as a ruby issue here.
DNS lookup fails during puppet agent run when it is expected to succeed.
Steps to reproduce the behavior:
1. Configure a system such that the ephemeral port range is restricted, and firewall ports outside of this range.
2. Run puppet agent.
3. The failure rate depends on the random ports attempted; the more restrictive the range, the more likely failure is.
Tested on AlmaLinux 8.10 where the default /proc/sys/net/ipv4/ip_local_port_range is 32768 .. 60999 but this should apply to most modern distro variants / OSes.
See the ruby bug for additional details - it should be sufficient to remove the dependence on a secure random number generator altogether (which has generated CVEs in the past) and instead push the security to the OS to determine the ephemeral port and use port = 0 for UDP binds.
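To make the difference concrete, here is an added Ruby example (not code from resolv.rb, jruby or puppet) that contrasts a simplified version of the random-port selection described above with a port 0 bind, and measures how many random picks would land outside a given ephemeral range. The proc path is the one quoted in the issue; the 49152..65535 fallback for hosts without that file is an assumption.

```ruby
require 'socket'

# Read the kernel's ephemeral port range (Linux). The fallback to the IANA
# default of 49152..65535 is an assumption for hosts without the proc file.
def ephemeral_port_range(path = '/proc/sys/net/ipv4/ip_local_port_range')
  lo, hi = File.read(path).split.map(&:to_i)
  lo..hi
rescue Errno::ENOENT, Errno::EACCES
  49_152..65_535
end

# Simplified version of the behaviour the issue describes: pick a random port
# from 1024..65535 and retry on EADDRINUSE. The choice ignores the OS range,
# so a firewall that only permits the ephemeral range will drop some replies.
def bind_random_port(host = '127.0.0.1', rng = Random.new)
  loop do
    port = rng.rand(1024..65_535)
    sock = UDPSocket.new
    begin
      sock.bind(host, port)
      return sock
    rescue Errno::EADDRINUSE, Errno::EACCES
      sock.close
    end
  end
end

# The proposed fix: bind to port 0 and let the kernel choose a source port
# from its configured ephemeral range.
def bind_os_port(host = '127.0.0.1')
  sock = UDPSocket.new
  sock.bind(host, 0)
  sock
end

# Socket#addr returns ["AF_INET", port, hostname, ip]; element 1 is the port.
def bound_port(sock)
  sock.addr[1]
end

# Fraction of random picks from 1024..65535 that fall outside a given range,
# i.e. the expected share of lookups blocked by a range-restricting firewall.
def fraction_outside(range, trials: 10_000, rng: Random.new(1))
  outside = trials.times.count { !range.cover?(rng.rand(1024..65_535)) }
  outside.to_f / trials
end

if __FILE__ == $PROGRAM_NAME
  puts "OS range: #{ephemeral_port_range}"
  puts "port 0 bind chose: #{bound_port(bind_os_port)}"
  puts "random picks outside 32768..60999: #{fraction_outside(32_768..60_999)}"
end
```

With the AlmaLinux default range of 32768..60999, roughly 56% of random picks fall outside it, which matches the intermittent failures reported.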
@cthorn42 The issue was discovered on the older puppet-agent 7.33.0 from the puppetlabs yum repository packaged for el8, running on AlmaLinux 8 (puppet-agent-7.33.0-1.el8.x86_64) - the jruby is contained in the package (/opt/puppetlabs/puppet/lib/ruby/2.7.0/resolv.rb). However, the issue as identified appears to still exist unmodified in the trunk of both puppet and jruby. (edited to include mention as this reply may have got lost in noise)