[Dnsmasq-discuss] Sad DNS vulnerability

WU, CHRIS cw1921 at att.com
Tue Dec 8 00:51:22 GMT 2020


Hello.  I read this story on ZDnet about a DNS cache poisoning vulnerability and it mentions dnsmasq as one of the affected applications.

https://www.zdnet.com/article/dns-cache-poisoning-poised-for-a-comeback-sad-dns/

Is there anything that you suggest to limit the exposure to this vulnerability?  The article suggests these two steps:

The simplest mitigation, though, is to disallow outgoing ICMP replies altogether. This comes at the potential cost of losing some network troubleshooting and diagnostic features.

Another easy fix is to set the timeout of DNS queries more aggressively. For example, you should set it so that it's less than a second. This way the source port will be short-lived and disappear before the attacker can start injecting rogue responses. The downside, however, is the possibility of introducing more retransmitted queries and overall worse performance.
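The first mitigation quoted above, as an added example that is not part of the original post and not dnsmasq project code. It assumes a Linux resolver host with iptables/ip6tables, and it reads the article's "outgoing ICMP replies" as the ICMP "port unreachable" messages that the SAD DNS port-scanning side channel counts against the kernel's global ICMP rate limit; dropping only those, rather than all outbound ICMP, keeps echo replies and path-MTU messages working. The function and option names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post or from dnsmasq): drop outbound
# ICMP "port unreachable" so a remote attacker cannot measure which UDP
# source port the resolver is using via the ICMP rate-limit side channel.
# Assumes Linux with iptables/ip6tables. Newer kernels also randomize the
# global ICMP rate limit, but the firewall rule works on any kernel.

# Emit one rule per line with no side effects, so the set can be reviewed
# (or asserted on) before anything touches the running firewall.
icmp_unreach_rules() {
    # IPv4: ICMP type 3 (destination unreachable), code 3 (port unreachable)
    echo "iptables -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP"
    # IPv6: ICMPv6 type 1 (destination unreachable), code 4 (port unreachable)
    echo "ip6tables -A OUTPUT -p icmpv6 --icmpv6-type port-unreachable -j DROP"
}

# Apply the rules idempotently: test each one with -C first so that
# re-running the script after a reboot or a config reload never appends
# duplicate rules to the OUTPUT chain.
apply_icmp_unreach_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_icmp_unreach_rules: must run as root" >&2
        return 1
    fi
    icmp_unreach_rules | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        if $check 2>/dev/null; then
            echo "already present: $cmd"
        else
            $cmd && echo "added: $cmd"
        fi
    done
}

# Usage: review first, then apply as root.
#   sh sad-dns-icmp.sh            -> prints the rules only
#   sudo sh sad-dns-icmp.sh apply -> installs them
if [ "${1:-}" = "apply" ]; then
    apply_icmp_unreach_rules
else
    icmp_unreach_rules
fi
```

Note that this blocks the side channel on the resolver host only; a stateful firewall in front of the resolver would need the equivalent rule, and the rule does nothing for the second mitigation (a sub-second query timeout), which dnsmasq itself does not expose as an option in this thread.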
