<style class="ke-style">
[list-style-type] {padding-left:20px;list-style-position:inside}
[list-style-type] li {margin:0}
[list-style-type] li:before, span.ke-list-item-matter {font-family:"sans serif",tahoma,verdana,helvetica}
[list-style-type] li p,[list-style-type] li h1,[list-style-type] li h2,[list-style-type] li h3,[list-style-type] li h4,[list-style-type] li h5,[list-style-type] li div,[list-style-type] li blockquote{display:inline;word-break:break-all}
[list-style-type] li table {display:inline-block;vertical-align:top}
p{margin:0}
td {word-break: break-word}
.default-font-1755605833299{
font-size:14px;
}
</style><div class="default-font-1755605833299" dir="ltr"><p data-start="156" data-end="185">Dear Dnsmasq Security Team,</p>
<p data-start="187" data-end="499">We would like to responsibly disclose a <strong data-start="227" data-end="269">critical cache poisoning vulnerability</strong> affecting the Dnsmasq DNS software. The issue allows attackers to inject arbitrary malicious DNS resource records and poison domain names <strong data-start="408" data-end="449">without requiring advanced techniques</strong>, only by leveraging a single special character.</p>
<h3 data-start="501" data-end="519">Report Summary</h3>
<ul data-start="520" data-end="967">
<li data-start="520" data-end="585"><p data-start="522" data-end="585"><strong data-start="522" data-end="545">Vulnerability Type:</strong> Logic flaw in cache poisoning defense</p></li>
<li data-start="586" data-end="635"><p data-start="588" data-end="635"><strong data-start="588" data-end="610">Affected Software:</strong> Dnsmasq (all versions)</p></li>
<li data-start="636" data-end="662"><p data-start="638" data-end="662"><strong data-start="638" data-end="651">Severity:</strong> Critical</p></li>
<li data-start="663" data-end="775"><p data-start="665" data-end="775"><strong data-start="665" data-end="684">Exploitability:</strong> Off-path attackers can brute-force TxID and source port within an extended attack window</p></li>
<li data-start="776" data-end="865"><p data-start="778" data-end="865"><strong data-start="778" data-end="794">Attack Name:</strong> <strong data-start="795" data-end="810">SHAR Attack</strong> (Single-character Hijack via ASCII Resolver-silence)</p></li>
<li data-start="866" data-end="920"><p data-start="868" data-end="920"><strong data-start="868" data-end="885">Success Rate:</strong> 20/20 successful attack attempts</p></li>
<li data-start="921" data-end="967"><p data-start="923" data-end="967"><strong data-start="923" data-end="950">Average Execution Time:</strong> ~9,469 seconds</p></li>
</ul>
<h3 data-start="969" data-end="985">Key Findings</h3>
<ol data-start="986" data-end="1478">
<li data-start="986" data-end="1093"><p data-start="989" data-end="1093">Dnsmasq forwards queries with special characters (e.g., <code data-start="1045" data-end="1057">~, !, *, _</code>) to upstream recursive resolvers.</p></li>
<li data-start="1094" data-end="1209"><p data-start="1097" data-end="1209">Some upstream recursive resolvers <strong data-start="1131" data-end="1151">silently discard</strong> such malformed queries (no NXDomain/ServFail response).</p></li>
<li data-start="1210" data-end="1326"><p data-start="1213" data-end="1326">Dnsmasq does not validate or detect this situation, and <strong data-start="1269" data-end="1287">waits silently</strong>, creating a large <strong data-start="1306" data-end="1323">attack window</strong>.</p></li>
<li data-start="1327" data-end="1478"><p data-start="1330" data-end="1478">During this window, attackers can brute-force TxID (16-bit) and source port (16-bit) with a high probability of success (birthday paradox effect).</p></li>
</ol>
<h3 data-start="1480" data-end="1499">Security Impact</h3>
<ul data-start="1500" data-end="1810">
<li data-start="1500" data-end="1559"><p data-start="1502" data-end="1559">Attackers can poison any cached domain name in Dnsmasq.</p></li>
<li data-start="1560" data-end="1634"><p data-start="1562" data-end="1634">The attack is feasible off-path without IP fragmentation or side-channels.</p></li>
<li data-start="1635" data-end="1737"><p data-start="1637" data-end="1737">This vulnerability also amplifies known cache poisoning attacks such as <strong data-start="1709" data-end="1719">SADDNS</strong> and <strong data-start="1724" data-end="1734">Tudoor</strong>.</p></li>
<li data-start="1738" data-end="1810"><p data-start="1740" data-end="1810">Undermines DNS security assumptions that resolver silence is benign.</p></li>
</ul>
<h3 data-start="1812" data-end="1832">Proof of Concept</h3>
<p data-start="1833" data-end="2044">We tested against a real domain (<code data-start="1866" data-end="1878">viticm.com</code>) and demonstrated that queries containing certain crafted characters lead to <strong data-start="1956" data-end="1976">upstream silence</strong>. This allowed us to reliably poison Dnsmasq caches in all trials.</p>
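<p>The first key finding turns on whether a forwarder should send a name containing such characters upstream at all. The following is an added example, not Dnsmasq code: a label-by-label check against the RFC 1034 preferred name syntax (letters, digits, hyphen) that answers non-conforming queries locally instead of forwarding them, so an upstream that silently drops them never leaves the forwarder waiting. The "refuse" policy, the tolerance for a single leading underscore on service and policy labels (the report lists <code>_</code> among the special characters, but <code>_sip._tcp</code>, <code>_dmarc</code> and <code>_domainkey</code> are common legitimate query names, so rejecting every underscore would break SRV, DMARC and DKIM lookups), and the sample names are all assumptions of this example.</p>

```python
"""Query-name syntax gate for a DNS forwarder (added example, not Dnsmasq code).

Names outside RFC 1034 preferred syntax (letters, digits, hyphen) are answered
locally with REFUSED instead of being sent upstream, so a resolver that
silently drops such queries never leaves the forwarder waiting.
"""
import string

# RFC 1034 "preferred name syntax": letters, digits and hyphen.
LDH = set(string.ascii_letters + string.digits + "-")


def label_ok(label: str) -> bool:
    """Check one label: 1-63 octets, LDH characters only, no leading or
    trailing hyphen. Assumption for this example: a single leading underscore
    is tolerated because service and policy labels such as _sip._tcp, _dmarc
    and _domainkey are common legitimate query names; an underscore anywhere
    else is rejected."""
    if not 1 <= len(label) <= 63:
        return False
    body = label[1:] if label.startswith("_") else label
    if not body or body[0] == "-" or body[-1] == "-":
        return False
    return all(c in LDH for c in body)


def classify(qname: str) -> tuple:
    """Return ("forward", reason) or ("refuse", reason) for a query name."""
    name = qname.rstrip(".")          # tolerate a trailing root dot
    if not name:
        return ("forward", "root")
    if len(name) > 253:
        return ("refuse", "name longer than 253 octets")
    for label in name.split("."):
        if label_ok(label):
            continue
        offending = sorted({c for c in label if c not in LDH})
        if offending:
            return ("refuse", "label %r has non-LDH characters %s" % (label, offending))
        return ("refuse", "label %r violates RFC 1034 label rules" % label)
    return ("forward", "ok")


if __name__ == "__main__":
    # Constructed sample names: the first three are ordinary or service
    # names; the rest contain the kinds of characters the report lists.
    for q in ("www.example.com", "_dmarc.example.com", "_sip._tcp.example.com.",
              "ab~cd.example.com", "x!y.example.com", "*.example.com",
              "a_b.example.com", "-bad.example.com"):
        print("%-28s %s" % (q, classify(q)))
```

<p>A forwarder that applies <code>classify()</code> before its forwarding path answers a "refuse" decision itself (REFUSED or NXDOMAIN, depending on local policy) and never allocates an upstream socket, TxID or timer for it, which removes the silent-wait window for exactly the names the report describes.</p>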
<h3 data-start="2046" data-end="2070">Suggested Mitigation</h3>
<p data-start="2071" data-end="2093">We recommend adding:</p><ul data-start="2094" data-end="2237"><li data-start="2094" data-end="2157"><p data-start="2096" data-end="2157">Detection mechanisms when upstream resolvers remain silent.</p></li><li data-start="2158" data-end="2237"><p data-start="2160" data-end="2237">Rate limiting and spoof-detection techniques, similar to those in PowerDNS.</p></li></ul><h3 data-start="2239" data-end="2253">References</h3><ul data-start="2254" data-end="2532"><li data-start="2254" data-end="2312"><p data-start="2256" data-end="2312">RFC1034: <a data-start="2265" data-end="2310" rel="noopener" target="_new" href="https://datatracker.ietf.org/doc/html/rfc1034">https://datatracker.ietf.org/doc/html/rfc1034</a></p></li><li data-start="2313" data-end="2371"><p data-start="2315" data-end="2371">RFC2182: <a data-start="2324" data-end="2369" rel="noopener" target="_new" href="https://datatracker.ietf.org/doc/html/rfc2182">https://datatracker.ietf.org/doc/html/rfc2182</a></p></li><li data-start="2372" data-end="2407"><p data-start="2374" data-end="2407">SADDNS: <a data-start="2382" data-end="2405" rel="noopener" target="_new" href="https://www.saddns.net/">https://www.saddns.net/</a></p></li><li data-start="2408" data-end="2439"><p data-start="2410" data-end="2439">Tudoor: <a data-start="2418" data-end="2437" rel="noopener" target="_new" href="https://tudoor.net/">https://tudoor.net/</a></p></li><li data-start="2440" data-end="2532"><p data-start="2442" data-end="2532">PowerDNS Mitigation: <a data-start="2463" data-end="2530" rel="noopener" target="_new" href="https://docs.powerdns.com/recursor/settings.html#spoof-nearmiss-max">https://docs.powerdns.com/recursor/settings.html#spoof-nearmiss-max</a></p></li></ul><p data-start="2534" data-end="2732">We believe this issue requires urgent attention due to the wide deployment of Dnsmasq. 
Please let us know how we can assist further with coordinated disclosure, additional PoC details, or testing.</p>
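<p>The two mitigations suggested above (detecting upstream silence, and PowerDNS-style spoof detection) as a small model of a forwarder's pending-query table. This is an added example, not Dnsmasq or PowerDNS code. The 2-second silence timeout, the near-miss threshold of 5, the event names and the replayed event stream (one genuine answer, a burst of wrong-TxID responses on one port, one unsolicited response, and one query that is never answered) are all constructed for the demonstration.</p>

```python
"""Model of a forwarder's pending-query table with two defences
(added example, not Dnsmasq or PowerDNS code):

1. a silence timeout, so a query whose upstream never answers is failed
   with SERVFAIL instead of staying open indefinitely;
2. a near-miss counter in the spirit of PowerDNS spoof-nearmiss-max: a
   response on the right source port but with the wrong TxID cannot have
   come from the upstream we asked, so a burst of them marks the query as
   under a spoofing attempt and it is abandoned for retry over TCP.
"""
from dataclasses import dataclass, field


@dataclass
class Outstanding:
    """One query sent upstream that has not been answered yet."""
    qname: str
    txid: int
    sent_at: float
    nearmisses: int = 0


@dataclass
class Forwarder:
    silence_timeout: float = 2.0   # assumption: seconds before a silent upstream is given up on
    nearmiss_max: int = 5          # assumption: wrong-TxID responses tolerated per query
    pending: dict = field(default_factory=dict)   # source port -> Outstanding
    log: list = field(default_factory=list)       # (event, qname) in order of occurrence

    def send(self, qname, txid, sport, now):
        """Record a query sent upstream from its own random source port."""
        self.pending[sport] = Outstanding(qname, txid, now)
        self.log.append(("sent", qname))

    def on_response(self, sport, txid, qname, now):
        """Match an incoming response against the pending table."""
        out = self.pending.get(sport)
        if out is None:
            self.log.append(("unsolicited", qname))     # nothing open on this port
            return "unsolicited"
        if txid == out.txid and qname == out.qname:
            del self.pending[sport]
            self.log.append(("accepted", qname))
            return "accepted"
        # Correct port, wrong TxID or name: the real upstream echoes the
        # TxID it was sent, so this is evidence of guessing.
        out.nearmisses += 1
        if out.nearmisses >= self.nearmiss_max:
            del self.pending[sport]                      # stop waiting; caller retries over TCP
            self.log.append(("spoof_suspected", out.qname))
            return "spoof_suspected"
        self.log.append(("nearmiss", out.qname))
        return "nearmiss"

    def expire(self, now):
        """Fail every query whose upstream has been silent past the timeout."""
        expired = [sp for sp, o in self.pending.items()
                   if now - o.sent_at >= self.silence_timeout]
        names = []
        for sp in expired:
            names.append(self.pending.pop(sp).qname)
            self.log.append(("servfail_silent_upstream", names[-1]))
        return names


def run_scenario():
    """Replay a constructed event stream and return the forwarder's log."""
    fw = Forwarder()
    fw.send("www.example.com", txid=0x1A2B, sport=40001, now=0.00)
    fw.send("ab~cd.example.com", txid=0x3C4D, sport=40002, now=0.10)
    fw.send("xy!z.example.com", txid=0x5E6F, sport=40003, now=0.20)
    # Genuine answer: right port and right TxID.
    fw.on_response(40001, 0x1A2B, "www.example.com", now=0.30)
    # Constructed burst on port 40002: the upstream is silent, and the
    # responses carry TxIDs that were never sent.
    for i, bad_txid in enumerate((0x0101, 0x0202, 0x0303, 0x0404, 0x0505)):
        fw.on_response(40002, bad_txid, "ab~cd.example.com", now=0.5 + 0.1 * i)
    # Response on a port with nothing pending.
    fw.on_response(40009, 0x1234, "other.example.com", now=1.0)
    # Port 40003 never hears back; the timeout closes it.
    fw.expire(now=2.5)
    return fw.log


if __name__ == "__main__":
    for event in run_scenario():
        print("%-26s %s" % event)
```

<p>The model keeps one outstanding query per source port, so a genuine upstream answer is the only response that can match both the port and the TxID. Wrong-TxID responses on an open port are counted as near-misses, and once the threshold is reached the query is dropped from the UDP table so that it can be re-resolved over TCP, which is not exposed to blind off-path response spoofing. Separately, <code>expire()</code> fails any query that has received no response at all within the timeout, so a silent upstream produces a SERVFAIL to the client rather than an open-ended window.</p>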
<p data-start="2734" data-end="2834">Best regards,<br data-start="2747" data-end="2750">
Fasheng Miao (Tsinghua University)<br data-start="2784" data-end="2787">
Xiang Li (AOSP Laboratory, Nankai University)</p></div>