[Dnsmasq-discuss] CVE-2020-25705 mitigation (SAD DNS)
Petr Menšík
pemensik at redhat.com
Wed Dec 9 10:38:46 GMT 2020
I doubt limiting to 1221 can fix virtually anything. I doubt it would
fix anything even on Windows. I am sure it would not prevent any attack
on dnsmasq.

I think the best mitigation would be blocking any external IP addresses
to dnsmasq; only those configured as forwarders in dnsmasq should be allowed.

DNSSEC validation would prevent any cache poisoning for signed domains.
It is always good to enable it. I think strict firewalling to the upstream
resolver should help on trusted networks, where both dnsmasq and its
upstream are in a trusted network.

If queries run over untrusted networks, I would suggest DNSSEC
validation, and patching the kernel with the SAD DNS fix. I doubt anything
better can be done in that case.
On 12/9/20 2:02 AM, Jim Alles wrote:
> ref:
> https://thehackernews.com/2020/11/sad-dns-new-flaws-re-enable-dns-cache.html
>
> Is it appropriate to clamp edns to 1221 as suggested by the
> Microsoft Guidance here?
> https://www.bleepingcomputer.com/news/security/microsoft-issues-guidance-for-dns-cache-poisoning-vulnerability/
>
> # now clamped for CVE-2020-25705 mitigation SAD DNS
> edns-packet-max=1221
>
> Or would this not even help?
> (I think my best effort has been enabling DNSSEC in dnsmasq.)
>
> Thank you for any advice, and
> best regards,
> Jim Alles
>
>
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
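Petr's allow-list suggestion (let DNS traffic reach dnsmasq only from the forwarders it is configured with), worked through as an added example that is not part of this thread or of dnsmasq itself: it extracts the server= targets from a dnsmasq config and renders matching nftables rules. It assumes nftables with an existing inet filter table and input chain, a WAN interface named wan0, and the constructed sample config below; it covers UDP only, the transport SAD DNS concerns.

```python
import ipaddress

# Constructed sample dnsmasq config; addresses and interface name are placeholders.
SAMPLE_CONF = """\
# upstream resolvers (second line is a deliberate duplicate)
server=192.0.2.53
server=192.0.2.53
server=2001:db8::53#5353@wan0
server=/corp.example/10.0.0.2
# resolved locally, no forwarder
server=/local.example/
# '#' as target means: use the normal servers
server=/pool.ntp.org/#
local=/lan/
edns-packet-max=1221
"""

def upstream_servers(conf_text):
    """Return [(ip_address, port)] for every server= line naming a literal
    upstream, de-duplicated, in config order."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # dnsmasq comments are whole-line
            continue
        key, _, value = line.partition("=")
        if key.strip() != "server":
            continue
        value = value.strip()
        if value.startswith("/"):                 # server=/domain/[domain/]target
            value = value.rsplit("/", 1)[1]
        if value in ("", "#"):                    # local-only, or "use default servers"
            continue
        target = value.split("@", 1)[0]           # drop @interface / @source-address
        host, _, port = target.partition("#")     # optional #port precedes any '@'
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                              # not a literal address; skip
        found.setdefault((ip, int(port) if port else 53), None)
    return list(found)

def nft_rules(servers, wan_if="wan0"):
    """Render nft statements admitting DNS-sourced UDP on the WAN interface
    only from the configured forwarders, dropping other port-53-sourced UDP."""
    rules = []
    for ip, port in servers:
        fam = "ip" if ip.version == 4 else "ip6"
        rules.append(f'add rule inet filter input iifname "{wan_if}" {fam} saddr {ip} udp sport {port} accept')
    ports = ", ".join(str(p) for p in sorted({p for _, p in servers}))
    rules.append(f'add rule inet filter input iifname "{wan_if}" udp sport {{ {ports} }} drop')
    return rules

if __name__ == "__main__":
    print("\n".join(nft_rules(upstream_servers(SAMPLE_CONF))))
```

Feed the output to `nft -f -` after reviewing it; the final drop rule only catches packets claiming a forwarder's source port, so pair it with DNSSEC validation as the thread recommends.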