[Dnsmasq-discuss] Sad DNS vulnerability

Simon Kelley simon at thekelleys.org.uk
Thu Dec 10 21:54:27 GMT 2020


On 08/12/2020 00:51, WU, CHRIS wrote:
> Hello.  I read this story on ZDnet about a DNS cache poisoning
> vulnerability and it mentions dnsmasq as one of the affected applications.
> 
> https://www.zdnet.com/article/dns-cache-poisoning-poised-for-a-comeback-sad-dns/
> 
>  
> 
> Is there anything that you suggest to limit the exposure to this
> vulnerability?  The article suggests these two steps:
> 
> The simplest mitigation, though, is to disallow outgoing ICMP replies
> altogether. This comes at the potential cost of losing some network
> troubleshooting and diagnostic features.
> 

That makes most sense, as far as I can see.
> 
> Another easy fix is to set the timeout of DNS queries more aggressively.
> For example, you should set it so that's less than a second. This way
> the source port will be short-lived and disappear before the attacker
> can start injecting rogue responses. The downside, however, is the
> possibility of introducing more retransmitted queries and overall worse
> performance.
> 
> 

I've not experimented with this, but you could try reducing the value of
the TIMEOUT parameter in /src/config.h and recompiling to achieve this.
It's likely to make stuff more fragile.


The only real fix for all of these problems is DNSSEC, but that requires
much more of the DNS to actually be signed.



Cheers,

Simon.
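The first mitigation above (stop the resolver host from sending ICMP port-unreachable replies) as an nftables ruleset, plus a small checker that confirms the drop rule sits in a chain hooked on `output`, where it actually takes effect. This is an added example, not code from the thread or from dnsmasq; both rulesets are constructed samples in `nft list ruleset` syntax, and the checker only understands that layout.

```python
import re

# Constructed sample (not from the thread): a ruleset WITHOUT the mitigation.
RULESET_WEAK = """\
table inet filter {
    chain output {
        type filter hook output priority filter; policy accept;
        ct state established,related accept
    }
}
"""

# Constructed sample: same ruleset, outgoing destination-unreachable dropped.
RULESET_HARDENED = """\
table inet filter {
    chain output {
        type filter hook output priority filter; policy accept;
        icmp type destination-unreachable drop
        icmpv6 type destination-unreachable drop
    }
}
"""

HOOK_RE = re.compile(r"\btype\s+filter\s+hook\s+(\w+)")
DROP_RE = re.compile(
    r"^(icmp|icmpv6)\s+(?:type\s+destination-unreachable|code\s+port-unreachable)\s+drop$")

def icmp_unreachable_blocked(ruleset: str) -> set:
    """Return the protocols ('icmp', 'icmpv6') whose destination-unreachable
    messages are dropped in a base chain hooked on `output`.  A drop rule in
    any other chain does not stop this host from sending the replies."""
    covered = set()
    in_chain, hook = False, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("chain "):
            in_chain, hook = True, None        # new chain: forget previous hook
        elif line == "}" and in_chain:
            in_chain = False                   # closing brace of the chain
        elif in_chain:
            m = HOOK_RE.search(line)
            if m:
                hook = m.group(1)              # base-chain declaration line
            elif hook == "output" and (d := DROP_RE.match(line)):
                covered.add(d.group(1))
    return covered

def missing_mitigation(ruleset: str) -> set:
    """Protocols for which outgoing destination-unreachable is still allowed."""
    return {"icmp", "icmpv6"} - icmp_unreachable_blocked(ruleset)
```

Feed it the real output of `nft list ruleset` on the resolver host; an empty `missing_mitigation()` result means both families are covered.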


