[Dnsmasq-discuss] Sad DNS vulnerability

WU, CHRIS cw1921 at att.com
Sat Dec 12 00:02:33 GMT 2020


Thank you for the information, Simon!

So far I've applied the patch mentioned by the saddns.net website to our Linux kernel:  "Yes, we have worked with the Linux kernel security team and developed a patch that randomizes the ICMP global rate limit to introduce noises to the side channel."

I'm hoping that will be enough but if I experiment with changing the TIMEOUT parameter that you mentioned I will let you know what the results are.

-----Original Message-----
From: Dnsmasq-discuss <dnsmasq-discuss-bounces at thekelleys.org.uk> On Behalf Of Simon Kelley
Sent: Thursday, December 10, 2020 4:54 PM
To: dnsmasq-discuss at thekelleys.org.uk
Subject: Re: [Dnsmasq-discuss] Sad DNS vulnerability

On 08/12/2020 00:51, WU, CHRIS wrote:
> Another easy fix is to set the timeout of DNS queries more aggressively.
> For example, you should set it so that's less than a second. This way 
> the source port will be short-lived and disappear before the attacker 
> can start injecting rogue responses. The downside, however, is the 
> possibility of introducing more retransmitted queries and overall 
> worse performance.
> 
> 

I've not experimented with this, but you could try reducing the value of the TIMEOUT parameter in /src/config.h and recompiling to achieve this.
It's likely to make stuff more fragile.


The only real fix for all of these problems is DNSSEC, but that requires much more of the DNS to actually be signed.



Cheers,

Simon.

 


