[Dnsmasq-discuss] [Security Report] Critical Cache Poisoning Vulnerability in Dnsmasq
苗发生
mfs24 at mails.tsinghua.edu.cn
Tue Aug 19 12:17:19 UTC 2025
Dear Dnsmasq Security Team,
We would like to responsibly disclose a critical cache poisoning vulnerability affecting the Dnsmasq DNS software. The issue allows attackers to inject arbitrary malicious DNS resource records and poison domain names without requiring advanced techniques, only by leveraging a single special character.
Report Summary
Vulnerability Type: Logic flaw in cache poisoning defense
Affected Software: Dnsmasq (all versions)
Severity: Critical
Exploitability: Off-path attackers can brute-force TxID and source port within an extended attack window
Attack Name: SHAR Attack (Single-character Hijack via ASCII Resolver-silence)
Success Rate: 20/20 successful attack attempts
Average Execution Time: ~9,469 seconds
Key Findings
Dnsmasq forwards queries with special characters (e.g., ~, !, *, _) to upstream recursive resolvers.
Some upstream recursive resolvers silently discard such malformed queries (no NXDomain/ServFail response).
Dnsmasq does not validate or detect this situation, and waits silently, creating a large attack window.
During this window, attackers can brute-force TxID (16-bit) and source port (16-bit) with a high probability of success (birthday paradox effect).
Security Impact
Attackers can poison any cached domain name in Dnsmasq.
Attack is feasible off-path without IP fragmentation or side-channels.
This vulnerability also amplifies known cache poisoning attacks such as SADDNS and Tudoor.
Undermines DNS security assumptions that resolver silence is benign.
Proof of Concept
We tested against a real domain (viticm.com) and demonstrated that queries containing certain crafted characters lead to upstream silence. This allowed us to reliably poison Dnsmasq caches in all trials.
Suggested Mitigation
We recommend adding:
Detection mechanisms when upstream resolvers remain silent.
Rate limiting and spoof-detection techniques, similar to those in PowerDNS.
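An added illustration, not part of this report or of dnsmasq's own code: a small Python model of the two mitigations suggested above, a timeout that fails queries the upstream never answers and a PowerDNS-style near-miss counter that flags a run of responses arriving on an in-use port with the wrong TxID or name. The class, method names, thresholds and the constructed trace are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Pending:
    qname: str
    txid: int
    port: int
    sent_at: float


class SpoofAwareForwarder:
    """Hypothetical model of a forwarder's outstanding-query table (not dnsmasq code)."""

    def __init__(self, nearmiss_max=20, silence_timeout=2.0):
        self.pending = {}        # (source port, TxID) -> Pending upstream query
        self.nearmiss = {}       # qname -> count of mismatching responses seen
        self.alerts = []         # names whose near-miss count exceeded the limit
        self.nearmiss_max = nearmiss_max
        self.silence_timeout = silence_timeout

    def send_upstream(self, qname, txid, port, now):
        self.pending[(port, txid)] = Pending(qname, txid, port, now)

    def receive(self, qname, txid, port, now):
        """Classify an incoming UDP response: 'accepted', 'nearmiss' or 'unsolicited'."""
        entry = self.pending.get((port, txid))
        if entry is not None and entry.qname.lower() == qname.lower():
            del self.pending[(port, txid)]
            return "accepted"
        # Right port but wrong TxID or name: a legitimate upstream almost never does
        # this, so a run of them is the signature of someone guessing the 32 bits.
        if any(p == port for (p, _) in self.pending):
            count = self.nearmiss.get(qname, 0) + 1
            self.nearmiss[qname] = count
            if count > self.nearmiss_max and qname not in self.alerts:
                self.alerts.append(qname)
            return "nearmiss"
        return "unsolicited"

    def expire_silent(self, now):
        """Fail queries the upstream never answered instead of leaving them open."""
        stale = [(k, e) for k, e in self.pending.items()
                 if now - e.sent_at > self.silence_timeout]
        for k, _ in stale:
            del self.pending[k]
        return [e.qname for _, e in stale]   # names to answer with SERVFAIL
```

Closing the window (expire_silent) removes the port/TxID pair an attacker would need to match, while the near-miss counter gives an operator a concrete signal to log or rate-limit on.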
References
RFC1034: https://datatracker.ietf.org/doc/html/rfc1034
RFC2182: https://datatracker.ietf.org/doc/html/rfc2182
SADDNS: https://www.saddns.net/
Tudoor: https://tudoor.net/
PowerDNS Mitigation: https://docs.powerdns.com/recursor/settings.html#spoof-nearmiss-max
We believe this issue requires urgent attention due to the wide deployment of Dnsmasq. Please let us know how we can assist further with coordinated disclosure, additional PoC details, or testing.
Best regards,
Fasheng Miao (Tsinghua University)
Xiang Li (AOSP Laboratory, Nankai University)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Cache Poison_Report_Dnsmasq.pdf
Type: application/pdf
Size: 105040 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20250819/62972ab0/attachment-0001.pdf>