[Dnsmasq-discuss] [Security Report] Critical Cache Poisoning Vulnerability in Dnsmasq

David Conrad david.conrad at layer9.tech
Wed Aug 20 16:58:02 UTC 2025


Hi Simon,

On Aug 20, 2025, at 5:10 AM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> You missed a trick in your description of the attack: as described the attack only allows records with "illegal" characters to be inserted into the cache. The attack can be extended to inserting arbitrary records by leveraging CNAME records in the replies.
> 
> How do you infiltrate the vulnerable queries? This is normally done via web pages or similar, but it's not clear to me that that route works with the illegal characters.

As I suspect you know, there are no “illegal” characters in the DNS — DNS qnames are length encoded 8-bit clean. There are characters that you’re not supposed to use in “host names” according to RFCs 1123/2181, but that shouldn’t impact the resolution path. No resolver I know of does anything weird (e.g., drop the query) when it sees non-ASCII. The “illegal” character behavior part appears to simply be the result of a cache miss in the upstream resolver. 

Regards,
-drc
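The point above, that a DNS qname is a sequence of length-prefixed labels carrying any octet value, is easy to check against the wire format itself. The following is an added example, not code from this thread or from dnsmasq: it encodes and decodes RFC 1035 wire-format names (compression pointers are deliberately rejected to keep it short), and separately applies the RFC 1123 host-name syntax rule so a defender auditing query logs can flag names that are valid DNS names but not valid host names. The sample names are constructed; the function names are my own.

```python
import re

# Wire-format limits from RFC 1035 (section 2.3.4).
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255


def encode_qname(labels):
    """Encode a list of label byte strings as a DNS wire-format name.

    Each label is prefixed by its one-octet length; the label bytes are
    copied verbatim, so every octet value 0x00..0xFF is carried unchanged.
    """
    out = bytearray()
    for label in labels:
        if not label:
            raise ValueError("empty label")
        if len(label) > MAX_LABEL_LEN:
            raise ValueError("label longer than 63 octets")
        out.append(len(label))
        out += label
    out.append(0)  # zero-length root label terminates the name
    if len(out) > MAX_NAME_LEN:
        raise ValueError("name longer than 255 octets")
    return bytes(out)


def decode_qname(wire, offset=0):
    """Decode a wire-format name at `offset`; return (labels, next_offset).

    Length-driven parsing means no byte value is treated specially except
    the terminating zero length, which is what makes qnames 8-bit clean.
    """
    labels = []
    while True:
        if offset >= len(wire):
            raise ValueError("truncated name")
        length = wire[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            # RFC 1035 4.1.4 compression pointer; not handled in this example.
            raise ValueError("compression pointer not supported here")
        if offset + length > len(wire):
            raise ValueError("truncated label")
        labels.append(wire[offset:offset + length])
        offset += length


# RFC 1123 host-name label: letters, digits and hyphens, no leading or
# trailing hyphen. This is a naming convention, not a wire-format rule.
_HOSTNAME_LABEL = re.compile(rb"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_hostname(labels):
    """True if every label satisfies RFC 1123 host-name syntax."""
    return all(_HOSTNAME_LABEL.match(label) is not None for label in labels)


def flag_non_hostnames(wire_names):
    """Return the decoded names from `wire_names` that are well-formed DNS
    names but do not follow host-name syntax (a useful log-audit signal)."""
    flagged = []
    for wire in wire_names:
        labels, _ = decode_qname(wire)
        if not is_hostname(labels):
            flagged.append(b".".join(labels))
    return flagged


if __name__ == "__main__":
    # Constructed sample queries: one ordinary host name, one with a
    # non-ASCII octet in a label, one with a leading hyphen.
    samples = [
        encode_qname([b"www", b"example", b"com"]),
        encode_qname([b"a\xffb", b"example", b"com"]),
        encode_qname([b"-bad", b"example", b"com"]),
    ]
    for wire in samples:
        # Every sample round-trips unchanged: the wire format never rejects them.
        assert encode_qname(decode_qname(wire)[0]) == wire
    print(flag_non_hostnames(samples))
```

Running it shows the two non-host-name samples round-trip through the wire format exactly like the ordinary one, while only the host-name syntax check separates them; that is the distinction the message draws between what DNS carries and what RFC 1123/2181 say a host name should contain.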



