SAD DNS cache poisoning attack
Baptiste Jonglez
baptiste at bitsofnetworks.org
Sat Dec 5 14:41:16 EST 2020
On 05-12-20, Alexander 'lynxis' Couzens wrote:
> Hi,
>
> I'm wondering if dnsmasq is also vulnerable as a forwarder, or
> only as a recursive resolver?
Yes, as a forwarder. I don't think dnsmasq implements a real recursive
resolver.
> Did someone test it? Is there a public PoC?
I tested the basic behaviour used by the attack (ICMP errors when hitting
a closed port, nothing when hitting an open port and spoofing the peer
address) and it worked. I did not reproduce the full attack, but since we
are not customizing this part of the kernel it should work.
I am not aware of a public PoC. Successful cache poisoning is not
straightforward to pull off because you still have to guess the
transaction ID and you have limited time to do so. But a motivated
attacker can definitely do it, it does not require significant resources.
Baptiste