SAD DNS cache poisoning attack

Baptiste Jonglez baptiste at bitsofnetworks.org
Sat Dec 5 14:41:16 EST 2020


On 05-12-20, Alexander 'lynxis' Couzens wrote:
> Hi,
> 
> I'm wondering is dnsmasq also vulnerable as forwarder? Or
> only as recursive resolver?

Yes, as forwarder.  I don't think dnsmasq implements a real recursive
resolver.

> Did someone test it? Is there a public PoC?

I tested the basic behaviour used by the attack (ICMP errors when hitting
a closed port, nothing when hitting an open port and spoofing the peer
address) and it worked.  I did not reproduce the full attack, but since we
are not customizing this part of the kernel it should work.

I am not aware of a public PoC.  Successful cache poisoning is not
straightforward to pull off because you still have to guess the
transaction ID and you have limited time to do so.  But a motivated
attacker can definitely do it; it does not require significant resources.

Baptiste