Solved Are you SAD DNS? a.k.a. CVE-2020-25705

[Wallace_n_Gromit]

CVE-2020-25705 https://www.saddns.net/

To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.

Accept third party cookies

[Discussion starts 1:15:13 into podcast]

SAD DNS Explained

Researchers from UC Riverside and Tsinghua University found a new way to revive a decade-old DNS cache poisoning attack. Read our deep dive into how the SAD DNS attack on DNS resolvers works, how we protect against this attack in 1.1.1.1, and what the future holds for DNS cache poisoning attacks.

blog.cloudflare.com

SAD DNS — New Flaws Re-Enable DNS Cache Poisoning Attacks

Critical flaws re-enabled DNS cache poisoning attack on Linux, Windows, macOS, and FreeBSD.

thehackernews.com

Hardware Archives - TechRepublic

Stay current with the components, peripherals and physical parts that constitute your IT department.

www.techrepublic.com

 

[coxhaus]

I checked QUAD9 and it is showing as not vulnerable.

SAD DNS

 

[XIII]

Not sad; happy that NextDNS fixed this:

To view this content we will need your consent to set third party cookies.
For more detailed information, see our cookies page.

Accept third party cookies

 

[sfx2000]

pfSense using DNS Resolver (unbound) - seems to be ok...

pfSense disables sending of ICMP port unreachable packets by default...

 

[podkaracz]

Is there a way to prevent this vulnerability without paid dns? From what i can see only nextdns prevents it and rest is vulnerable.

 

[L&LD]

Yes. Read the posts above yours.

 

[RMerlin]

Asuswrt-Merlin has kernel-level mitigation in place on newer models that run Kernel 4.1.

kernel41: icmp: randomize the global rate limiter · RMerl/asuswrt-merlin.ng@ba296b2

Third party firmware for Asus routers (newer codebase) - kernel41: icmp: randomize the global rate limiter · RMerl/asuswrt-merlin.ng@ba296b2

github.com