Posting it here as I would like to understand if and how ASUS routers are affected, and, if they are, whether there is a mitigation.
Please move post as applicable.
from https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2025q3/018288.html
The issue allows attackers to inject arbitrary malicious DNS resource records and poison domain names without requiring advanced techniques, only by leveraging a single special character.
Report Summary
Vulnerability Type: Logic flaw in cache poisoning defense
Affected Software: Dnsmasq (all versions)
Severity: Critical
Exploitability: Off-path attackers can brute-force TxID and source port within an extended attack window
Attack Name: SHAR Attack (Single-character Hijack via ASCII Resolver-silence)
Success Rate: 20/20 successful attack attempts
Average Execution Time: ~9,469 seconds
Key Findings
Dnsmasq forwards queries with special characters (e.g., ~, !, *, _) to upstream recursive resolvers.
Some upstream recursive resolvers silently discard such malformed queries (no NXDomain/ServFail response).
Dnsmasq does not validate or detect this situation, and waits silently, creating a large attack window.
During this window, attackers can brute-force TxID (16-bit) and source port (16-bit) with a high probability of success (birthday paradox effect).
Security Impact
Attackers can poison any cached domain name in Dnsmasq.
Attack is feasible off-path without IP fragmentation or side-channels.
This vulnerability also amplifies known cache poisoning attacks such as SADDNS and Tudoor.
Undermines DNS security assumptions that resolver silence is benign.
Proof of Concept
We tested against a real domain (viticm.com) and demonstrated that queries containing certain crafted characters lead to upstream silence. This allowed us to reliably poison Dnsmasq caches in all trials.
Suggested Mitigation
We recommend adding:
Detection mechanisms when upstream resolvers remain silent.
Rate limiting and spoof-detection techniques, similar to those in PowerDNS.
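One way to implement the first suggested mitigation (detecting when an upstream resolver stays silent) as an added example that is not code from the report, from dnsmasq or from ASUS firmware: a Python script that walks dnsmasq "log-queries" style lines and flags forwarded queries that never got a reply within a threshold, noting whether the name carries characters outside the letters/digits/hyphen/dot set. The log lines are a constructed sample and the syslog layout is assumed, so adjust the regex to what your router actually logs.

```python
import re
from datetime import datetime

# Constructed sample in the layout of dnsmasq "log-queries" syslog output
# (assumed format; these are not real captured lines).
SAMPLE_LOG = """\
Sep 10 12:00:00 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Sep 10 12:00:00 dnsmasq[1234]: forwarded www.example.com to 203.0.113.53
Sep 10 12:00:00 dnsmasq[1234]: reply www.example.com is 198.51.100.7
Sep 10 12:00:01 dnsmasq[1234]: query[A] ~odd.example.com from 192.168.1.10
Sep 10 12:00:01 dnsmasq[1234]: forwarded ~odd.example.com to 203.0.113.53
Sep 10 12:00:05 dnsmasq[1234]: query[A] a_b.example.com from 192.168.1.11
Sep 10 12:00:05 dnsmasq[1234]: forwarded a_b.example.com to 203.0.113.53
Sep 10 12:00:06 dnsmasq[1234]: reply a_b.example.com is NXDOMAIN
Sep 10 12:00:20 dnsmasq[1234]: query[A] mail.example.com from 192.168.1.12
Sep 10 12:00:20 dnsmasq[1234]: forwarded mail.example.com to 203.0.113.53
Sep 10 12:00:20 dnsmasq[1234]: reply mail.example.com is 198.51.100.8
"""

EVENT_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (forwarded|reply) (\S+) ")
# Anything outside letters, digits, '-' and '.'; the characters the report
# says get forwarded upstream (~ ! * _) all fall in here.
NON_LDH_RE = re.compile(r"[^A-Za-z0-9.\-]")


def find_silent_forwards(log_text, silence_seconds=5, year=2025):
    """Return [(name, seconds_without_reply, has_special_char)] for queries
    dnsmasq forwarded upstream that were not answered within the window."""
    pending = {}  # name -> time of first forward (retries must not reset it)
    alerts = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # query[...] / cached / config lines are not needed here
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        kind, name = m.group(2), m.group(3)
        if kind == "forwarded":
            pending.setdefault(name, now)
        elif kind == "reply":
            pending.pop(name, None)  # any answer, NXDOMAIN included, ends the wait
        # Every new line advances the clock: flag anything waiting too long.
        for waiting, since in list(pending.items()):
            elapsed = int((now - since).total_seconds())
            if elapsed > silence_seconds:
                alerts.append((waiting, elapsed, bool(NON_LDH_RE.search(waiting))))
                del pending[waiting]
    return alerts
```

In the sample, a_b.example.com is not flagged because the upstream answered NXDOMAIN, while ~odd.example.com is flagged once the log shows 19 s without any reply.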