[Dnsmasq-discuss] [Security Report] Critical Cache Poisoning Vulnerability in Dnsmasq

苗发生 mfs24 at mails.tsinghua.edu.cn
Tue Aug 19 12:17:19 UTC 2025

Dear Dnsmasq Security Team,

We would like to responsibly disclose a critical cache poisoning vulnerability affecting the Dnsmasq DNS software. The issue allows attackers to inject arbitrary malicious DNS resource records and poison domain names without requiring advanced techniques, only by leveraging a single special character.

Report Summary

Vulnerability Type: Logic flaw in cache poisoning defense
Affected Software: Dnsmasq (all versions)
Severity: Critical
Exploitability: Off-path attackers can brute-force the TxID and source port within an extended attack window
Attack Name: SHAR Attack (Single-character Hijack via ASCII Resolver-silence)
Success Rate: 20/20 successful attack attempts
Average Execution Time: ~9,469 seconds

Key Findings

Dnsmasq forwards queries with special characters (e.g., ~, !, *, _) to upstream recursive resolvers.
Some upstream recursive resolvers silently discard such malformed queries (no NXDomain/ServFail response).
Dnsmasq does not validate or detect this situation and waits silently, creating a large attack window.
During this window, attackers can brute-force the TxID (16-bit) and source port (16-bit) with a high probability of success (birthday paradox effect).

Security Impact

Attackers can poison any cached domain name in Dnsmasq.
The attack is feasible off-path without IP fragmentation or side channels.
This vulnerability also amplifies known cache poisoning attacks such as SADDNS and Tudoor.
It undermines the DNS security assumption that resolver silence is benign.

Proof of Concept

We tested against a real domain (viticm.com) and demonstrated that queries containing certain crafted characters lead to upstream silence. This allowed us to reliably poison Dnsmasq caches in all trials.

Suggested Mitigation

We recommend adding:

Detection mechanisms when upstream resolvers remain silent.
Rate limiting and s...
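The following is an added example, not code from the report's authors or from the dnsmasq project. It makes three points of the report concrete: why a query name containing ~, !, * or _ reaches the upstream at all (DNS labels are length-prefixed bytes, so the wire format does not reject them), what an RFC 1123 hostname-syntax check would and would not catch (underscore owner names such as _sip._tcp or _dmarc are legitimate, so a forwarder cannot simply drop every non-hostname query), and how long a window of upstream silence an off-path attacker needs to guess the 16-bit TxID plus 16-bit source port, including the birthday effect when several queries for the same name are outstanding. The name a~b.example.com, the packet rate, the sample response bytes and the function names are assumptions made for the example; the report does not state the attacker's packet rate.

```python
"""Added example (not from the report or from dnsmasq). Sample names, rates and
response bytes below are constructed for illustration."""
import math
import struct

SPACE = 1 << 32           # 65536 TxIDs x 65536 source ports
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid, qtype=1):
    """Encode a recursion-desired DNS query in wire format. Labels are
    length-prefixed byte strings, so '~', '!', '*' or '_' are legal on the wire
    even though they are not valid hostname characters; a forwarder that does
    no syntax check passes them straight to the upstream."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)     # QTYPE, QCLASS=IN


def is_rfc1123_hostname(name):
    """True if every label is 1-63 bytes of letters, digits or hyphens and does
    not start or end with '-'. Caveat: legitimate owner names such as
    _sip._tcp.example (SRV) or _dmarc.example (DMARC) contain '_' and fail this
    check, so rejecting every non-hostname query would break real traffic."""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63 or label[0] == "-" or label[-1] == "-":
            return False
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return False
    return True


def classify_upstream(raw):
    """Classify what the forwarder saw for an in-flight query. None models the
    case the report describes: the upstream stays silent and sends neither
    NXDOMAIN nor SERVFAIL, so the query keeps waiting. Otherwise return RCODE."""
    if raw is None:
        return "SILENT"
    if len(raw) < 12:
        return "MALFORMED"
    flags = struct.unpack("!H", raw[2:4])[0]
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))


def p_hit(n_spoofed, outstanding=1):
    """P(at least one of n_spoofed forged replies matches one of `outstanding`
    in-flight queries), with TxID and port uniformly random per query.
    outstanding > 1 is the birthday effect: each forged packet can match any
    waiting query, so the effective search space shrinks by that factor."""
    per_packet_miss = math.log1p(-outstanding / SPACE)   # log P(one packet misses)
    return -math.expm1(n_spoofed * per_packet_miss)


def packets_for(target_p, outstanding=1):
    """Forged replies needed to reach success probability target_p."""
    return math.log1p(-target_p) / math.log1p(-outstanding / SPACE)


def window_needed(target_p, pps, outstanding=1):
    """Seconds of upstream silence needed at `pps` forged replies per second.
    `pps` is an assumption for the example, not a figure from the report."""
    return packets_for(target_p, outstanding) / pps


if __name__ == "__main__":
    q = build_query("a~b.example.com", 0x1234)        # constructed test name
    print("query bytes:", q.hex())
    print("RFC 1123 hostname?", is_rfc1123_hostname("a~b.example.com"))
    print("upstream:", classify_upstream(None))
    for k in (1, 16, 256):
        print("outstanding=%d: %.0f s at 1 Mpps for p=0.5"
              % (k, window_needed(0.5, 1_000_000, k)))
```

The window arithmetic is what makes the report's point about silence matter: with a single outstanding query and one million forged replies per second, reaching a 50% hit probability on the 2^32 TxID/port space takes roughly 50 minutes, which is only practical if the forwarder keeps waiting for that long instead of failing the query. Each additional outstanding query for the same name divides that time accordingly.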