On 05-12-20, Alexander 'lynxis' Couzens wrote:
> Hi,
>
> I'm wondering is dnsmasq also vulnerable as forwarder? Or
> only as recursive resolver?

Yes, as forwarder. I don't think dnsmasq implements a real recursive resolver.

> Did someone test it? Is there a public PoC?

I tested the basic behaviour used by the attack (ICMP errors when hitting a closed port, nothing when hitting an open port and spoofing the peer address) and it worked. I did not reproduce the full attack but since we are not customizing this part of the kernel it should work.

I am not aware of a public PoC.

Successful cache poisoning is not straightforward to pull off because you still have to guess the transaction ID and you have limited time to do so. But a motivated attacker can definitely do it; it does not require significant resources.

Baptiste
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel