Cyber security focus – dnsmasq vulnerabilities (20th Jan, 2021)

Preface: On August 27, 2015 Cisco announced it had completed the acquisition of OpenDNS (now branded as Cisco Umbrella). Perhaps they predicted that this day would come.

Background: dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server, router advertisement and network boot features, intended for small computer networks. Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.

Vulnerability details: Dnsmasq is vulnerable to memory corruption and cache poisoning. For more details, please see the following link: https://kb.cert.org/vuls/id/434904

Workarounds:

  • Configure dnsmasq not to listen on WAN interfaces
  • Reduce the maximum number of outstanding forwarded queries (--dns-forward-max=). The default is 150.
  • Apply the vendor's patch
  • Use protocols that provide transport security for DNS (DoT or DoH)
  • Reduce the maximum EDNS message size (see the recommendations in RFC 5625)
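As an added example (not part of the original post), the following POSIX shell script audits a dnsmasq.conf against the configuration workarounds above and shows a constructed exposed config beside a hardened one. The option names (interface, bind-interfaces, dns-forward-max, edns-packet-max, server) are real dnsmasq options; the thresholds, file paths and the local stub resolver on port 5053 are assumptions for illustration.

```shell
#!/bin/sh
# Added example: check a dnsmasq.conf for the workarounds listed in the post.

# Print the value of a dnsmasq option (last occurrence wins), empty if unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Emit one finding per line; print nothing when the config passes.
audit_dnsmasq_conf() {
    conf="$1"
    # Workaround: WAN exposure. Without any interface or address restriction
    # dnsmasq answers on every interface, including WAN-facing ones.
    if ! grep -Eq '^[[:space:]]*(interface=|except-interface=|listen-address=|local-service)' "$conf"; then
        echo "no interface restriction: dnsmasq will listen on all interfaces"
    fi
    # Workaround: cap on outstanding forwarded queries (dnsmasq default 150).
    fwd=$(conf_get "$conf" dns-forward-max)
    if [ -z "$fwd" ] || [ "$fwd" -gt 150 ]; then
        echo "dns-forward-max is ${fwd:-unset (default 150)}: lower it"
    fi
    # Workaround: EDNS payload size. 1232 bytes is an assumed conservative cap
    # in the spirit of the RFC 5625 forwarder recommendations.
    edns=$(conf_get "$conf" edns-packet-max)
    if [ -z "$edns" ] || [ "$edns" -gt 1232 ]; then
        echo "edns-packet-max is ${edns:-unset}: cap the EDNS payload size"
    fi
}

# Constructed configs: a typical exposed router config and a hardened one.
WEAK="${TMPDIR:-/tmp}/dnsmasq-weak.conf"
HARD="${TMPDIR:-/tmp}/dnsmasq-hardened.conf"
cat > "$WEAK" <<'EOF'
# no interface binding, dnsmasq defaults for everything else
dhcp-range=192.168.1.50,192.168.1.150,12h
server=1.1.1.1
EOF
cat > "$HARD" <<'EOF'
interface=br-lan
bind-interfaces
dns-forward-max=50
edns-packet-max=1232
dhcp-range=192.168.1.50,192.168.1.150,12h
# forward to an assumed local DoT/DoH stub resolver instead of plain UDP 53
server=127.0.0.1#5053
EOF

echo "weak:";     audit_dnsmasq_conf "$WEAK"
echo "hardened:"; audit_dnsmasq_conf "$HARD"
```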
