DNSpooq Security Vulnerabilities Alert
Vulnerability Detail
- CVE-2020-25681: Heap-based buffer overflow with arbitrary overwrite
- CVE-2020-25682: Heap-based buffer overflow with null bytes
- CVE-2020-25683 / CVE-2020-25687: Heap-based buffer overflow with large memcpy
- CVE-2020-25684: TXID-Port Decoupling
- CVE-2020-25685: Weak frec Identification
- CVE-2020-25686: Multiple outstanding requests for the same name
Affected version
- dnsmasq: < 2.83
Solution
Upgrade dnsmasq to 2.83. Install the updated package from your distribution's package manager and restart dnsmasq promptly.
- Configure dnsmasq not to listen on WAN interfaces unless your environment requires it.
- Reduce the maximum number of queries allowed to be forwarded with the --dns-forward-max= option. The default is 150, but it can be lowered.
- Temporarily disable the DNSSEC validation option until the patch is installed.
- Use protocols that provide transport security for DNS (such as DoT or DoH). This will mitigate DNSpooq but may have other security and privacy implications. Consider your own setup, security goals, and risks before doing this.
- Reducing the maximum size of EDNS messages will likely mitigate some of the vulnerabilities. This has not been tested, however, and goes against the recommendation of RFC 5625.
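A check a defender can run against the mitigations above, added here as an example and not part of the original alert: it compares an installed dnsmasq version with the fixed release 2.83 and audits a dnsmasq.conf for the interim settings. It assumes dnsmasq's documented option names (interface, except-interface, listen-address, dns-forward-max, dnssec, edns-packet-max) and defaults (150 and 4096); the config sample at the end is constructed.

```shell
# Added example, not from the advisory: flag a dnsmasq older than the fixed
# release 2.83 and audit a dnsmasq.conf for the interim mitigations above.
FIXED_VERSION="2.83"

# version_lt A B: return 0 if dotted version A is older than B.
# Distro suffixes such as "2.80-1ubuntu1" are stripped before comparing.
version_lt() {
    a=${1%%[!0-9.]*}; b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.};; *) a=;; esac
        case $b in *.*) b=${b#*.};; *) b=;; esac
    done
    return 1
}

# conf_value FILE KEY DEFAULT: value of the last uncommented "KEY=value"
# line in FILE, or DEFAULT when the option is not set.
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '[:space:]')
    printf '%s\n' "${v:-$3}"
}

# audit_config FILE: print one line per finding and return how many of the
# recommended mitigations (interface restriction, lower forward limit,
# DNSSEC off) are missing. 150 and 4096 are dnsmasq's documented defaults.
audit_config() {
    missing=0
    if ! grep -Eq '^[[:space:]]*(interface|except-interface|listen-address)=' "$1"; then
        echo "WARN: no interface restriction; dnsmasq may listen on WAN"; missing=$((missing + 1))
    fi
    fwd=$(conf_value "$1" dns-forward-max 150)
    if [ "$fwd" -ge 150 ]; then
        echo "WARN: dns-forward-max=$fwd (default 150); lower it"; missing=$((missing + 1))
    fi
    if grep -Eq '^[[:space:]]*dnssec[[:space:]]*$' "$1"; then
        echo "WARN: DNSSEC validation on; disable until 2.83 is installed"; missing=$((missing + 1))
    fi
    edns=$(conf_value "$1" edns-packet-max 4096)
    [ "$edns" -ge 4096 ] && echo "INFO: edns-packet-max=$edns; lowering is an untested mitigation (RFC 5625)"
    return "$missing"
}

# Demo: installed binary (if any), then a constructed config with DNSSEC on.
command -v dnsmasq >/dev/null 2>&1 && v=$(dnsmasq --version | awk 'NR==1 {print $3}') \
    && version_lt "$v" "$FIXED_VERSION" && echo "WARN: dnsmasq $v is older than $FIXED_VERSION"
demo=$(mktemp); printf 'dnssec\ncache-size=1000\n' > "$demo"
rc=0; audit_config "$demo" || rc=$?; echo "missing mitigations: $rc"; rm -f "$demo"
```

Distributions sometimes backport the fix while keeping an older version number, so treat a version warning as a prompt to check your vendor's advisory rather than as proof of exposure.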