Dear DNSDist Security Team,
We are responsibly disclosing a critical DNS cache poisoning vulnerability in
DNSDist (all versions), which we call the SHAR Attack.
Summary
Type: DNS Cache Poisoning (logic flaw)
Severity: Critical
Impact: Attackers can inject arbitrary malicious DNS records.
Exploit: Only a single crafted character is needed; no fragmentation or
side-channel required.
Results: 20/20 experiments succeeded; average execution time < 1s.
Details
Certain special characters (~, !, *, _) cause upstream resolvers to remain
silent.
DNSDist does not handle this condition and waits silently, allowing attackers
to brute-force TxID + source port.
Predictable source port behavior enables near-instant cache poisoning.
This attack can amplify existing techniques (e.g., SADDNS, Tudoor).
Proof-of-Concept
Validated using a real domain; a single crafted character successfully induced
upstream silence, and spoofed responses were injected with 100% success.
Recommendation
Improve source port randomization and TxID entropy.
Add spoof-prevention mechanisms.
Detect and mitigate upstream silence anomalies.
We can share the full technical report, PoC steps, and coordinated disclosure
plan. Please advise a secure channel (encrypted email or bug bounty platform)
for further details.
Best regards,
Fasheng Miao (Tsinghua University)
Xiang Li (AOSP Laboratory, Nankai University)
_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
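A defender-side check for the "Recommendation" section above, added here as an illustration and not the reporters' PoC or dnsdist's own code: it flags an upstream whose silence rate on names containing the characters the report names (~, !, *, _) is much higher than on ordinary names, and measures the spread of the forwarder's own outbound source ports. The event records and upstream addresses are constructed.

```python
"""Added example: upstream-silence and source-port checks on constructed
query/response events (qname, upstream, answered, source port)."""
import math
from collections import Counter

SPECIAL = set("~!*_")  # characters named in the report

# Constructed sample events, not real traffic.
EVENTS = [
    ("www.example.test", "10.0.0.1", True, 41221),
    ("mail.example.test", "10.0.0.1", True, 53022),
    ("ftp.example.test", "10.0.0.1", True, 60111),
    ("cdn.example.test", "10.0.0.1", False, 38444),
    ("a~b.example.test", "10.0.0.1", False, 41223),
    ("a!b.example.test", "10.0.0.1", False, 41224),
    ("a*b.example.test", "10.0.0.1", False, 41225),
    ("a_b.example.test", "10.0.0.1", False, 41226),
    ("c_d.example.test", "10.0.0.1", True, 41227),
    ("www.example.test", "10.0.0.2", True, 49880),
    ("a~b.example.test", "10.0.0.2", True, 55301),
]

def has_special(qname):
    return any(ch in SPECIAL for ch in qname)

def silence_rates(events):
    """Per upstream: unanswered fraction for special-char vs plain names."""
    tally = {}
    for qname, up, answered, _ in events:
        key = (up, has_special(qname))
        total, silent = tally.get(key, (0, 0))
        tally[key] = (total + 1, silent + (0 if answered else 1))
    out = {}
    for (up, special), (total, silent) in tally.items():
        out.setdefault(up, {})["special" if special else "plain"] = silent / total
    return out

def silence_anomalies(events, min_gap=0.5):
    """Upstreams whose special-char silence rate exceeds baseline by min_gap."""
    return sorted(up for up, r in silence_rates(events).items()
                  if r.get("special", 0.0) - r.get("plain", 0.0) >= min_gap)

def port_entropy_bits(ports):
    """Shannon entropy of observed source ports: about 16 bits for fully
    random ports, near 0 for a fixed or predictable port."""
    n = len(ports)
    return -sum(c / n * math.log2(c / n) for c in Counter(ports).values())

if __name__ == "__main__":
    print(silence_anomalies(EVENTS), port_entropy_bits([p for *_, p in EVENTS]))
```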