Hi Simon,

On Aug 20, 2025, at 5:10 AM, Simon Kelley <[email protected]> wrote:

> You missed a trick in your description of the attack: as described the attack
> only allows records with "illegal" characters to be inserted into the cache.
> The attack can be extended to inserting arbitrary records by leveraging CNAME
> records in the replies.
>
> How do you infiltrate the vulnerable queries? This is normally done via web
> pages or similar, but it's not clear to me that that route works with the
> illegal characters.

As I suspect you know, there are no “illegal” characters in the DNS — DNS qnames are length-encoded, 8-bit clean. There are characters that you’re not supposed to use in “host names” according to RFCs 1123/2181, but that shouldn’t impact the resolution path. No resolver I know of does anything weird (e.g., drop the query) when it sees non-ASCII. The “illegal” character behavior part appears to simply be the result of a cache miss in the upstream resolver.

Regards,

-drc

_______________________________________________
Dnsmasq-discuss mailing list
[email protected]
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
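To illustrate the point made above about qnames being length-encoded and 8-bit clean, here is an added Python example (not code from the thread or from dnsmasq): it encodes and decodes RFC 1035 wire-format names without filtering any byte values, and keeps the RFC 1123 host-name syntax check as a separate function, since the two rules are independent.

```python
# Added example (not from the mailing-list thread): DNS wire-format qname
# encode/decode per RFC 1035, plus a separate RFC 1123 host-name syntax check.
from typing import List, Tuple

HOSTNAME_CHARS = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"


def encode_qname(labels: List[bytes]) -> bytes:
    """Encode raw label bytes as a wire-format name: <len><bytes>...<0>."""
    out = bytearray()
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out.append(len(label))  # length octet; label bytes are copied verbatim
        out += label            # any octet value is allowed, including 0x00
    out.append(0)               # empty root label terminates the name
    if len(out) > 255:
        raise ValueError("name exceeds 255 octets")
    return bytes(out)


def decode_qname(wire: bytes, offset: int = 0) -> Tuple[List[bytes], int]:
    """Decode a name starting at offset; returns (labels, offset after name)."""
    labels: List[bytes] = []
    while True:
        if offset >= len(wire):
            raise ValueError("truncated name")
        length = wire[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:  # compression pointer; not used in a bare qname
            raise ValueError("compression pointers not handled here")
        if offset + length > len(wire):
            raise ValueError("truncated label")
        labels.append(wire[offset:offset + length])
        offset += length


def is_rfc1123_hostname(labels: List[bytes]) -> bool:
    """Host-name syntax: letters, digits, hyphen; no leading/trailing hyphen.
    This is a naming convention, not a wire-format constraint."""
    for label in labels:
        if not label or label[0] == ord("-") or label[-1] == ord("-"):
            return False
        if any(c not in HOSTNAME_CHARS for c in label):
            return False
    return True
```

A name such as the constructed `[b"\xff\x00 weird", b"example"]` round-trips through the encoder and decoder unchanged while failing the host-name check, which is exactly the distinction drawn above.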
