
"Poison Over Troubled Forwarders: A Cache Poisoning Attack Targeting DNS Forwarding Devices"

This paper describes a DNS fragmentation attack against CPE forwarders in residential home routers. These kinds of attacks succeed over UDP. TCP-based DNS queries (like with DoT or DoH) are not vulnerable.

Or, even better, having a DNSSEC-validating resolver in your own network or on your own machine (if possible):

usenix.org/system/files/sec20-


>> Surprisingly, BIND, Unbound, Knot Resolver and PowerDNS are immune to the attack, because they re-query the CNAME chain and verify the oversized response, even when configured as DNS forwarders. <<

Mastodon