DNSpooq allows attackers to poison DNS cache records

Network administrators are urged to apply the latest Dnsmasq updates to prevent the new DNSpooq attacks.

Security experts today revealed details about seven vulnerabilities affecting the most popular DNS software package in networking equipment, such as routers and access points.

The vulnerabilities, tracked collectively as DNSpooq, affect Dnsmasq, a DNS forwarding client for *NIX systems.

Dnsmasq is often embedded in the firmware of networking devices to provide DNS forwarding: it takes the DNS requests made by local users, forwards them to an upstream DNS server, and caches the results when they arrive, so that the same answers can be served to other clients without sending a new DNS query upstream.

While their role may seem trivial and insignificant, these forwarders play an important part in speeding up internet access by avoiding duplicate traffic.

Today, Dnsmasq software ships on millions of devices sold worldwide, such as Cisco devices, Android smartphones, and all types of networking gear such as routers, access points, firewalls, and VPNs from companies including Aruba, Redhat, Technicolor, Ubiquiti, and others.


The DNSpooq vulnerabilities, disclosed today by security researchers at JSOF, are dangerous because they can be used to poison the DNS records cached by Dnsmasq servers.

Poisoning cached DNS records is a major problem for network administrators because it allows attackers to redirect users to clones of legitimate websites.

For example, if a threat actor can abuse the DNSpooq vulnerabilities to poison the cached DNS record for gmail.com on a company's Cisco router, they can redirect all of the company's employees to a malicious Gmail clone while the browser still shows the official gmail.com address in its address bar.

In total, seven DNSpooq vulnerabilities were disclosed today. Four are buffer overflows in the Dnsmasq code that could lead to remote code execution, while the other three bugs allow DNS cache poisoning.

Individually, the risk from each one is limited, but the researchers say they can be chained together to attack any device running an older version of the Dnsmasq software.

Attacks are easiest against Dnsmasq installs exposed directly to the internet, but the JSOF team warns that devices on internal networks are also at risk if attackers deliver the attack code through browsers or other (compromised) devices on the same network.

The attack may sound daunting, but in an interview with ZDNet on Monday, Shlomi Oberman, chief executive officer of JSOF, said the opposite is true.

“The vulnerability of DNSpooq cache poisoning is not difficult to remove and is a kind of weakness, in our opinion, that can be easily exploited and exploited by botnets, malvertisers, phishers, and that happy group,” Oberman said.

“The biggest challenge for someone who uses this is the high risk that they have a lot of noise so they will be seen by ISPs and other companies that are very visible on the internet,” said a JSOF official.

Oberman added that the attack requires sending multiple DNS packets to the target device, which takes a considerable amount of time, and that it requires the attackers to have access to adequate attack infrastructure.

However, these are not unusual requirements, and the JSOF executive believes DNSpooq attacks are within reach of both cybercriminal gangs and nation-state (APT) groups alike.

The easiest way to prevent any of these attacks is to apply the security updates that the Dnsmasq project will release later today.

However, many of these Dnsmasq DNS forwarding clients are embedded within the firmware of other products, where end-users cannot reach in and upgrade a single library.

Oberman, whose company previously found, disclosed and helped patch the far-reaching Ripple20 vulnerabilities, took the same approach this time around.

The JSOF executive said his company had worked with the Dnsmasq project authors and industry partners to make sure patches were available to device vendors in time for today's public disclosure.

“The disclosure process involved the creation of a designated security and engineering team representing Cisco, Google, Red-Hat, Pi-Hole, CERT/CC, Simon Kelley (Dnsmasq maintainer), and JSOF,” Oberman said.

“The team was looking at how to document the vulnerabilities, and how to communicate them, and also suggested several different patches. Now there are patches available under embargo, both as a new version and as backports,” he added.

CERT/CC and ICS-CERT also helped coordinate disclosure of the DNSpooq vulnerabilities to other vendors outside this group. While some vendors may be late in shipping patches, most have already been notified of the seven vulnerabilities and of the need to release patches for all affected products.


But for end-users, working out which vendors have shipped patches for DNSpooq may be impossible, even for those with advanced technical skills.

Tracking the CVE identifiers of the seven DNSpooq vulnerabilities through device firmware changelogs is complicated even for security professionals and software engineers, let alone the average Joe.

Oberman says these users can protect themselves from DNSpooq-vulnerable devices on their network in two ways.

“The best performance would be to use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT),” Oberman said.

“Another option would be to statically configure a trusted DNS server, like Cloudflare or Google DNS servers, so that DNS requests are not handled by the home router and go directly to the [remote] DNS server.”
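To make the two mitigations concrete, here is an added example (not code from the article or from JSOF) that audits a resolv.conf for nameservers on private LAN ranges, meaning resolution is being handled by a device such as the home router, and emits a systemd-resolved drop-in that pins public upstreams and enforces DNS-over-TLS. The resolv.conf contents and the upstream list are constructed samples; the `DNS=` and `DNSOverTLS=` keys and the `address#servername` syntax are real systemd-resolved options.

```python
import ipaddress
from typing import List

# Constructed sample inputs: a DHCP-assigned resolv.conf pointing at the
# router (typically a Dnsmasq forwarder) and one pinned to public resolvers.
ROUTER_RESOLV_CONF = "nameserver 192.168.1.1\nsearch lan\n"
STATIC_RESOLV_CONF = "nameserver 1.1.1.1\nnameserver 8.8.8.8\n"


def nameservers(resolv_conf: str) -> List[str]:
    """Return the addresses from every 'nameserver' line, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def lan_handled(resolv_conf: str) -> List[str]:
    """Nameservers on private or link-local ranges: DNS queries from this
    host are answered (and cached) by a LAN device such as the home router,
    which is exactly the path the article's mitigations bypass."""
    flagged = []
    for ns in nameservers(resolv_conf):
        try:
            ip = ipaddress.ip_address(ns)
        except ValueError:
            continue  # skip malformed entries rather than guessing
        if ip.is_private or ip.is_link_local:
            flagged.append(ns)
    return flagged


def resolved_dropin(upstreams: List[str]) -> str:
    """Build /etc/systemd/resolved.conf.d/*.conf text that pins trusted
    upstreams and requires DNS-over-TLS. Each upstream is 'ip#tls-hostname'
    so resolved validates the server certificate against that name."""
    for entry in upstreams:
        addr, _, host = entry.partition("#")
        ipaddress.ip_address(addr)  # raises ValueError on a bad address
        if not host:
            raise ValueError(f"upstream {entry!r} needs a '#hostname' for TLS")
    return "[Resolve]\nDNS=" + " ".join(upstreams) + "\nDNSOverTLS=yes\n"
```

Write the returned text to a file under `/etc/systemd/resolved.conf.d/` and restart systemd-resolved; `resolvectl status` should then show the pinned servers with DNSOverTLS=yes.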


DNSpooq is a set of vulnerabilities found in the open-source software dnsmasq, showing that DNS is still insecure.

Some of the DNSpooq vulnerabilities allow DNS cache poisoning, and others may permit remote code execution that could allow a takeover of many brands of home routers and other networking equipment; millions of devices are affected, and many of them are exposed to the Internet.
