<style class="ke-style">
[list-style-type] {padding-left:20px;list-style-position:inside}
[list-style-type] li {margin:0}
[list-style-type] li:before, span.ke-list-item-matter {font-family:"sans serif",tahoma,verdana,helvetica}
[list-style-type] li p,[list-style-type] li h1,[list-style-type] li h2,[list-style-type] li h3,[list-style-type] li h4,[list-style-type] li h5,[list-style-type] li div,[list-style-type] li blockquote{display:inline;word-break:break-all}
[list-style-type] li table {display:inline-block;vertical-align:top}
p{margin:0}
td {word-break: break-word}
.default-font-1755620550273{
font-size:14px;
}
</style><div class="default-font-1755620550273" dir="ltr"><p data-start="142" data-end="171">Dear DNSDist Security Team,</p>
<p data-start="173" data-end="311">We are responsibly disclosing a critical DNS cache poisoning vulnerability in DNSDist (all versions), which we call the <strong data-start="293" data-end="308">SHAR Attack</strong>.</p>
<p data-start="313" data-end="326"><strong data-start="313" data-end="324">Summary</strong></p>
<ul data-start="327" data-end="648">
<li data-start="327" data-end="373"><p data-start="329" data-end="373"><strong data-start="329" data-end="338">Type:</strong> DNS Cache Poisoning (logic flaw)</p></li>
<li data-start="374" data-end="400"><p data-start="376" data-end="400"><strong data-start="376" data-end="389">Severity:</strong> Critical</p></li>
<li data-start="401" data-end="470"><p data-start="403" data-end="470"><strong data-start="403" data-end="414">Impact:</strong> Attackers can inject arbitrary malicious DNS records.</p></li>
<li data-start="471" data-end="573"><p data-start="473" data-end="573"><strong data-start="473" data-end="485">Exploit:</strong> Only a single crafted character is needed; no fragmentation or side-channel required.</p></li>
<li data-start="574" data-end="648"><p data-start="576" data-end="648"><strong data-start="576" data-end="588">Results:</strong> 20/20 experiments succeeded; average execution time &lt; 1s.</p></li>
</ul>
<p data-start="650" data-end="663"><strong data-start="650" data-end="661">Details</strong></p>
<ul data-start="664" data-end="1014">
<li data-start="664" data-end="750"><p data-start="666" data-end="750">Certain special characters (~, !, *, _) cause upstream resolvers to remain silent.</p></li>
<li data-start="751" data-end="867"><p data-start="753" data-end="867">DNSDist does not handle this condition and waits silently, allowing attackers to brute-force TxID + source port.</p></li>
<li data-start="868" data-end="942"><p data-start="870" data-end="942">Predictable source port behavior enables near-instant cache poisoning.</p></li>
<li data-start="943" data-end="1014"><p data-start="945" data-end="1014">This attack can amplify existing techniques (e.g., SADDNS, Tudoor).</p></li>
</ul>
<p data-start="1016" data-end="1038"><strong data-start="1016" data-end="1036">Proof-of-Concept</strong></p>
<ul data-start="1039" data-end="1191">
<li data-start="1039" data-end="1191"><p data-start="1041" data-end="1191">Validated using a real domain; a single crafted character successfully induced upstream silence, and spoofed responses were injected with 100% success.</p></li>
</ul>
<p data-start="1193" data-end="1213"><strong data-start="1193" data-end="1211">Recommendation</strong></p>
<ul data-start="1214" data-end="1358">
<li data-start="1214" data-end="1269"><p data-start="1216" data-end="1269">Improve source port randomization and TxID entropy.</p></li>
<li data-start="1270" data-end="1306"><p data-start="1272" data-end="1306">Add spoof-prevention mechanisms.</p></li>
<li data-start="1307" data-end="1358"><p data-start="1309" data-end="1358">Detect and mitigate upstream silence anomalies.</p></li>
</ul>
<p data-start="1360" data-end="1538">We can share the full technical report, PoC steps, and coordinated disclosure plan. Please advise a secure channel (encrypted email or bug bounty platform) for further details.</p>
<p data-start="1540" data-end="1640">Best regards,<br data-start="1553" data-end="1556">
Fasheng Miao (Tsinghua University)<br data-start="1590" data-end="1593">
Xiang Li (AOSP Laboratory, Nankai University)</p></div>
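A defender-side monitor for the two symptoms the report describes at a forwarder, a forwarded query whose upstream stays silent and a burst of responses that match no open TxID/port pair, as an added example that is not part of the report and not DNSDist code. It assumes a constructed event log of outbound queries and inbound responses rather than any real DNSDist log format, and the two-second silence threshold is an assumption.

```python
# Added example (not the reporters' PoC, not DNSDist code): flag unanswered
# upstream queries and responses that match no open (TxID, port) pair.
from collections import defaultdict
from dataclasses import dataclass

SILENT_CHARS = set("~!*_")  # characters the report says leave the upstream silent
SILENCE_TIMEOUT = 2.0       # seconds without an answer before a query is flagged (assumed)

@dataclass
class Event:
    t: float     # seconds since start of the capture
    kind: str    # "query": forwarder -> upstream; "response": arrived at the forwarder
    qname: str
    txid: int
    port: int    # forwarder's source port (query) / destination port (response)

def analyze(events, now):
    outstanding = {}                # (txid, port) -> query Event still awaiting an answer
    unsolicited = defaultdict(int)  # qname -> responses that matched no open query
    for ev in sorted(events, key=lambda e: e.t):
        key = (ev.txid, ev.port)
        if ev.kind == "query":
            outstanding[key] = ev
        elif key in outstanding and outstanding[key].qname == ev.qname:
            del outstanding[key]    # genuine answer: TxID, port and qname all match
        else:
            unsolicited[ev.qname] += 1  # nothing open for this TxID/port: a blind guess
    findings = []
    for (txid, port), q in outstanding.items():
        if now - q.t >= SILENCE_TIMEOUT:
            has_silent_char = bool(SILENT_CHARS & set(q.qname))
            findings.append(("silent_upstream", q.qname, txid, port, has_silent_char))
    for qname, n in unsolicited.items():
        findings.append(("unsolicited_responses", qname, n))
    return findings

# Constructed sample, not captured traffic: one normal exchange, then a query carrying
# one of the report's special characters that stays unanswered while guessed responses arrive.
SAMPLE_EVENTS = [
    Event(0.0, "query", "www.example.com.", 0x1A2B, 40001),
    Event(0.1, "response", "www.example.com.", 0x1A2B, 40001),
    Event(1.0, "query", "~probe.example.com.", 0x3C4D, 40002),
    Event(1.2, "response", "~probe.example.com.", 0x0001, 40002),
    Event(1.3, "response", "~probe.example.com.", 0x0002, 40002),
    Event(1.4, "response", "~probe.example.com.", 0x0003, 40002),
]

def demo():
    return analyze(SAMPLE_EVENTS, now=5.0)
```

A forwarder that tracks its open queries this way can raise an alert when unsolicited responses pile up on one port, which is the traffic shape a TxID/port brute force produces regardless of whether the upstream ever answers.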