[dnsdist] Vulnerability Disclosure: Critical Cache Poisoning in DNSDist (SHAR Attack)

苗发生 mfs24 at mails.tsinghua.edu.cn
Tue Aug 19 16:23:01 UTC 2025


Dear DNSDist Security Team,

We are responsibly disclosing a critical DNS cache poisoning vulnerability in DNSDist (all versions), which we call the SHAR Attack.

Summary

Type: DNS Cache Poisoning (logic flaw)

Severity: Critical

Impact: Attackers can inject arbitrary malicious DNS records.

Exploit: Only a single crafted character is needed; no fragmentation or side-channel required.

Results: 20/20 experiments succeeded; average execution time < 1s.

Details

Certain special characters (~, !, *, _) cause upstream resolvers to remain silent.

DNSDist does not handle this condition and waits silently, allowing attackers to brute-force TxID + source port.

Predictable source port behavior enables near-instant cache poisoning.

This attack can amplify existing techniques (e.g., SADDNS, Tudoor).

Proof-of-Concept

Validated using a real domain; single crafted character successfully induced upstream silence and spoofed responses were injected with 100% success.

Recommendation

Improve source port randomization and TxID entropy.

Add spoof-prevention mechanisms.

Detect and mitigate upstream silence anomalies.

We can share the full technical report, PoC steps, and coordinated disclosure plan. Please advise a secure channel (encrypted email or bug bounty platform) for further details.

Best regards,
Fasheng Miao (Tsinghua University)
Xiang Li (AOSP Laboratory, Nankai University)
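The report's mechanism rests on two facts an operator can put numbers on: an off-path spoofer who knows the outbound source port only has to guess the 16-bit TxID, and an upstream that stays silent gives that spoofer a long window to do it. The script below is an added example, not code from the disclosure above and not dnsdist's own code. It computes the guess space and per-attempt success odds under predictable versus randomized ports, and runs a rough predictability check over (TxID, source port) pairs as one would extract them from a capture of dnsdist's upstream queries. The sample pairs, the function names and the heuristics are all constructed for this example; a real check would parse the pairs out of a pcap.

```python
"""Added example: spoofing guess space and a source-port predictability check.

Not part of the dnsdist project or of the disclosure. Sample data is constructed.
"""
from collections import Counter
import math

TXID_SPACE = 1 << 16   # DNS transaction ID is 16 bits
PORT_SPACE = 1 << 16   # upper bound; a real ephemeral range is smaller


def guess_space(port_predictable: bool, port_range: int = PORT_SPACE) -> int:
    """Combinations an off-path attacker must cover to hit the outstanding query.

    With a predictable source port only the TxID is unknown; otherwise the
    attacker must guess TxID and port together.
    """
    return TXID_SPACE if port_predictable else TXID_SPACE * port_range


def spoof_success_probability(spoofed_packets: int, space: int) -> float:
    """Chance that an attacker enumerating `space` without repeats lands a hit
    within `spoofed_packets` forged replies, assuming the resolver is still
    waiting (the 'silent upstream' window described in the report)."""
    return min(spoofed_packets, space) / space


def packets_for_probability(target: float, space: int) -> int:
    """Forged replies needed to reach `target` success probability."""
    return math.ceil(target * space)


def port_predictability(samples):
    """Heuristic check over observed (txid, source_port) pairs.

    Reports distinct ports, whether consecutive ports differ by a constant
    (fixed port: delta 0; counter: delta 1) and a Shannon entropy estimate.
    The entropy estimate is capped by log2(sample count), so it is only a
    lower bound on small captures; use thousands of queries in practice.
    """
    ports = [port for _, port in samples]
    n = len(ports)
    counts = Counter(ports)
    entropy_bits = -sum((c / n) * math.log2(c / n) for c in counts.values())
    deltas = {(b - a) & 0xFFFF for a, b in zip(ports, ports[1:])}
    return {
        "samples": n,
        "distinct_ports": len(counts),
        "sequential": len(deltas) == 1,   # every step identical
        "entropy_bits": entropy_bits,
    }


# Constructed samples (not real captures): (txid, source_port) per upstream query.
FIXED_PORT = [(0x1A2B, 53001), (0x7F10, 53001), (0x0C44, 53001), (0xE9D3, 53001)]
SEQUENTIAL_PORT = [(0x1A2B, 40000), (0x7F10, 40001), (0x0C44, 40002), (0xE9D3, 40003)]
RANDOM_PORT = [(0x1A2B, 51823), (0x7F10, 34510), (0x0C44, 61077), (0xE9D3, 44912)]


if __name__ == "__main__":
    for label, predictable in (("predictable port", True), ("random port", False)):
        space = guess_space(predictable)
        print(f"{label}: space={space}, "
              f"P(hit | 65536 packets)={spoof_success_probability(65536, space):.6f}, "
              f"packets for 50%={packets_for_probability(0.5, space)}")
    for label, samples in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL_PORT),
                           ("random", RANDOM_PORT)):
        print(label, port_predictability(samples))
```

The "sequential" flag and the distinct-port count are the cheap signals: a capture in which every upstream query leaves from the same port, or from ports that step by one, is exactly the case in which the guess space collapses to the TxID alone, and the silent-upstream window then turns a 65536-packet enumeration into a near-certain hit.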