[dnsdist] Vulnerability Disclosure: Critical Cache Poisoning in DNSDist (SHAR Attack)

Otto Moerbeek otto.moerbeek at powerdns.com
Wed Aug 20 08:02:34 UTC 2025


Additionally, https://www.rfc-editor.org/rfc/rfc8906.html explicitly states that DNS servers should answer requests and not drop them (the exceptions to this rule are very few). If anything, this so-called attack shows problems in upstream servers, not in dnsdist.

 -Otto

> On 20/08/2025 08:57 CEST Otto Moerbeek via dnsdist <dnsdist at mailman.powerdns.com> wrote:
>
>
> 1. This report is not following responsible disclosure in any way as it is sent to a public mailing list. We saw you also sent a similar report to other public mailing list. This is very bad practice.
>
> 2. We do not think the report has merit, read https://www.dnsdist.org/guides/downstreams.html#securing-the-path-to-the-backend for the reasons.
>
> Regards,
>
>  -Otto
>
> --
>
> kind regards,
> Otto Moerbeek
> Senior Developer PowerDNS