Dnsmasq, used in only a million or more internet-facing devices globally, patches not-so-secret seven spoofing, hijacking flaws

Seven vulnerabilities have been found in a popular DNS caching proxy and DHCP server known as dnsmasq, raising the possibility of widespread online attacks on networking devices. The flaws, collectively dubbed DNSpooq, were revealed on Tuesday by Israel-based security firm JSOF at the conclusion of a five-month coordinated …

  1. stiine Silver badge

    "There are defenses for these kinds of DNS spoofing attacks, such as using HTTPS and SSH."

    Not exactly. Using HTTPS with HSTS headers enabled will, but only for users who've already been to your site; HTTPS out of the box won't. SSH will only catch it if you aren't ignoring mismatched host keys.

  2. RM Myers

    "...researchers aren't sure how or when affected vendors will respond"

    Given past history for updating old Android phones and old routers, the "when" in many cases will probably be never. This is really ugly; even my old NAS box, which is no longer getting updates, is affected. I don't open it to the internet, but I suspect many do.

    1. A.P. Veening Silver badge

      Re: "...researchers aren't sure how or when affected vendors will respond"

      On the other hand, Pi-Hole is already updated.

      1. regadpellagru

        Re: "...researchers aren't sure how or when affected vendors will respond"

        "On the other hand, Pi-Hole is already updated."

        Same with openwrt. Just updated :)

    2. Anonymous Coward

      Re: "...researchers aren't sure how or when affected vendors will respond"

      Android doesn't use dnsmasq. It uses its own caching resolver code. This has always been the case.

      1. Anonymous Coward

        Re: "...researchers aren't sure how or when affected vendors will respond"

        You might want to tell JSOF, the people who disclosed the bug. You might also tell Google, since two of their employees were thanked for "Disclosure coordination and vulnerability communication" by JSOF.

  3. brotherelf

    We see the Golden Stream decision is having an effect.

    "Red Hat […] and major Linux distributions." Bwahahaha.

  4. tip pc Silver badge

    yet another reminder for me to fix my dockered Pi-Holes

    Long story but my home setup needs 2 Pi-Holes

    DNS does this Pi-Hole -> Clear OS -> Pi-Hole -> DoH proxy

    My Pi-Holes run in docker with another container that keeps everything up to date.

    Every time there is a new Pi-Hole they get updated and lose their config, meaning I lose internet as Pi-Hole defaults to Google DNS.

    Once they are updated, I can apply the config and reload the Pi-Holes while retaining the config.

    Normally I think I'll sort that tomorrow, and a few months later get a reminder.

    I've had at least 3 reminders since Christmas!!

    1. A.P. Veening Silver badge

      Re: yet another reminder for me to fix my dockered Pi-Holes

      Do the configuration in the command with which you install Pi-Hole, or use Docker-compose. My Pi-Holes get updated automatically as well, but I don't have any problems.
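
      A Docker Compose layout of the kind this reply suggests, as an added example that is not from the thread or from the Pi-hole project itself: the image name, the two volume paths and the environment variables are assumed from the pihole/pihole image's documentation, and the upstream addresses are placeholders to be replaced with the next hop in your own chain (the Clear OS box in the setup above).

```yaml
# Added example (not from the thread): Pi-hole in Docker with its
# configuration bind-mounted from the host, so pulling a new image
# does not reset it. Names and paths are assumed from the pihole/pihole
# image docs; upstream addresses are placeholders.
version: "3"
services:
  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
    environment:
      TZ: "Europe/London"
      # Upstream resolvers set explicitly, so a wiped container never
      # silently falls back to the image default. Replace with the
      # address of the next hop in your chain.
      PIHOLE_DNS_: "192.0.2.53;192.0.2.54"
      WEBPASSWORD: "change-me"
    volumes:
      # These bind mounts hold gravity, adlists and the dnsmasq
      # config; while they persist, "docker-compose pull" followed by
      # "docker-compose up -d" keeps the settings across updates.
      - ./etc-pihole:/etc/pihole
      - ./etc-dnsmasq.d:/etc/dnsmasq.d
    restart: unless-stopped
```

      With the state kept in ./etc-pihole and ./etc-dnsmasq.d on the host, an update only replaces the container, not the configuration, which is the difference between this layout and a plain docker run that keeps its config inside the container.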

  5. bombastic bob Silver badge

    this makes a case for using 'bind'

    I've never had a problem setting up or using bind to serve up any kind of serious DNS stuff, like a local LAN or a private domain name.

    The only thing I've ever used dnsmasq for was a simple DNS+DHCP solution for a user to configure networking on a standalone embedded device via a phone or PC with a wifi connection. And since dnsmasq allows you to specify a single hard-coded name to connect to, you could set up the embedded device so that you press "the button" on the device for "config mode", use a phone to access it via wifi, then go to the web page "http://admin" (or whatever) and get a web page to configure it with, and have dnsmasq also provide the DHCP address for the connected device, etc. Simple stuff like that seems to make sense with dnsmasq, and you have to press the right buttons on the device to make it go into config mode like that [after which the device would have its wifi client set up and would go off and connect through the LAN and use the LAN's DNS and DHCP, etc. and not its own]. So dnsmasq is never facing a public internet with this particular use.

    Trying to use something like dnsmasq to do anything MORE than "what I described" might be the actual problem...

    (for my own network I've been using bind and the isc DHCP server for both IPv4 and IPv6, no observed problems, and the bind server also handles DNS for a domain I own, and I've been doing this for almost 2 decades, though a bit less for the IPv6 part)

  6. Anonymous Coward

    Libvirt uses dnsmasq

    I don't really know what the implications of that are. I just woke up. It is just that nobody mentioned libvirt yet.

  7. DS999 Silver badge

    This is not really that big of a deal

    I'll bet almost no one uses dnsmasq on "internet facing devices". They use it for internal DNS, like the DNS caching server running on my DD-WRT router. The only way anyone can utilize these holes is if they are already inside the network being served by dnsmasq. You're already screwed at that point anyway, as even if dnsmasq is patched there are always holes in Windows, Linux, and the ever growing plague of IoT devices they can utilize.

  8. DaemonProcess

    I always hated dnsmasq. Many distros sadly liked it because of its ready-for-systemd packaging. Stick with named.