CVE-2026-42254
Received - Intake
Cross-Zone Poisoning in Hickory DNS Recursor

Publication date: 2026-04-26

Last updated on: 2026-04-26

Assigner: MITRE

Description
Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response.
Meta Information
Published: 2026-04-26
Last Modified: 2026-04-26
Generated: 2026-05-07
AI Q&A: 2026-04-26
EPSS Evaluated: 2026-05-05
Sources: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor        Product             Version / Range
hickory_dns   hickory_recursor    From 0.1 (inc) to 0.25.2 (inc)
hickory_dns   hickory_resolver    0.26.0
CWE
CWE-706: The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

The Hickory DNS hickory-recursor versions 0.1 through 0.25.2 have a vulnerability in their DNS record cache system. The cache stores DNS records based on each record's own name and type rather than the original DNS query that triggered the response. This causes improper handling of DNS response sections, allowing cached data from one DNS zone to be incorrectly associated with another.

Specifically, the cache merges ANSWER, AUTHORITY, and ADDITIONAL sections before insertion and applies a bailiwick filter that uses the zone context of the nameserver pool servicing the lookup, not the actual queried zone. This enables an attacker to poison the cache across zones by inserting malicious NS records for sibling zones, causing the cache to direct queries to attacker-controlled nameservers instead of legitimate ones.

As a result, DNS resolution for victim zones can be hijacked or disrupted, since legitimate nameservers receive no queries. This vulnerability is due to insufficient verification of data authenticity and incorrect resolution of names or references.


How can this vulnerability impact me?

This vulnerability can lead to DNS cache poisoning across zones, allowing attackers to redirect DNS queries for victim domains to malicious nameservers they control.

The impact includes potential DNS hijacking, where users trying to reach legitimate services are instead directed to attacker-controlled servers, enabling phishing, data interception, or malware distribution.

Additionally, it can cause denial of service by preventing legitimate nameservers from receiving queries, disrupting normal DNS resolution and service availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying whether your system is running a vulnerable version of Hickory DNS hickory-recursor (versions 0.1 through 0.25.2) and whether DNS cache poisoning is occurring due to improper cache association.

Since the vulnerability arises from the cache_response() function merging DNS response sections improperly, monitoring DNS queries and responses for suspicious or unexpected NS records in the AUTHORITY section that point to attacker-controlled nameservers for sibling zones can help detect exploitation.

Specific commands are not provided in the resources, but general approaches include:

  • Checking the version of hickory-recursor running on your system to confirm if it is within the vulnerable range.
  • Using DNS query tools (e.g., dig or nslookup) to manually query affected zones and inspect the AUTHORITY section for unexpected NS records.
  • Monitoring DNS cache entries or logs for suspicious entries that associate NS records with incorrect zones.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade from the vulnerable hickory-recursor versions (0.1 through 0.25.2) to hickory-resolver version 0.26.0 or later with the recursor feature enabled.

This upgrade addresses the vulnerability by redesigning the caching architecture to key responses by the originating query (name, type), preventing cross-zone cache poisoning.

Until the upgrade can be applied, consider monitoring DNS traffic closely for signs of cache poisoning and restricting access to the DNS recursor to trusted clients to reduce exposure.
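The two behaviours discussed above, the bailiwick filter judged against the nameserver pool's zone versus the queried name, and the cache keyed by the originating (query name, type), as an added illustration that is not Hickory DNS's own code. The `NsRecord` type, the `*_accepts` helpers and the sample names are assumptions; the weak check appears only to contrast with the corrected one.

```rust
// Added illustration, not Hickory DNS code: a bailiwick filter judged against
// the queried name, and a cache keyed by the originating (query name, type).
use std::collections::HashMap;

/// Lower-cased labels, root first: "www.example." -> ["example", "www"].
fn labels(name: &str) -> Vec<String> {
    name.trim_end_matches('.')
        .split('.')
        .filter(|l| !l.is_empty())
        .rev()
        .map(|l| l.to_ascii_lowercase())
        .collect()
}

/// True when `owner` equals `zone` or lies below it (inside its bailiwick).
pub fn in_bailiwick(owner: &str, zone: &str) -> bool {
    let (o, z) = (labels(owner), labels(zone));
    o.len() >= z.len() && o[..z.len()] == z[..]
}

/// The weak check the description attributes to the old code: an AUTHORITY NS
/// record is accepted whenever it sits under the nameserver pool's zone, so a
/// sibling zone's NS record passes too.
pub fn pool_zone_accepts(pool_zone: &str, ns_owner: &str) -> bool {
    in_bailiwick(ns_owner, pool_zone)
}

/// Corrected check: the delegated zone must also contain the name that was
/// actually queried, so only a referral on the path to `qname` is cached.
pub fn query_zone_accepts(qname: &str, pool_zone: &str, ns_owner: &str) -> bool {
    in_bailiwick(ns_owner, pool_zone) && in_bailiwick(qname, ns_owner)
}

#[derive(Clone, Debug, PartialEq)]
pub struct NsRecord { pub owner: String, pub nsdname: String }

/// Cache keyed by the originating query, not by each record's own name.
pub type Cache = HashMap<(String, String), Vec<NsRecord>>;

/// Store a referral under (qname, qtype); returns how many NS records were rejected.
pub fn cache_referral(cache: &mut Cache, qname: &str, qtype: &str,
                      pool_zone: &str, authority: &[NsRecord]) -> usize {
    let (kept, dropped): (Vec<_>, Vec<_>) = authority.iter()
        .partition(|r| query_zone_accepts(qname, pool_zone, &r.owner));
    cache.insert((qname.to_ascii_lowercase(), qtype.to_ascii_uppercase()),
                 kept.into_iter().cloned().collect());
    dropped.len()
}
```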


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
