Adguardhome: Do not reply to DNS responses

Created on 20 May 2020 · 2 Comments · Source: AdguardTeam/AdGuardHome

Nessus network scanner:

Description
The remote DNS server is vulnerable to a denial of service attack because it replies to DNS responses.

An attacker could exploit this vulnerability by spoofing a DNS packet so that it appears to come from 127.0.0.1 and make the remote DNS server enter into an infinite loop, therefore denying service to legitimate users.

Solution
Contact the vendor for an appropriate upgrade.

See Also
http://www.nessus.org/u?a04dcb96

Open VAS (Greenbone)

Summary
Multiple DNS vendors are reported susceptible to a denial of service
vulnerability (Axis Communication, dnrd, Don Moore, Posadis).

Insight
This vulnerability results in vulnerable DNS servers entering into an infinite
query and response message loop, leading to the consumption of network and
CPU resources, and denying DNS service to legitimate users.

Impact
An attacker may exploit this flaw by finding two vulnerable servers and
setting up a 'ping-pong' attack between the two hosts.

References
CVE
CVE-2004-0789
BID
11642
Other
https://web.archive.org/web/20041112055702/http://www.uniras.gov.uk/vuls/2004/758884/index.htm

Medium bug

All 2 comments

The remote DNS server is vulnerable to a denial of service attack because it replies to DNS responses.

Lol :) edit: sorry, my bad, I read "responses" as "requests".

Please read more about DNS amplification here:
https://www.us-cert.gov/ncas/alerts/TA13-088A

If you're running a public DNS resolver with AdGuard Home, here's what you can do:

  1. Set a rate limit (AGH comes with 20rps by default, and IMO, it's enough).
  2. Use DNS access settings in AGH to limit what clients can access the server. Alternatively, examine the query logs from time to time and block unknown clients.

Ah, wait, not lol at all!

Replying to DNS responses is a legit issue and we must resolve this.
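The fix the scanners are asking for is a header check before any packet is handed to the resolver: a DNS message whose QR bit (bit 15 of the flags word) is set is a response, and a server must drop it rather than answer it, otherwise a spoofed response from 127.0.0.1 or a second server starts the query/response loop described above. The following Go program is an added example written for this thread, not AdGuard Home's own code; the function names and the two sample packets are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// A DNS header is 12 bytes: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2).
const dnsHeaderLen = 12

// qrMask selects the QR bit of the flags word: 0 = query, 1 = response (RFC 1035 §4.1.1).
const qrMask = 0x8000

var (
	ErrShort    = errors.New("packet shorter than a DNS header")
	ErrResponse = errors.New("packet is a DNS response, not a query; dropped to avoid a reply loop")
)

// ShouldAnswer decides whether an inbound UDP payload may be passed to the resolver.
// It returns nil only for a query (QR=0). A response (QR=1) is rejected before any
// work is done, so a spoofed response cannot make the server answer a non-query.
func ShouldAnswer(pkt []byte) error {
	if len(pkt) < dnsHeaderLen {
		return ErrShort
	}
	flags := binary.BigEndian.Uint16(pkt[2:4])
	if flags&qrMask != 0 {
		return ErrResponse
	}
	return nil
}

// Triage applies ShouldAnswer to a batch of packets and counts the outcome,
// the way a listener loop would before dispatching queries.
func Triage(pkts [][]byte) (answered, dropped int) {
	for _, p := range pkts {
		if ShouldAnswer(p) == nil {
			answered++
		} else {
			dropped++
		}
	}
	return answered, dropped
}

// QueryPacket is a constructed standard query: ID 0x1234, flags 0x0100 (RD set, QR clear),
// one question for example.com A IN.
var QueryPacket = []byte{
	0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
	0x00, 0x01, 0x00, 0x01,
}

// ResponsePacket is the same message with flags 0x8180 (QR set, RD, RA): what a spoofed
// "answer" aimed at the server's own port would look like.
var ResponsePacket = []byte{
	0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
	7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
	0x00, 0x01, 0x00, 0x01,
}

func main() {
	for name, p := range map[string][]byte{"query": QueryPacket, "response": ResponsePacket, "runt": {0x12}} {
		if err := ShouldAnswer(p); err != nil {
			fmt.Printf("%-8s drop: %v\n", name, err)
		} else {
			fmt.Printf("%-8s answer\n", name)
		}
	}
}
```

The check costs one 16-bit load per packet and sits in front of the rate limiter and access list mentioned earlier in the thread; those two controls still matter for amplification, but neither of them stops a server from replying to a response, which is the specific finding here.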
