Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 13 Aug 2022 16:58:57 -0700
From: "Philipp Jeitner (SIT)" <>
To: <>
Subject: Multiple DNS Cache poisoning vulnerabilities in dnrd DNS forwarder
 (CVE-2022-33993, CVE-2022-33992)

We hereby disclose the discovery of multiple DNS Cache poisoning 
vulnerabilities in the dnrd DNS forwarder. dnrd is a caching DNS 
forwarder/proxy which is unmaintained since about 2007, yet it is still 
used in some residential router firmwares. Because the project is 
unmaintained, there are no patches available for the described issues.

Our findings are published in our 2022 paper "XDRI Attacks - and - How 
to Enhance Resilience of Residential Routers" in August 2022.


Philipp Jeitner, Lucas Teichmann and Haya Shulman
Fraunhofer SIT


  - dnrd:
  - paper website:
  - paper presentation:

CVE-2022-33993: Misinterpretation of special characters in domain names 
leading to cache-poisoning

Misinterpretation of special domain name characters in dnrd leads to 
cache-poisoning as domain names and their associated IP addresses are 
cached in their misinterpreted form.

## Summary

Attacker can poison the DNS cache of the vulnerable router/forwarder by 
triggering queries to attacker controlled domain names whose queries 
and/or answers contain special characters (zero-byte or period sign). 
These characters are misinterpreted by the vulnerable router/forwarder 
so that the attacker can provide addresses for domain names he does not own.

## Impact

Attackers who control a script or web-site which is loaded on a client 
of the vulnerable router/forwarder can hijack connections by poisoning 
the DNS cache.

## Steps to reproduce

To reproduce, connect a computer to the router and follow the Steps at or use our downloadable test-tool at (NOT the online test).

## Detailed description and publication timeline

A detailed description of this attack is included in our 2021 USENIX 
security paper "Injection Attacks Reloaded: Tunnelling Malicious 
Payloads over DNS", see Section 3.2. We conducted further research and 
found that these attacks apply to various router models.

CVE-2022-33992: Disabling of DNSSEC protection provided by upstream 

dnrd forwards and caches DNS queries with checking disabled (CD) bit set 
to 1 which leads to disabling of DNSSEC protection provided by upstream 

## Summary

The router/forwarder forwards DNS queries with the checking disabled 
(CD) bit set to 1 to upstream resolvers and caches the responses 
provided by the upstream resolver. The cached answers are then sent to 
other clients even when they do set the checking disabled (CD) bit to 0.

## Impact

Attackers which can send DNS queries directly to the vulnerable 
router/forwarder can disable DNSSEC protection on the upstream resolver 
by sending queries with the checking disabled (CD) bit set to 1. When 
the attacker is able to inject DNS responses via another method (e.g. 
MitM attacks, BGP hijacking), this allows attacker to hijack connections 
from clients of the vulnerable router/forwarder, as DNSSEC protection is 
not guaranteed anymore.

## Steps to reproduce

Connect a computer to the vulnerable router/forwarder and trigger the 
following DNS queries via `dig`:

     $ dig +cdflag @router/forwarder-ip
     (should always return

     $ dig +short @router/forwarder-ip
     (returns if vulnerable, should return nothing)

Note: you can replace `` with any other 
domain with broken DNSSEC, such as ``, only the 
addresses will be different.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.