CVE-2021-3448

A flaw was found in dnsmasq. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. This flaw makes a DNS Cache Poisoning attack much easier. The highest threat from this vulnerability is to data integrity.

Mitigation

The flaw can be prevented by removing --server=<address>@<interface> option or by removing the directive server=<address>@<interface>. If dnsmasq is being run through NetworkManager, please be aware that NetworkManager automatically configures dnsmasq to use the server=<address>@<interface> directive, thus in this case the only way to prevent the flaw is to remove dns=dnsmasq from /etc/NetworkManager/NetworkManager.conf file.

If the server=<address>@<interface> must be kept active, the impact of this flaw can be reduced by disabling the dnsmasq cache by adding --cache-size=0 when calling dnsmasq or by adding a line with cache-size=0 to the dnsmasq configuration file (/etc/dnsmasq.conf by default). If dnsmasq is being run through NetworkManager, create a new file in /etc/NetworkManager/dnsmasq.d/ and add cache-size=0 to it.

By disabling the cache, you may experience a performance loss in your environment due to all DNS queries being forwarded to the upstream servers. Please evaluate if the mitigation is appropriate for the system’s environment before applying.