Glibc exploits? ...dnsmasq "could" help.

Talk here about security in general. Posting illegals software is prohibited. All stuffs in this forum must be considered as for "Educational purpose only".
Post Reply

Glibc exploits? ...dnsmasq "could" help.

Post#1 by fullmoonremix » 06 Jul 2016, 09:14

- ... d-to-know/

Our suggested mitigation is to limit the response (i.e., via Dnsmasq or similar programs)
- ... ulnerable/

Meanwhile, Glibc maintainers provided the following additional mitigation details:

Mitigating factors for UDP include:
- A firewall that drops UDP DNS packets > 512 bytes.
- A local resolver (that drops non-compliant responses).
- Avoid dual A and AAAA queries (avoids buffer management error) e.g.
Do not use AF_UNSPEC.
- No use of `options edns0` in /etc/resolv.conf since EDNS0 allows
responses larger than 512 bytes and can lead to valid DNS responses
that overflow.
- No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both
lead to valid large EDNS0-based DNS responses that can overflow.

Mitigating factors for TCP include:
- Limit all replies to 1024 bytes.
An alternative like Musl "could" also help.
One Linux-based package that's not vulnerable is Google's Android mobile operating system. It uses a glibc substitute known as Bionic and isn't susceptible, a company representative said.
(see also... )


Preface... :(
A Contingency plan is a plan devised for an outcome other than in the usual (expected) plan.

Posted by via
This is added while posting a message to avoid misusing the service

User avatar
Posts: 478
Joined: 21 Apr 2017, 15:59
Distribution: fullmoonremix

Glibc exploits? ...dnsmasq "could" help.

Post#2 by n0ctilucient » 17 Nov 2017, 16:50

BIND can also be used to mitigate glibc compromises.

If using DNSSEC a "trust anchor" is required...
:hmmm: I do NOT have the "right" to tell anyone what they should do...
but I reserve the "right" to tell them what they should "consider".

Post Reply