Hickory DNS hickory-recursor Cross-Zone Poisoning Vulnerability
Vulnerability
A cross-zone poisoning vulnerability has been identified in Hickory DNS hickory-recursor versions 0.1 through 0.25.2. The issue arises because the record cache does not associate cached data with the specific query that triggered the response. Instead, records are stored based on their own attributes, allowing for the injection of false information from one zone into another. This can misdirect DNS queries to an attacker's nameserver, bypassing the legitimate one.
Impact
Exploitation of this vulnerability allows for cross-zone DNS poisoning, where cached records from one zone can incorrectly influence responses for another, potentially leading to misdirected DNS queries.
Reproduction
To reproduce this vulnerability, first configure a Hickory DNS resolver with the 'recursor' feature enabled. Then, set up a nameserver under the attacker's control that can respond with authoritative records for a sibling zone. When a query is made that triggers the caching of a response from the attacker's nameserver, the record can be poisoned. Subsequent queries to the affected zone will be routed to the attacker's nameserver instead of the legitimate one, demonstrating the cross-zone poisoning effect.
Remediation
Users should update to Hickory DNS resolver (hickory-resolver) version 0.26.0 or later, built with the 'recursor' feature enabled. The separate 'hickory-recursor' crate will not receive further updates, so all users of it should migrate to 'hickory-resolver'.
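The underlying defect is a cache that accepts records without checking them against the zone the answering server was delegated for. The following is an added illustration, not Hickory DNS code, of the bailiwick check a recursive cache should apply before storing response records; the `Record` type and the `filter_for_cache` function are assumptions for this example.

```rust
// Added example (not Hickory DNS code): a bailiwick check that a recursive
// resolver's cache applies before storing records from a response.
// A record is only accepted if its owner name is at or below the zone the
// responding nameserver was delegated for, so an answer from a server for
// "attacker.example" cannot plant records for the sibling "victim.example".

/// Split a DNS name into lower-cased labels, ignoring a trailing dot.
fn labels(name: &str) -> Vec<String> {
    name.trim_end_matches('.')
        .split('.')
        .filter(|l| !l.is_empty())
        .map(|l| l.to_ascii_lowercase())
        .collect()
}

/// True if `name` equals `zone` or is a subdomain of it. The comparison is
/// label-wise, not a string-suffix test: "evilexample.com" is not inside
/// "example.com".
pub fn in_bailiwick(name: &str, zone: &str) -> bool {
    let n = labels(name);
    let z = labels(zone);
    if z.is_empty() {
        return true; // the root zone contains every name
    }
    n.len() >= z.len() && n[n.len() - z.len()..] == z[..]
}

/// A response record as the cache sees it: owner name, type and data
/// (hypothetical simplified type for this example).
#[derive(Debug, Clone, PartialEq)]
pub struct Record { pub name: String, pub rtype: String, pub data: String }

/// Keep only the records that a response from a server delegated for `zone`
/// is allowed to add to the cache; out-of-bailiwick records are dropped.
pub fn filter_for_cache(zone: &str, records: &[Record]) -> Vec<Record> {
    records.iter().filter(|r| in_bailiwick(&r.name, zone)).cloned().collect()
}

fn main() {
    // Constructed sample response from a server delegated for "attacker.example".
    let resp = vec![
        Record { name: "www.attacker.example.".into(), rtype: "A".into(), data: "192.0.2.10".into() },
        Record { name: "victim.example.".into(), rtype: "NS".into(), data: "ns.attacker.example.".into() },
    ];
    let kept = filter_for_cache("attacker.example.", &resp);
    println!("{} of {} records accepted", kept.len(), resp.len()); // prints "1 of 2 records accepted"
}
```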
