
DNS cache poison of DNSSEC?

Open PeterDaveHello opened this issue 3 years ago • 0 comments

Prerequisites

  • [X] I have checked the Wiki and Discussions and found no answer

  • [X] I have searched other issues and found no duplicates

  • [X] I want to report a bug and not ask a question

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

AMD64

Installation

Docker

Setup

On one machine

AdGuard Home version

v0.107.12

Description

What did you do?

Use dig to query sigfail.verteiltesysteme.net with and without the +cd flag (which sets the CD (checking disabled) bit in the query) to ask, or not ask, the resolver to bypass the DNSSEC check.

Expected result

Without the +cd flag, we shouldn't receive the IP address, only SERVFAIL.

Actual result

Once we used the +cd flag to query the record, the result was successful and cached, but the following query to the same record without the +cd flag also got the same result.

Additional information

/opt/adguardhome/work $ dig +short sigfail.verteiltesysteme.net @127.0.0.1
/opt/adguardhome/work $ dig +cd +short sigfail.verteiltesysteme.net @127.0.0.1
134.91.78.139
/opt/adguardhome/work $ dig +short sigfail.verteiltesysteme.net @127.0.0.1
134.91.78.139

PeterDaveHello avatar Sep 22 '22 10:09 PeterDaveHello
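The behaviour reported above is what happens when a resolver's answer cache is keyed only by name and type: an answer fetched on behalf of a CD=1 client (validation skipped) is later served to a CD=0 client that expected validation. RFC 4035, Section 4.7 only permits such unvalidated data to be returned to clients that themselves set CD. The program below is an added illustration, not AdGuard Home's code; it uses a constructed "sigfail.example.test." name and RFC 5737 documentation addresses, and a simulated upstream that returns SERVFAIL for that name unless CD is set. It replays the three-query sequence from the report against a naive cache and against a cache whose key includes the CD bit.

```go
package main

import (
	"fmt"
	"strings"
)

// Query is the subset of a DNS query that matters for cache keying here.
type Query struct {
	Name string
	Type string
	CD   bool // client set the CD (checking disabled) bit
}

// Response is a simplified DNS response.
type Response struct {
	Rcode  string   // "NOERROR" or "SERVFAIL"
	Answer []string // resolved addresses, empty on SERVFAIL
}

// bogusZone is a constructed sample: a name whose DNSSEC signature does not
// validate (stand-in for sigfail.verteiltesysteme.net), RFC 5737 address.
var bogusZone = map[string]string{
	"sigfail.example.test.": "192.0.2.10",
}

// upstream simulates a validating recursive resolver. A name that fails
// validation gets SERVFAIL unless the query carries CD, in which case
// validation is skipped and the unvalidated answer is handed back.
func upstream(q Query) Response {
	addr, bogus := bogusZone[strings.ToLower(q.Name)]
	if !bogus {
		return Response{Rcode: "NOERROR", Answer: []string{"192.0.2.1"}}
	}
	if q.CD {
		return Response{Rcode: "NOERROR", Answer: []string{addr}}
	}
	return Response{Rcode: "SERVFAIL"}
}

// KeyFunc derives the cache key from a query.
type KeyFunc func(Query) string

// NaiveKey ignores CD, so an answer fetched with CD=1 is reused for CD=0 clients.
func NaiveKey(q Query) string { return strings.ToLower(q.Name) + "/" + q.Type }

// CDAwareKey keeps CD=1 answers in a separate namespace, so they are only
// served back to clients that themselves asked to skip validation.
func CDAwareKey(q Query) string {
	return fmt.Sprintf("%s/%s/cd=%t", strings.ToLower(q.Name), q.Type, q.CD)
}

// Cache is a minimal answer cache in front of upstream.
type Cache struct {
	key     KeyFunc
	entries map[string]Response
}

func NewCache(key KeyFunc) *Cache {
	return &Cache{key: key, entries: make(map[string]Response)}
}

// Resolve serves from cache when possible, otherwise asks upstream and stores
// only successful answers (SERVFAIL is deliberately not cached here).
func (c *Cache) Resolve(q Query) (Response, bool) {
	k := c.key(q)
	if r, ok := c.entries[k]; ok {
		return r, true
	}
	r := upstream(q)
	if r.Rcode == "NOERROR" {
		c.entries[k] = r
	}
	return r, false
}

// Scenario replays the dig sequence from the report (CD=0, CD=1, CD=0) and
// returns the rcode each query received.
func Scenario(key KeyFunc) []string {
	c := NewCache(key)
	seq := []Query{
		{Name: "sigfail.example.test.", Type: "A", CD: false},
		{Name: "sigfail.example.test.", Type: "A", CD: true},
		{Name: "sigfail.example.test.", Type: "A", CD: false},
	}
	out := make([]string, 0, len(seq))
	for _, q := range seq {
		r, hit := c.Resolve(q)
		fmt.Printf("cd=%-5t hit=%-5t rcode=%-8s answer=%v\n", q.CD, hit, r.Rcode, r.Answer)
		out = append(out, r.Rcode)
	}
	return out
}

func main() {
	fmt.Println("naive cache key (CD ignored):")
	Scenario(NaiveKey)
	fmt.Println("CD-aware cache key:")
	Scenario(CDAwareKey)
}
```

With the naive key the third query is a cache hit and returns NOERROR with the address, which is exactly the sequence in the dig transcript; with the CD-aware key it goes to upstream again and gets SERVFAIL. The same three-command dig sequence from the report is a quick check a resolver operator can run against their own deployment to confirm whether CD-fetched answers leak to validating clients.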