DNSpooq - seven new vulnerabilities in dnsmasq

Experts from JSOF research labs have reported seven new vulnerabilities in the DNS/DHCP server dnsmasq. The dnsmasq server is very popular and is used by default in many Linux distributions, as well as in network equipment from Cisco, Ubiquiti and others. The DNSpooq vulnerabilities include DNS cache poisoning and remote code execution. The vulnerabilities are fixed in dnsmasq 2.83.

In 2008, the well-known security researcher Dan Kaminsky discovered and disclosed a fundamental flaw in the Internet's DNS system. Kaminsky showed that attackers could spoof domain addresses and steal data. This has since been known as the "Kaminsky Attack".

DNS has been considered an insecure protocol for decades, although it is supposed to guarantee a certain level of integrity. It is for this reason that it is still relied upon. At the same time, mechanisms were developed to improve the security of the original DNS protocol. These mechanisms include HTTPS, HSTS, DNSSEC and other initiatives. However, even with all these mechanisms in place, DNS hijacking is still a dangerous attack in 2021. Much of the Internet still relies on DNS the same way it did in 2008, and is susceptible to the same type of attack.

DNSpooq cache poisoning vulnerabilities:
CVE-2020-25686, CVE-2020-25684, CVE-2020-25685. These vulnerabilities are similar to the SAD DNS attack recently reported by researchers from the University of California and Tsinghua University. The SAD DNS and DNSpooq vulnerabilities can also be combined to make attacks easier. Additional attacks with unclear consequences have also been reported by joint efforts of universities (Poison Over Troubled Forwarders, etc.).
The vulnerabilities work by reducing entropy. Because a weak hash is used to identify DNS requests and requests are matched to responses imprecisely, entropy can be greatly reduced so that only ~19 bits need to be guessed, making cache poisoning feasible. The way dnsmasq processes CNAME records makes it possible to spoof a chain of CNAME records and effectively poison up to 9 DNS records at once.

Buffer overflow vulnerabilities: CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681. All 4 of these vulnerabilities are in the code of the DNSSEC implementation and manifest only when validation via DNSSEC is enabled in the settings.
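The two CVE groups above have different preconditions, so a host can be triaged from its version banner and configuration. The following is an added example, not code from the article or from dnsmasq; it assumes the `Dnsmasq version X.YY` banner printed by `dnsmasq --version` and the `dnssec` keyword in `dnsmasq.conf`, and the function names are hypothetical.

```python
import re

FIXED = (2, 83)  # first fixed dnsmasq release, per the article
CACHE_POISONING = ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"]
DNSSEC_OVERFLOWS = ["CVE-2020-25681", "CVE-2020-25682",
                    "CVE-2020-25683", "CVE-2020-25687"]


def parse_version(banner):
    """Return (major, minor, suffix) from `dnsmasq --version` output."""
    m = re.search(r"version\s+(\d+)\.(\d+)(\S*)", banner, re.IGNORECASE)
    if not m:
        raise ValueError("no dnsmasq version found in banner")
    return int(m.group(1)), int(m.group(2)), m.group(3)


def is_fixed(banner):
    major, minor, suffix = parse_version(banner)
    if (major, minor) == FIXED and suffix:
        # Assumption: a suffixed build such as "2.83rc1" is a pre-release
        # and is conservatively treated as unfixed.
        return False
    return (major, minor) >= FIXED


def dnssec_enabled(conf_text):
    """True if an uncommented `dnssec` line appears in dnsmasq.conf text."""
    for line in conf_text.splitlines():
        if line.split("#", 1)[0].strip() == "dnssec":
            return True
    return False


def triage(banner, conf_text):
    """List the DNSpooq CVE ids that still apply to this host."""
    if is_fixed(banner):
        return []
    exposed = list(CACHE_POISONING)
    if dnssec_enabled(conf_text):
        exposed += DNSSEC_OVERFLOWS  # reachable only with DNSSEC validation on
    return exposed


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    banner = "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley"
    conf = "domain-needed\n#dnssec is off here\ndnssec\n"
    for cve in triage(banner, conf):
        print(cve)
```

Distribution packages may carry backported fixes under an older version number, so an "exposed" result for a packaged build should be checked against the vendor's advisory. The check reads only the text it is given and does not see `--dnssec` passed on the command line or set in included configuration files.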

Source: linux.org.ru