DNSpooq vulnerabilities and Gargoyle
Posted: Mon Jan 25, 2021 10:52 pm
7 vulnerabilities have been disclosed regarding dnsmasq (the part of Gargoyle which provides DNS and DHCP services). Collectively these are known as DNSpooq.
The vulnerabilities likely affect all Gargoyle versions: 2 of them have real impact, and the remaining 5 affect only users who have custom configurations enabling DNSSEC features.
At this point in time, OpenWrt have not decided to backport the fixes to the 18.06 branch. This is the branch that Gargoyle 1.12.x is based on. Therefore, 1.12.x (and earlier) will not receive an update to fix this issue. It is recommended that you follow the Mitigation section below for these versions.
For 1.13.x (unreleased) or any builds based on the latest master branch of Gargoyle, a patch has been pulled in as of 26/01/2021. It is recommended that you upgrade to a new version when it becomes available, or build a new one yourself. If this is not something you are comfortable with, you can also follow the Mitigation section below.
Mitigation
If you cannot upgrade to a later version of dnsmasq, you can mitigate the vulnerabilities by running the following commands on the router.
Mitigation for DNS cache poisoning is disabling of caching:
    uci set dhcp.@dnsmasq[0].cachesize='0'
Mitigation for the DNSSEC vulnerabilities is disabling of the DNSSEC feature:
    uci set dhcp.@dnsmasq[0].dnssec='0'
It's also recommended to reduce the maximum number of queries allowed to be forwarded (default is 150):
    uci set dhcp.@dnsmasq[0].dnsforwardmax='50'
Then commit the changes and restart dnsmasq:
    uci commit dhcp && /etc/init.d/dnsmasq restart
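As an added example (not from the original post or the Gargoyle project), a small POSIX shell audit that reads saved `uci show dhcp` output and reports which of the three settings above is still at a vulnerable value, so you can confirm the mitigation actually took effect after the restart. It assumes a single dnsmasq section (@dnsmasq[0]) and dnsmasq's usual defaults for options that are absent; the sample configs are constructed.

```shell
#!/bin/sh
# Audit helper for the DNSpooq mitigations above (added example, not Gargoyle's
# own code). Reads saved `uci show dhcp` output and flags vulnerable values.
# Assumptions: one dnsmasq section (@dnsmasq[0]) and dnsmasq's usual defaults
# when an option is absent (cachesize 150, dnssec off, dnsforwardmax 150).

# Print the value of one @dnsmasq[0] option from uci lines on stdin (empty if unset).
uci_value() {
    sed -n "s/^dhcp\.@dnsmasq\[0\]\.$1='\(.*\)'\$/\1/p"
}

# dnspooq_check FILE : exit 0 when all three mitigations are applied, 1 otherwise.
dnspooq_check() {
    rc=0
    cachesize=$(uci_value cachesize < "$1");   : "${cachesize:=150}"
    dnssec=$(uci_value dnssec < "$1");         : "${dnssec:=0}"
    fwdmax=$(uci_value dnsforwardmax < "$1");  : "${fwdmax:=150}"
    if [ "$cachesize" != "0" ]; then
        echo "cachesize=$cachesize: DNS cache still enabled (cache poisoning)"; rc=1
    fi
    if [ "$dnssec" != "0" ]; then
        echo "dnssec=$dnssec: DNSSEC still enabled (DNSSEC validation bugs)"; rc=1
    fi
    if [ "$fwdmax" -gt 50 ]; then
        echo "dnsforwardmax=$fwdmax: more than 50 forwarded queries allowed"; rc=1
    fi
    return $rc
}

# Constructed sample: a stock dhcp config before any mitigation.
sample_unmitigated() {
    printf '%s\n' "dhcp.@dnsmasq[0]=dnsmasq" "dhcp.@dnsmasq[0].domainneeded='1'" \
        "dhcp.@dnsmasq[0].cachesize='150'" "dhcp.@dnsmasq[0].dnssec='1'"
}

# Constructed sample: the same config after the three uci set commands.
sample_mitigated() {
    printf '%s\n' "dhcp.@dnsmasq[0]=dnsmasq" "dhcp.@dnsmasq[0].domainneeded='1'" \
        "dhcp.@dnsmasq[0].cachesize='0'" "dhcp.@dnsmasq[0].dnssec='0'" \
        "dhcp.@dnsmasq[0].dnsforwardmax='50'"
}

# Demo on the constructed samples (on a router: uci show dhcp > /tmp/dhcp.txt).
tmp=$(mktemp)
sample_unmitigated > "$tmp"
dnspooq_check "$tmp" || echo "-> mitigations missing; run the uci commands above"
sample_mitigated > "$tmp"
dnspooq_check "$tmp" && echo "-> all DNSpooq mitigations present"
rm -f "$tmp"
```

On a real router, run it against `uci show dhcp` output captured after the restart; a non-zero exit means at least one of the three settings still needs attention.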