CVE-2023-26249
📋 TL;DR
Knot Resolver before version 5.6.0 contains a resource consumption vulnerability: when an upstream DNS server accepts TCP connections but closes them without responding, the resolver keeps reconnecting, so a single client query can trigger up to 100 TCP connection attempts. An attacker who controls such a server (for example the authoritative server of a domain they own) can therefore amplify cheap queries into heavy connection churn on the resolver and on the target server, causing denial of service. Organizations running vulnerable versions of Knot Resolver as recursive resolvers are affected.
💻 Affected Systems
- Knot Resolver
📦 What is this software?
Knot Resolver (kresd) is a caching, DNSSEC-validating recursive DNS resolver developed by CZ.NIC. It is typically deployed as the resolver that clients on a network send their queries to, which is why exhausting it disrupts every service that depends on name resolution.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exhaust the resolver's connection, file descriptor and CPU capacity, causing complete DNS resolution failure and disrupting all dependent services; the upstream server on the receiving end of the connection storm is degraded as well.
Likely Case
Resource exhaustion leading to degraded DNS performance and potential service disruption for legitimate users.
If Mitigated
With proper network segmentation (only trusted clients can reach the resolver), query rate limiting and process resource limits, the impact is limited to temporary performance degradation.
🎯 Exploit Status
Exploitation requires the ability to send DNS queries to the vulnerable resolver plus a DNS server that accepts TCP connections and closes them without answering; an attacker can run such a server for a domain they control and then query the resolver for names in that domain. No authentication or special privileges are needed, so an open resolver is exposed to anyone on the Internet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.6.0
Vendor Advisory: https://www.knot-resolver.cz/2023-01-26-knot-resolver-5.6.0.html
Restart Required: Yes
Instructions:
1. Backup current configuration
2. Stop Knot Resolver service
3. Update to version 5.6.0 or later using package manager
4. Restart Knot Resolver service
5. Verify the service is running correctly. On packaged installs each resolver instance is a separate systemd unit (kresd@1.service, kresd@2.service, ...); restart every instance, because a process that is still running keeps executing the old code.
🔧 Temporary Workarounds
Vulnerable releases have no configuration option that caps outgoing TCP reconnection attempts, and TCP fallback cannot (and should not) be disabled, since truncated UDP answers must be retried over TCP. The practical workaround is to limit who can trigger the behaviour.
Restrict which clients the resolver answers
linux: add view rules to the kresd configuration (/etc/knot-resolver/kresd.conf on packaged installs) so that only trusted networks are served; 192.0.2.0/24 below is a placeholder for your client networks, and the rules are evaluated in the order listed
# Edit the kresd configuration and add:
# modules.load('view')
# view:addr('192.0.2.0/24', policy.all(policy.PASS))
# view:addr('0.0.0.0/0', policy.all(policy.REFUSE))
# view:addr('::/0', policy.all(policy.REFUSE))
Bind only to internal interfaces
linux: check that the net.listen() entries in the same file name only addresses reachable from trusted networks, so the resolver is not an open resolver
🧯 If You Can't Patch
- Implement network ACLs to restrict DNS queries to trusted sources only
- Deploy rate limiting at network perimeter to limit query volume from single sources
🔍 How to Verify
Check if Vulnerable:
Check Knot Resolver version and compare against 5.6.0
Check Version:
kresd --version
Verify Fix Applied:
Confirm that every running kresd instance reports 5.6.0 or later (restart all kresd@N.service units after upgrading, since a running process keeps the old code), then test resolution over TCP, e.g. with dig +tcp against the resolver, to confirm it still answers.
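The version check above, written out as an added example (not part of the Knot Resolver project or of this advisory): it parses the `kresd --version` output line, which has the form "Knot Resolver, version X.Y.Z", and compares the version component-wise against 5.6.0, so that 5.10.x is correctly treated as newer than 5.6.0 (a plain string comparison would get that wrong). The SAMPLE line is constructed for the example; on a real host feed it the live command output as shown in the comment.

```shell
#!/bin/sh
# Added example (not part of the Knot Resolver project): parse the output of
# `kresd --version`, which reads "Knot Resolver, version X.Y.Z", and decide
# whether the build predates the 5.6.0 fix for CVE-2023-26249.
# SAMPLE is a constructed line; on a real host call
#   is_vulnerable "$(kresd --version 2>&1)"
SAMPLE='Knot Resolver, version 5.5.3'

# Print the first dotted version number found in the given text.
kresd_version() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when version $1 is strictly lower than version $2, comparing each
# dot-separated component numerically (so 5.10.0 sorts after 5.6.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;   # versions are equal, so not lower
    }'
}

# Return 0 when the version string predates 5.6.0, 1 when it is fixed,
# and 2 when no version could be parsed from the input.
is_vulnerable() {
    v=$(kresd_version "$1")
    if [ -z "$v" ]; then
        echo "could not parse a version from: $1" >&2
        return 2
    fi
    version_lt "$v" 5.6.0
}

if is_vulnerable "$SAMPLE"; then
    echo "vulnerable: $(kresd_version "$SAMPLE") < 5.6.0 (CVE-2023-26249)"
else
    echo "not vulnerable to CVE-2023-26249"
fi
```

Run it on every host that runs kresd, not just one: with several kresd@N.service instances on a box, all of them share the same binary, but different hosts in a fleet are often on different package versions.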
📡 Detection & Monitoring
Log Indicators:
- Repeated connection or failure messages naming the same upstream address (note: at its default log level kresd does not log every outgoing TCP connection, so raise verbosity on a test instance before relying on log-based detection)
- Multiple connection failures to the same upstream server
- Resource exhaustion warnings (file descriptor or memory limits being hit)
Network Indicators:
- Spike in TCP SYN packets from the resolver towards a single upstream server, far exceeding the client query rate
- Unusual number of DNS queries from a single source, especially for names in one otherwise obscure zone
- Increased connection attempts to upstream DNS servers
SIEM Query (illustrative Splunk-style search; adapt the source name and message strings to what your log pipeline actually emits):
source="knot-resolver" ("TCP connection" OR "connection attempt") | stats count by host | where count > 100