CVE-2022-34294
Description
totd 1.5.3 uses a fixed UDP source port in upstream queries sent to DNS resolvers. This allows DNS cache poisoning because there is not enough entropy to prevent traffic injection attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- totd/totd
Patches
Vulnerability mechanics
Root cause
"totd uses a fixed UDP source port for all upstream DNS queries, providing insufficient entropy to prevent traffic injection attacks."
Attack vector
An attacker who controls a script or web page loaded on a client behind the vulnerable totd forwarder can trigger DNS queries from that client [ref_id=1]. Because totd sends every upstream query from the same fixed UDP source port (port 1024), the attacker can inject spoofed DNS responses that appear to come from the upstream resolver: the only remaining value the attacker has to guess is the DNS transaction ID [ref_id=1]. This enables classic Kaminsky-style DNS cache poisoning against the upstream resolver's cache [ref_id=1].
Affected code
The advisory does not specify exact function or file paths. The vulnerability exists in the totd DNS forwarder (version 1.5.3), where the upstream query logic uses a hard-coded UDP source port (port 1024 in tests) for all queries sent to DNS resolvers [ref_id=1].
What the fix does
No patch is available for totd 1.5.3, as the project is no longer maintained [ref_id=1]. The advisory recommends that users replace totd with an alternative DNS forwarder that randomizes the UDP source port per query, thereby increasing entropy and preventing traffic injection attacks [ref_id=1].
Preconditions
- Input: the attacker must be able to trigger DNS queries from a client behind the vulnerable totd forwarder (e.g., via a malicious script or web page)
- Network: the attacker must be on a network path that allows sending spoofed DNS responses appearing to originate from the upstream resolver
Reproduction
Connect a computer to the vulnerable router/forwarder and trigger multiple DNS queries. Observe the queries sent to upstream resolvers via packet capture, either on the router's Internet-facing interface or the upstream resolver's network interface. The queries captured on these interfaces have the same UDP source port (port 1024 in tests) [ref_id=1].
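The packet-capture check described above can be automated. The following is an added example, not code from the advisory or from the totd project: it takes a list of (UDP source port, DNS transaction ID) pairs, as one would extract from a capture on the forwarder's Internet-facing interface with a pcap decoder, and reports whether the source port is fixed, weakly randomized, or randomized. The two captures in the block are constructed with a seeded random generator to stand in for real traffic; the 49152-65535 ephemeral range and the "weak" threshold are assumptions of the example, not values from the advisory.

```python
"""Check captured upstream DNS queries for UDP source-port randomization."""
import math
import random
from collections import Counter

# Constructed sample captures (not real traffic). Each tuple is
# (udp_source_port, dns_transaction_id) for one upstream query, as one would
# extract from a pcap taken on the forwarder's Internet-facing interface.
_rng = random.Random(2022)  # fixed seed so the sample is reproducible

# The CVE-2022-34294 behaviour: every query leaves from UDP port 1024, so
# only the DNS transaction ID remains for an off-path spoofer to guess.
FIXED_PORT_CAPTURE = [(1024, _rng.randrange(0, 0x10000)) for _ in range(64)]

# A forwarder that picks an ephemeral source port per query (assumed range:
# the IANA dynamic range 49152-65535; implementations differ).
RANDOM_PORT_CAPTURE = [
    (_rng.randrange(49152, 65536), _rng.randrange(0, 0x10000)) for _ in range(64)
]


def shannon_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_capture(records):
    """Summarise how much an off-path spoofer would have to guess.

    `fixed_port` is True when every query used one source port (the CVE
    condition). `port_bits` and `txid_bits` are empirical entropies and are
    bounded by log2(len(records)), so a small capture can never show more than
    that many bits even for a perfectly randomizing forwarder.
    """
    if not records:
        raise ValueError("empty capture")
    ports = [port for port, _ in records]
    txids = [txid for _, txid in records]
    distinct_ports = len(set(ports))
    port_bits = shannon_bits(ports)
    max_bits = math.log2(len(records))
    return {
        "queries": len(records),
        "distinct_ports": distinct_ports,
        "port_bits": port_bits,
        "txid_bits": shannon_bits(txids),
        "fixed_port": distinct_ports == 1,
        # Assumed threshold: ports reused so heavily that the capture shows
        # fewer than half the bits its size could reveal.
        "weak_port_randomization": port_bits < max_bits / 2,
    }


def report(records, label):
    """Print a one-line verdict for a capture and return the assessment."""
    result = assess_capture(records)
    if result["fixed_port"]:
        verdict = "FIXED source port (cache-poisoning exposure)"
    elif result["weak_port_randomization"]:
        verdict = "weak source-port randomization"
    else:
        verdict = "source port randomized"
    print(
        f"{label}: {result['queries']} queries, "
        f"{result['distinct_ports']} distinct ports, "
        f"port entropy {result['port_bits']:.2f} bits, "
        f"txid entropy {result['txid_bits']:.2f} bits -> {verdict}"
    )
    return result


if __name__ == "__main__":
    report(FIXED_PORT_CAPTURE, "fixed-port forwarder")
    report(RANDOM_PORT_CAPTURE, "randomizing forwarder")
```

Run against a real capture by replacing the constructed lists with pairs decoded from the upstream-facing interface; a forwarder that is safe against this class of attack should show a distinct-port count close to the number of queries, with the port entropy near log2(queries).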
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.blackhat.com/presentations/bh-jp-08/bh-jp-08-Kaminsky/BlackHat-Japan-08-Kaminsky-DNS08-BlackOps.pdf
- www.openwall.com/lists/oss-security/2022/08/14/2
- www.usenix.org/conference/usenixsecurity22/presentation/jeitner
News mentions
No linked articles in our index yet.