VYPR
High severity 8.7 · NVD Advisory · Published Jun 8, 2026 · Updated Jun 8, 2026

Netty has Insufficient Bailiwick Validation for NS Records

CVE-2026-47691

Description

Netty's DNS resolver allows DNS cache poisoning by accepting NS records from subdomains for parent domains, impacting all applications using the resolver.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Netty's DnsResolveContext.AuthoritativeNameServerList#add method insufficiently validates the bailiwick of NS records. It accepts any NS record from the AUTHORITY section if the record's name is a suffix of the queried name. Affected Netty versions are <= 4.1.134.Final, and >= 4.2.0.Final up to and including 4.2.14.Final [3].

Exploitation

An attacker controlling an authoritative name server for a subdomain (e.g., evil.co.uk.) can trick a Netty DNS resolver into accepting an NS record claiming authority over a parent domain (e.g., co.uk.). The handleWithAdditional method then caches associated A records under the parent domain's key, bypassing standard bailiwick rules [3], [4].
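
The gap between the suffix-only test described above and a bailiwick test, as an added sketch that is not Netty's code or its patch. The class, the method names and the serverZone parameter (the zone the queried server was selected for) are assumptions made for illustration, and the names are constructed from the advisory's evil.co.uk. / co.uk. example.

```java
import java.util.List;
import java.util.Locale;

public class BailiwickCheck {
    // Lower-case and force a trailing dot so names compare on label boundaries.
    static String norm(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n : n + ".";
    }

    // True when 'name' equals 'zone' or lies beneath it in the DNS tree.
    static boolean isAtOrBelow(String name, String zone) {
        String n = norm(name), z = norm(zone);
        return z.equals(".") || n.equals(z) || n.endsWith("." + z);
    }

    // Check as the advisory describes it: the NS owner name only has to be
    // a suffix of the queried name.
    static boolean suffixOnly(String nsOwner, String qname) {
        return isAtOrBelow(qname, nsOwner);
    }

    // Bailiwick check: the NS owner must also sit inside the zone the
    // responding server was asked about (serverZone is an assumed parameter),
    // so a server can delegate downwards but never claim a parent.
    static boolean inBailiwick(String nsOwner, String qname, String serverZone) {
        return isAtOrBelow(qname, nsOwner) && isAtOrBelow(nsOwner, serverZone);
    }

    public static void main(String[] args) {
        String qname = "www.evil.co.uk.";   // constructed query name
        String serverZone = "evil.co.uk.";  // constructed: zone of the queried server
        // Constructed owner names of NS records in an AUTHORITY section.
        List<String> owners = List.of(
                "co.uk.", "uk.", "evil.co.uk.", "www.evil.co.uk.", "example.org.");
        for (String owner : owners) {
            System.out.printf("%-18s suffixOnly=%-5b inBailiwick=%b%n",
                    owner, suffixOnly(owner, qname),
                    inBailiwick(owner, qname, serverZone));
        }
    }
}
```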

Impact

This vulnerability enables DNS cache poisoning. An attacker can poison the cache for parent domains, so that all future resolutions under that domain are directed to attacker-controlled infrastructure. Any application using Netty's DNS resolver is impacted [3], [4].

Mitigation

Netty versions 4.1.135.Final and 4.2.15.Final contain fixes for this vulnerability [1], [2], [3].

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 4

News mentions: 1