VYPR
← All advisories
Medium severity6.9NVD Advisory· Published Jun 4, 2026· Updated Jun 4, 2026

AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle

CVE-2026-47703

Description

Summary

This report covers the client-triggered DoQ forwarding path in:

  • dnsproxy v0.81.2 (adguard/dnsproxy:v0.81.2)
  • AdGuard Home v0.107.74 (adguard/adguardhome:latest, image version label v0.107.74)

The issue was reproduced on 2026-04-25 with the products configured through their documented DoQ listener and plain UDP upstream surfaces. The scope is the internal backend UDP hop created when a DoQ query is forwarded to a udp:// upstream.

On that path, the backend DNS ID is not preserved as an independent source of entropy. For both products, the backend observer saw dns_id=0 for every sampled client-triggered query on the tested path. Repeated reruns then showed the same txid=0 behavior and the same positive source-port oracle on every sampled run. A separate quoted-port ICMP oracle distinguished the correct backend UDP source port from a wrong one with a stable, client-visible behavior change.

Attached evidence:

Root

Cause Analysis

The observable behavior is consistent across both products:

1. A DoQ client query is accepted on the frontend listener. 2. The query is forwarded over a backend UDP leg. 3. On that backend leg, the forwarded DNS ID collapses to 0 on the client-triggered path instead of remaining a fresh per-query variable. 4. The backend UDP source port is still allocated per query. 5. When an ICMP error quotes the actual backend source port, the forwarding path flips behavior in a way that does not occur for a wrong quoted port.

That combination removes txid from the backend tuple on the tested path and leaves the UDP source port as the main remaining variable. In practical terms, the backend hop stops behaving like a fresh (txid, source-port) pair per forwarded query and instead becomes a one-variable state exposure.

For dnsproxy, the correct quoted port does more than produce a failure signal: it can push resolution away from the primary UDP upstream and into the fallback upstream. For AdGuard Home, the same condition produces a fast SERVFAIL.

Reproduce

Prerequisites:

  • Docker and Docker Compose
  • OpenSSL
  • build the lab helper image used by the attached harness and observer

The attached reproducer bundle contains only the files needed for this report:

- scripts: attachments/scripts/ - helper image build files: attachments/docker/unbound-doq-attacker/ - compose files: attachments/docker-compose.g03.yml, attachments/docker-compose.g04.yml, attachments/docker-compose.g05.yml - shipped evidence: attachments/artifacts/...

Build the helper image first:

  1. cd attachments
  2. docker build -t unbound-doq-attacker:latest -f docker/unbound-doq-attacker/Dockerfile docker/unbound-doq-attacker

To rerun dnsproxy:

1. cd attachments 2. bash scripts/repro-g03-dnsproxy-oracle.sh 3. Inspect artifacts/g03/<RUN_ID>/summary.txt 4. Inspect artifacts/g03/<RUN_ID>/entropy-backend.jsonl, txid_correct-backend.jsonl, and port_correct-backend.jsonl

To rerun the dnsproxy fallback-steering case:

  1. cd attachments
  2. bash scripts/repro-g04-dnsproxy-steering.sh
  3. Inspect artifacts/g04/<RUN_ID>/summary.txt
  4. Inspect steering_correct-main.jsonl and steering_correct-fallback.jsonl

To rerun AdGuard Home:

1. cd attachments 2. bash scripts/repro-g05-adguardhome-oracle.sh 3. Inspect artifacts/g05/<RUN_ID>/summary.txt 4. Inspect entropy-backend.jsonl, txid_correct-backend.jsonl, and port_correct-backend.jsonl

The attached evidence includes fresh dnsproxy v0.81.2 reruns, one official- profile AdGuard Home run, and the minimal reproducer bundle used by both.

Impact

For both products, the tested DoQ-to-UDP path is no longer a full (txid, source-port) search surface:

- dnsproxy: four of four sampled runs showed txid=0 on the backend hop and a positive source-port oracle on v0.81.2. The remaining unknown is port_only. Median wrong/correct port latency was 327.99 ms / 40.93 ms. - AdGuard Home: four of four sampled runs showed txid=0 on the backend hop and a positive source-port oracle. The aggregate again classifies the remaining unknown as port_only. Median wrong/correct port latency was 319.14 ms / 37.02 ms.

Product-specific effects:

- dnsproxy: a correct port guess produced an empty client-visible answer on the base oracle path, and in the fallback profile it steered all eight tested queries away from the main upstream and into the fallback upstream. - AdGuard Home: a correct port guess produced fast SERVFAIL and an extra backend query.

This is the security-relevant point. On the tested official profiles, the backend hop no longer forces an off-path attacker to deal with two fresh random fields per forwarded DNS race. The DNS ID is already known: it is deterministically 0 on the client-triggered DoQ-to-UDP path. The only remaining backend tuple variable is the UDP source port, and the attached evidence shows a repeatable oracle for that remaining variable.

That places the path in the same threat-model class as oracle-assisted DNS forgery work such as SAD DNS and TUdoor: the attack first uses an oracle to learn or validate the tuple state that protects an off-path response race, and only then attempts the forged response. This report stops short of a forgery demo, but the evidence already shows the crucial precondition on the tested backend hop: the tuple is not high-entropy anymore. It has been reduced from (txid, source-port) to source-port only.

---

Attachments attachments.zip

Affected products

1

Patches

1
f00d992ce956

Pull request #430: AGDNS-3952-udp-id

https://github.com/AdguardTeam/dnsproxyAinar GaripovMay 4, 2026via ghsa-ref
commit
15 files changed · +55 40
  • bamboo-specs/bamboo.yaml+1 1 modified
    @@ -13,7 +13,7 @@
     # exact patch version as opposed to a minor one to make sure that this exact
     # version is actually used and not whatever the docker daemon on the CI has
     # cached a few months ago.
-    'dockerGo': 'adguard/go-builder:1.26.1--1'
+    'dockerGo': 'adguard/go-builder:1.26.2--1'
     'maintainer': 'Adguard Go Team'
     'name': 'dnsproxy'
  • docker/ci.Dockerfile+1 1 modified
    @@ -28,7 +28,7 @@
 #    needed.  Keep it in sync with bamboo-specs/bamboo.yaml.
 
 # NOTE:  Keep in sync with bamboo-specs/bamboo.yaml.
-ARG BASE_IMAGE=adguard/go-builder:1.26.1--1
+ARG BASE_IMAGE=adguard/go-builder:1.26.2--1
 
 # The dependencies stage is needed to install packages and tool dependencies.
 # This is also where binaries like osslsigncode, which may be required for tests
  • go.mod+1 1 modified
    @@ -1,6 +1,6 @@
 module github.com/AdguardTeam/dnsproxy
 
-go 1.26.1
+go 1.26.2
 
 require (
 	github.com/AdguardTeam/golibs v0.35.10
  • internal/cmd/proxy.go+2 2 modified
    @@ -526,8 +526,8 @@ func loadServersList(sources []string) []string {
 			servers = append(servers, source)
 		}
 
-		lines := strings.Split(string(data), "\n")
-		for _, line := range lines {
+		// TODO(a.garipov):  Be smarter about bytes vs. strings.
+		for line := range strings.SplitSeq(string(data), "\n") {
 			line = strings.TrimSpace(line)
 
 			// Ignore comments in the file.
  • Makefile+1 1 modified
    @@ -24,7 +24,7 @@ GOAMD64 = v1
 GOPROXY = https://proxy.golang.org|direct
 GOTELEMETRY = off
 OUT = dnsproxy
-GOTOOLCHAIN = go1.26.1
+GOTOOLCHAIN = go1.26.2
 RACE = 0
 REVISION = $${REVISION:-$$(git rev-parse --short HEAD)}
 VERSION = 0
  • proxy/errors.go+0 1 modified
    @@ -1,5 +1,4 @@
 //go:build !plan9
-// +build !plan9
 
 package proxy
  • proxy/errors_internal_test.go+0 1 modified
    @@ -1,5 +1,4 @@
 //go:build !plan9
-// +build !plan9
 
 package proxy
  • proxy/errors_plan9.go+0 1 modified
    @@ -1,5 +1,4 @@
 //go:build plan9
-// +build plan9
 
 package proxy
  • proxy/proxy_internal_test.go+3 6 modified
    @@ -370,10 +370,7 @@ func newTxts(tb testing.TB, txtDataLen int) (txts []string) {
 
 	// *dns.TXT requires splitting the actual data into 256-byte chunks.
 	for i := range txtDataChunkNum {
-		r := txtDataChunkLen * (i + 1)
-		if r > txtDataLen {
-			r = txtDataLen
-		}
+		r := min(txtDataChunkLen*(i+1), txtDataLen)
 		txts[i] = string(randData[txtDataChunkLen*i : r])
 	}
 
@@ -600,8 +597,8 @@ func TestExchangeWithReservedDomains(t *testing.T) {
 		UpstreamConfig: newTestUpstreamConfigWithBoot(
 			t,
 			testTimeout,
-			"[/adguard.com/]1.2.3.4",
-			"[/google.ru/]2.3.4.5",
+			"[/adguard.com/]192.0.2.1",
+			"[/google.ru/]192.0.2.2",
 			"[/maps.google.ru/]#",
 			"1.1.1.1",
 		),
  • proxy/serverquic_internal_test.go+1 4 modified
    @@ -289,10 +289,7 @@ func writeQUICStream(buf []byte, stream *quic.Stream) (err error) {
 	chunkSize := 400
 	for i := 0; i < len(buf); i += chunkSize {
 		chunkStart := i
-		chunkEnd := i + chunkSize
-		if chunkEnd > len(buf) {
-			chunkEnd = len(buf)
-		}
+		chunkEnd := min(i+chunkSize, len(buf))
 
 		_, err = stream.Write(buf[chunkStart:chunkEnd])
 		if err != nil {
  • upstream/doh.go+2 7 modified
    @@ -11,6 +11,7 @@ import (
 	"net/http"
 	"net/url"
 	"runtime"
+	"slices"
 	"sync"
 	"time"
 
@@ -695,13 +696,7 @@ func (p *dnsOverHTTPS) probeTLS(dialContext bootstrap.DialHandler, tlsConfig *tl
 
 // supportsH3 returns true if HTTP/3 is supported by this upstream.
 func (p *dnsOverHTTPS) supportsH3() (ok bool) {
-	for _, v := range p.tlsConf.NextProtos {
-		if v == string(HTTPVersion3) {
-			return true
-		}
-	}
-
-	return false
+	return slices.Contains(p.tlsConf.NextProtos, string(HTTPVersion3))
 }
 
 // supportsHTTP returns true if HTTP/1.1 or HTTP2 is supported by this upstream.
  • upstream/doq.go+1 1 modified
    @@ -285,7 +285,7 @@ func (p *dnsOverQUIC) getBytesPool() (pool *sync.Pool) {
 
 	if p.bytesPool == nil {
 		p.bytesPool = &sync.Pool{
-			New: func() interface{} {
+			New: func() (res any) {
 				b := make([]byte, dns.MaxMsgSize)
 
 				return &b
  • upstream/dot_internal_test.go+2 5 modified
    @@ -66,17 +66,14 @@ func TestUpstream_dnsOverTLS_race(t *testing.T) {
 	// Use this upstream from multiple goroutines in parallel.
 	wg := sync.WaitGroup{}
 	for range count {
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-
+		wg.Go(func() {
 			pt := testutil.PanicT{}
 
 			req := createTestMessage()
 			resp, uErr := u.Exchange(req)
 			require.NoError(pt, uErr)
 			requireResponse(pt, req, resp)
-		}()
+		})
 	}
 
 	wg.Wait()
  • upstream/plain.go+31 7 modified
    @@ -95,11 +95,14 @@ func (p *plainDNS) dialExchange(
 	client := &dns.Client{Timeout: p.timeout}
 
 	conn := &dns.Conn{}
-	if network == networkUDP {
-		conn.UDPSize = dns.MinMsgSize
-	}
+	upstreamReq := setRequestForNetwork(req, conn, network)
+	defer func() {
+		if resp != nil {
+			resp.Id = req.Id
+		}
+	}()
 
-	logBegin(p.logger, addr, network, req)
+	logBegin(p.logger, addr, network, upstreamReq)
 	defer func() { logFinish(p.logger, addr, network, err) }()
 
 	ctx := context.Background()
@@ -109,22 +112,43 @@ func (p *plainDNS) dialExchange(
 	}
 	defer func(c net.Conn) { err = errors.WithDeferred(err, c.Close()) }(conn.Conn)
 
-	resp, _, err = client.ExchangeWithConn(req, conn)
+	resp, _, err = client.ExchangeWithConn(upstreamReq, conn)
 	if isExpectedConnErr(err) {
 		conn.Conn, err = dial(ctx, network, "")
 		if err != nil {
 			return nil, fmt.Errorf("dialing %s over %s again: %w", p.addr.Host, network, err)
 		}
 		defer func(c net.Conn) { err = errors.WithDeferred(err, c.Close()) }(conn.Conn)
 
-		resp, _, err = client.ExchangeWithConn(req, conn)
+		resp, _, err = client.ExchangeWithConn(upstreamReq, conn)
 	}
 
 	if err != nil {
 		return resp, fmt.Errorf("exchanging with %s over %s: %w", addr, network, err)
 	}
 
-	return resp, validatePlainResponse(req, resp)
+	return resp, validatePlainResponse(upstreamReq, resp)
+}
+
+// setRequestForNetwork sets connection options in conn and overrides the
+// upstream request, if necessary, depending on network.  If network is
+// [networkUDP] and orig has a zero ID, req is a copy of orig with a new ID to
+// increase entropy.  network must be either [networkUDP] or [networkTCP].  orig
+// and conn must not be nil.
+func setRequestForNetwork(orig *dns.Msg, conn *dns.Conn, network network) (req *dns.Msg) {
+	req = orig
+	if network != networkUDP {
+		return req
+	}
+
+	conn.UDPSize = dns.MinMsgSize
+
+	if orig.Id == 0 {
+		req = orig.Copy()
+		req.Id = dns.Id()
+	}
+
+	return req
 }
 
 // isExpectedConnErr returns true if the error is expected.  In this case,
  • upstream/upstream.go+9 1 modified
    @@ -337,7 +337,15 @@ func logBegin(l *slog.Logger, addr string, n network, req *dns.Msg) {
 		qname = req.Question[0].Name
 	}
 
-	l.Debug("sending request", "addr", addr, "proto", n, "qtype", qtype, "qname", qname)
+	l.DebugContext(
+		context.TODO(),
+		"sending request",
+		"addr", addr,
+		"proto", n,
+		"qtype", qtype,
+		"qname", qname,
+		"id", req.Id,
+	)
 }
 
 // logFinish logs the end of DNS request resolution.  It should be called right

Vulnerability mechanics

Root cause

"The backend DNS ID is not preserved as a per-query variable when forwarding DoQ queries to UDP, causing it to deterministically become 0."

Attack vector

An attacker can trigger this vulnerability by sending a DNS query over DoQ to the vulnerable server. The server then forwards this query over a UDP connection to an upstream DNS server. The issue lies in the backend UDP hop where the DNS ID is not properly randomized, becoming a fixed value of 0. This reduction in entropy, combined with a source-port oracle, allows an attacker to predict the transaction tuple and potentially forge responses [ref_id=1].

Affected code

The vulnerability is present in the DoQ forwarding path to UDP upstreams. Specifically, the `dialExchange` function in `upstream/plain.go` handles the forwarding of DNS queries over UDP. The `setRequestForNetwork` function, which is called by `dialExchange`, was modified to address this issue by ensuring a unique DNS ID is set for UDP requests when the original ID is zero.

What the fix does

The patch modifies the `setRequestForNetwork` function in `upstream/plain.go` to ensure that when a UDP network is used and the original DNS ID is 0, a new, randomized ID is generated for the outgoing request. This prevents the DNS ID from collapsing to a fixed value of 0 on the backend hop, thereby restoring the necessary entropy to the transaction tuple and mitigating the source-port oracle vulnerability [patch_id=4831400].

Preconditions

  • configThe product must be configured with a DoQ listener and a plain UDP upstream.
  • networkThe attacker must be able to send queries over DoQ to the vulnerable server and observe responses or ICMP errors.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.