{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/hickory-recursor/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["hickory-recursor","hickory-resolver"],"_cs_severities":["medium"],"_cs_tags":["dns","cache-poisoning","zone-delegation"],"_cs_type":"advisory","_cs_vendors":["Palo Alto Networks","Hickory DNS"],"content_html":"\u003cp\u003eThe Hickory DNS project\u0026rsquo;s experimental \u003ccode\u003ehickory-recursor\u003c/code\u003e crate, now integrated into \u003ccode\u003ehickory-resolver\u003c/code\u003e under the \u003ccode\u003erecursor\u003c/code\u003e feature, contains a vulnerability in its DNS record cache (\u003ccode\u003eDnsLru\u003c/code\u003e). The cache stores records based on the record\u0026rsquo;s name and type, rather than the originating query. This design flaw allows for cross-zone cache poisoning because the \u003ccode\u003ecache_response()\u003c/code\u003e function chains \u003ccode\u003eANSWER\u003c/code\u003e, \u003ccode\u003eAUTHORITY\u003c/code\u003e, and \u003ccode\u003eADDITIONAL\u003c/code\u003e sections into a single record iterator during insertion. The bailiwick filter uses the zone context of the NS pool that serviced the lookup, leading to improper validation of records from sibling zones. This issue affects all published versions of the experimental \u003ccode\u003ehickory-recursor\u003c/code\u003e crate prior to its integration into \u003ccode\u003ehickory-resolver\u003c/code\u003e 0.26.0. Users of the \u003ccode\u003ehickory-dns\u003c/code\u003e binary configured with the \u003ccode\u003erecursor\u003c/code\u003e feature are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker registers the domain \u003ccode\u003eattacker.poc.\u003c/code\u003e and sets up a malicious nameserver.\u003c/li\u003e\n\u003cli\u003eHickory DNS server queries the nameserver for \u003ccode\u003eattacker.poc.\u003c/code\u003e to build its NS pool.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s nameserver responds with an \u003ccode\u003eAUTHORITY\u003c/code\u003e section that includes a malicious record delegating a sibling zone, such as \u003ccode\u003evictim.poc.\u003c/code\u003e, to \u003ccode\u003ens.evil.poc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Hickory DNS server\u0026rsquo;s bailiwick check incorrectly validates the malicious \u003ccode\u003evictim.poc. NS ns.evil.poc.\u003c/code\u003e record because \u003ccode\u003evictim.poc.\u003c/code\u003e is a subdomain of the parent zone \u003ccode\u003epoc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious NS record for \u003ccode\u003evictim.poc.\u003c/code\u003e is stored in the cache, keyed by \u003ccode\u003e(victim.poc., NS)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA client queries the Hickory DNS server for a name within the \u003ccode\u003evictim.poc.\u003c/code\u003e zone.\u003c/li\u003e\n\u003cli\u003eHickory DNS server builds its NS pool for \u003ccode\u003evictim.poc.\u003c/code\u003e using the poisoned cache entry, directing queries to \u003ccode\u003ens.evil.poc.\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s nameserver now receives queries intended for the legitimate \u003ccode\u003evictim.poc.\u003c/code\u003e nameserver, allowing the attacker to intercept and manipulate DNS resolution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to redirect DNS queries for a target domain to an attacker-controlled nameserver. This can lead to various malicious activities, including phishing attacks, man-in-the-middle attacks, and the distribution of malware. The vulnerability affects any system using Hickory DNS with the \u003ccode\u003erecursor\u003c/code\u003e feature enabled, potentially impacting a wide range of users relying on the resolver for DNS resolution. If the targeted domain is critical for service delivery (e.g., email, web), the impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ehickory-resolver\u003c/code\u003e version 0.26.0 or later with the \u003ccode\u003erecursor\u003c/code\u003e feature enabled to address the vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-83hf-93m4-rgwq\"\u003ehttps://github.com/advisories/GHSA-83hf-93m4-rgwq\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, disable the \u003ccode\u003erecursor\u003c/code\u003e feature in \u003ccode\u003ehickory-dns\u003c/code\u003e to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eImplement monitoring for unexpected NS record changes, focusing on \u003ccode\u003eAUTHORITY\u003c/code\u003e sections of DNS responses, using a custom rule based on your environment and typical DNS configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T18:10:58Z","date_published":"2026-04-30T18:10:58Z","id":"/briefs/2024-11-hickory-dns-poisoning/","summary":"The experimental `hickory-recursor` crate in Hickory DNS is vulnerable to cross-zone cache poisoning due to storing DNS records keyed by record name/type instead of query, enabling an attacker to redirect queries for a victim zone to an attacker-controlled nameserver.","title":"Hickory DNS Recursor Cache Poisoning via Sibling Zone Delegation","url":"https://feed.craftedsignal.io/briefs/2024-11-hickory-dns-poisoning/"}],"language":"en","title":"CraftedSignal Threat Feed — Hickory-Recursor","version":"https://jsonfeed.org/version/1.1"}