Major Recursive Resolvers Emergency Merge DNS Query Entropy Patch
Patch fixes DNS cache snooping vulnerability; operators issue 72-hour deployment deadline.
Open source community announcement: Three widely-deployed recursive DNS implementations released emergency patches today, fixing a vulnerability dubbed "Entropy Bleed."
Vulnerability Mechanism
The vulnerability stems from insufficient DNS query entropy: an attacker can infer previously queried domains from differences in the recursive resolver's cache response times:
- The attacker sends many queries to the recursive resolver
- By measuring the differences in response time, the attacker infers whether specific domains are already cached
- Combined with WHOIS data and historical queries, this can reconstruct a user's browsing behaviour
Affected scope includes all DNS traffic in enterprise networks, VPNs, and IoT devices.
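The cache-probing pattern described above leaves a trace in resolver query logs. The following is an added example, not code from the article or from any of the patched resolvers: a heuristic that flags clients whose queries are almost all distinct names, which is the fingerprint of probing candidate domains one at a time. The log format, the sample lines and the thresholds are assumptions chosen for illustration.

```python
# Added example (not from the article): heuristic detector for cache-snooping
# probe traffic in recursive-resolver query logs. Log format, sample data and
# threshold values are assumptions chosen for illustration.
from collections import defaultdict

# Constructed sample: "client qname cache_status latency_ms", one query per line.
# 10.0.0.5 behaves like a normal browser (re-asks a few names as TTLs expire);
# 10.0.0.9 asks many unrelated names once each, the snooping fingerprint.
SAMPLE_LOG = """\
10.0.0.5 www.example.com MISS 41
10.0.0.5 cdn.example.com MISS 37
10.0.0.5 www.example.com HIT 1
10.0.0.5 api.example.com MISS 39
10.0.0.5 cdn.example.com HIT 1
10.0.0.5 www.example.com HIT 1
10.0.0.9 bank1.test HIT 1
10.0.0.9 bank2.test MISS 40
10.0.0.9 shop3.test HIT 1
10.0.0.9 news4.test MISS 44
10.0.0.9 mail5.test HIT 1
10.0.0.9 vpn6.test MISS 42
"""


def parse_log(text):
    """Parse one 'client qname status latency_ms' record per non-empty line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, status, latency = line.split()
        records.append((client, qname.lower(), status, int(latency)))
    return records


def snooping_suspects(records, min_queries=6, min_distinct_ratio=0.9):
    """Return {client: distinct_ratio} for clients that look like cache probes.

    A browsing client repeats names as TTLs expire, so distinct/total stays
    well below 1; a probe asks each candidate name once, pushing it toward 1.
    """
    total = defaultdict(int)
    names = defaultdict(set)
    for client, qname, _status, _latency in records:
        total[client] += 1
        names[client].add(qname)
    suspects = {}
    for client, n in total.items():
        ratio = len(names[client]) / n
        if n >= min_queries and ratio >= min_distinct_ratio:
            suspects[client] = round(ratio, 2)
    return suspects


if __name__ == "__main__":
    print(snooping_suspects(parse_log(SAMPLE_LOG)))  # {'10.0.0.9': 1.0}
```

In production the ratio should be computed per time window and combined with query rate, since a single threshold on a short log will produce false positives for low-volume clients.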
Patch Contents
Core fixes in this update:
- Enhanced Query ID randomness: expanded from 16-bit to 32-bit entropy
- Enhanced port randomization: multiple checks to prevent response validation bypass
- Minimum TTL floor: authorities are advised to enable a minimum TTL of no less than 300 seconds
Deployment Requirements
Major operators have issued internal notices requiring:
- Recursive resolver patches deployed within 72 hours
- Enterprise users upgrade via auto-update channels
- DNSSEC verification enabled by default
Operators failing to deploy within the deadline will face regulatory inquiries.
Security Recommendations
Security researchers recommend that, until the patch is deployed, users:
- Enable DNS over HTTPS (DoH) or DNS over TLS (DoT)
- Avoid sensitive operations on public Wi-Fi
- Follow carrier update announcements
This article is fictional content, for entertainment only.
Disclaimer
This article is demo content on the site, consistent with the notice at the top: it may be fictional or synthetic. Do not use it as a basis for real decisions. Do not cite it as factual reporting.