CVE-2021-3448: 
NixOS vulnerability analysis and mitigation

A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. This vulnerability (CVE-2021-3448) was discovered in March 2021 and affects the DNS caching and forwarding functionality of dnsmasq (NVD, Red Hat).

The vulnerability occurs when dnsmasq is configured with --server=@ or similar (e.g., through dbus), which causes it to use a fixed UDP port for all outgoing queries to the specified upstream DNS server. The CVSS v3.1 base score is 4.0 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N (NVD).

The vulnerability makes DNS Cache Poisoning attacks much easier to execute. If exploited, an attacker who can discover the fixed outgoing port only needs to guess the random transmission ID to forge a reply and get it accepted by dnsmasq. The highest threat from this vulnerability is to data integrity (Red Hat).

The vulnerability can be mitigated by removing the --server=@ option or the server=@ directive. For systems using NetworkManager, remove dns=dnsmasq from /etc/NetworkManager/NetworkManager.conf. If the server directive must be kept, the impact can be reduced by disabling the dnsmasq cache using --cache-size=0 or adding cache-size=0 to the configuration file. The permanent fix is to upgrade to dnsmasq version 2.85 or later (Red Hat).