Don't you hate it when your cache gets poisoned? No more — in this update, we have fixed the vulnerability that was making AdGuard DNS Client susceptible to cache poisoning attacks.
A special thanks to Xiang Li for reporting the vulnerability, our community moderators team, as well as to everyone who filed and inspected issues and helped us test this release!
See also the v0.0.4 GitHub milestone.
Security
- Any simultaneous requests that are considered duplicates will now only result in a single request to upstreams, reducing the chance of a cache poisoning attack succeeding. This is controlled by the new configuration object `dns.server.pending_requests`, which has a single `enabled` property, set to `true` by default.

  NOTE: We thank Xiang Li for reporting this security issue. It is strongly recommended to leave it enabled; otherwise AdGuard DNS Client will remain vulnerable to cache poisoning attacks from untrusted clients.
- Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in Go 1.24.2.
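The point of deduplicating pending requests is that every outstanding upstream query is a window in which a forged reply (with a guessed transaction ID and source port) can be accepted; a client that can make the resolver send many identical upstream queries at once multiplies that window. The following is an added example, not AdGuard DNS Client's own code: a minimal resolver that coalesces duplicate in-flight questions the way `pending_requests.enabled` is described above, driven by a constructed stub upstream that holds its reply until all clients have submitted. The `Question`, `Resolver` and `RunBurst` names, the 192.0.2.1 answer and the 64-client burst are all assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
	"sync/atomic"
	"time"
)

// Question identifies a DNS query; equal Questions are duplicates. The key lower-cases the name since DNS names compare case-insensitively.
type Question struct {
	Name        string
	Type, Class uint16
}

func (q Question) key() Question { q.Name = strings.ToLower(q.Name); return q }

// inflight is one upstream query that later duplicates wait on.
type inflight struct {
	done   chan struct{}
	answer string
	err    error
}

// Resolver forwards questions upstream. With coalesce set (the analogue of
// dns.server.pending_requests.enabled), duplicates of a question already in flight share its answer.
type Resolver struct {
	coalesce  bool
	upstream  func(Question) (string, error)
	mu        sync.Mutex
	pending   map[Question]*inflight
	coalesced atomic.Int64 // requests answered from an in-flight query
}

// Resolve answers q, sending at most one upstream query per distinct question
// at any one time when coalescing is enabled.
func (r *Resolver) Resolve(q Question) (string, error) {
	if !r.coalesce {
		return r.upstream(q)
	}
	k := q.key()
	r.mu.Lock()
	if c, ok := r.pending[k]; ok {
		r.coalesced.Add(1)
		r.mu.Unlock()
		<-c.done // wait for the single upstream query, whatever its outcome
		return c.answer, c.err
	}
	c := &inflight{done: make(chan struct{})}
	r.pending[k] = c
	r.mu.Unlock()
	c.answer, c.err = r.upstream(q)
	r.mu.Lock()
	delete(r.pending, k) // duplicates arriving from now on start a fresh query
	r.mu.Unlock()
	close(c.done)
	return c.answer, c.err
}

// RunBurst fires n simultaneous copies of one question and reports how many upstream
// queries resulted and whether every client got the same answer. The upstream is a
// constructed stub that withholds its reply until all n clients have submitted.
func RunBurst(n int, coalesce bool) (upstreamCalls int64, sameAnswer bool) {
	release := make(chan struct{})
	var calls atomic.Int64
	r := &Resolver{coalesce: coalesce, pending: map[Question]*inflight{}}
	r.upstream = func(Question) (string, error) {
		calls.Add(1)
		<-release
		return "192.0.2.1", nil // constructed answer (TEST-NET-1 address)
	}
	q := Question{Name: "Example.com.", Type: 1, Class: 1}
	answers := make([]string, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) { defer wg.Done(); answers[i], _ = r.Resolve(q) }(i)
	}
	// Release the stub only once every client is in flight or waiting on the
	// pending query, so the upstream count is deterministic.
	for deadline := time.Now().Add(5 * time.Second); time.Now().Before(deadline); time.Sleep(time.Millisecond) {
		if (coalesce && r.coalesced.Load() == int64(n-1)) || (!coalesce && calls.Load() == int64(n)) {
			break
		}
	}
	close(release)
	wg.Wait()
	sameAnswer = true
	for _, a := range answers {
		sameAnswer = sameAnswer && a == answers[0]
	}
	return calls.Load(), sameAnswer
}

func main() {
	calls, same := RunBurst(64, true)
	fmt.Printf("64 duplicate queries -> %d upstream query (consistent=%v)\n", calls, same)
}
```

With coalescing on, 64 simultaneous copies of the same question produce one upstream query and every client receives its answer; with it off, each copy goes upstream and the attacker gets 64 forgery windows instead of one. A production implementation would additionally bound how long waiters block (a context or deadline) and would still rely on source-port and transaction-ID randomization; coalescing reduces the attacker's opportunities, it does not replace those defenses.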
Changed
Configuration changes
In this release, the schema version has changed from 2 to 3.
- The new object `pending_requests` has been added to the `dns.server` object.

  ```yaml
  # BEFORE:
  dns:
      server:
          # …
      # …
  # …
  schema_version: 2

  # AFTER:
  dns:
      server:
          pending_requests:
              enabled: true
          # …
      # …
  # …
  schema_version: 3
  ```

  To roll back this change, remove the `dns.server.pending_requests` object and set `schema_version` to `2`.