A tale of a DNS exploit: CVE-2015-7547
A buffer overflow in the GNU libc (glibc) DNS stub resolver code was announced as CVE-2015-7547. The vulnerability affects any platform running a recent glibc, including servers and personal computers. The only effective mitigation is patching the system. Limiting UDP response size to 2048 bytes or less does not work, and it may force legitimate queries to retry over TCP. Running a local caching DNS resolver can improve internet performance and has shielded against past, and possibly future, security vulnerabilities, but it is not sufficient to defuse this attack: an off-path attack is also possible through a caching DNS resolver. The key factor in a real-world, non-MitM attack via a caching resolver is indirectly controlling the messages exchanged between the resolver and the client.
Company
Cloudflare
Date published
Feb. 29, 2016
Author(s)
Marek Vavruša, Jaime Cochran
Word count
2158
Hacker News points
None found.
Language
English