Wind River Support Network

Fixed

LIN1018-7139 : Security Advisory - dnsmasq - CVE-2020-25686

Created: Jan 19, 2021    Updated: Mar 23, 2021
Resolved Date: Mar 23, 2021
Found In Version: 10.18.44.1
Severity: Standard
Applicable for: Wind River Linux LTS 18
Component/s: Userspace

Description

When receiving a query, dnsmasq does not check whether a request for the same name is already pending, and forwards a new request for it. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same name. An attacker on the network can abuse this issue to substantially reduce the number of attempts needed to forge a reply and have it accepted by dnsmasq. This is mentioned in the "Birthday Attacks" section of RFC 5452.

Upstream patches:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=15b60ddf935a531269bb8c68198de012a4967156
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=6a6e06fbb0d4690507ceaf2bb6f0d8910f3d4914
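
The following added example (not dnsmasq code and not the upstream patch) models the behaviour described above: a pending-query table with and without a same-name check, and the resulting chance that a forged reply matches an outstanding query. All names are hypothetical; the exact string comparison, the 1000 forged replies and the 16-bit identifier space are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_PENDING 150 /* default cap on pending upstream queries (from the advisory) */
struct table { char name[MAX_PENDING][64]; int used; };

/* Returns 1 when a new upstream query is sent, 0 when one for that name is
   already pending (dedup=1 only) or the cap is reached. dedup=0 is the flawed path. */
int on_client_query(struct table *t, const char *name, int dedup)
{
    if (dedup)
        for (int i = 0; i < t->used; i++)
            if (strcmp(t->name[i], name) == 0)
                return 0;
    if (t->used == MAX_PENDING)
        return 0;
    snprintf(t->name[t->used++], sizeof t->name[0], "%s", name);
    return 1;
}

/* Upstream queries in flight for a name: each is an identifier a forged reply could match. */
int outstanding_for(const struct table *t, const char *name)
{
    int n = 0;
    for (int i = 0; i < t->used; i++)
        n += strcmp(t->name[i], name) == 0;
    return n;
}

/* P(at least one of k uniform guesses matches one of n distinct identifiers
   in a space of the given size) = 1 - (1 - n/space)^k. */
double accept_probability(int n, long k, double space)
{
    double miss = 1.0;
    for (long i = 0; i < k; i++)
        miss *= 1.0 - n / space;
    return 1.0 - miss;
}

int main(void)
{
    struct table before = {0}, after = {0};
    for (int i = 0; i < 200; i++) { /* constructed burst of identical queries */
        on_client_query(&before, "www.example.test", 0);
        on_client_query(&after, "www.example.test", 1);
    }
    int nb = outstanding_for(&before, "www.example.test");
    int na = outstanding_for(&after, "www.example.test");
    /* 65536 = 16-bit transaction ID only (assumption; random source ports enlarge it) */
    printf("no check: n=%d P=%.3f\n", nb, accept_probability(nb, 1000, 65536.0));
    printf("check:    n=%d P=%.3f\n", na, accept_probability(na, 1000, 65536.0));
}
```

Under these assumptions the unchecked path leaves 150 queries for one name in flight, while the checked path leaves one, which is the difference the advisory attributes to the missing pending-request check.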

CVE-2020-25686: https://nvd.nist.gov/vuln/detail/CVE-2020-25686
