Summary Netty's "DnsResolveContext" insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an authoritative name server for a subdomain can poison the cache for parent domains (like ".co.uk"). Details In "io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#add" method accepts any NS record from the AUTHORITY section as long as the record's name is a suffix of the questionName. This means if the resolver queries evil.co.uk., it will accept an NS record claiming authority over co.uk.. Subsequently, the "handleWithAdditional" method caches the associated A records from the ADDITIONAL section directly into the "authoritativeDnsServerCache" under the parent domain's key (co.uk.). This bypasses standard bailiwick rules, where a server authoritative for a subdomain should not be trusted to provide authoritative records for its parent. The poisoned cache is then used for all future resolutions under co.uk.. The "io.netty.resolver.dns.DnsResolveContext.AuthoritativeNameServerList#cache" method only prevents caching if the record is for the root zone (dots == 1). Impact DNS Cache Poisoning. Any application using Netty's DNS resolver is impacted.