Earlier this week, researchers from UC Riverside and Tsinghua University announced a new type of DNS cache poisoning attack named SAD DNS. The attack is very sophisticated and hard to reproduce on real-life systems. We deployed a mitigation on all NextDNS servers to fully protect our users against such an attack, should anyone succeed in running it.
The mitigation consists of disabling the sending of ICMP port unreachable packets on the unicast IPs facing authoritative DNS servers. This change does not affect user-facing anycast IPs, is completely transparent, and effectively blocks this type of attack.
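As an added illustration of this kind of mitigation on a Linux resolver host (example configuration, not NextDNS's own), the nftables ruleset below suppresses outgoing ICMP and ICMPv6 "port unreachable" messages only when they would be sent from the resolver's authoritative-facing unicast addresses; the addresses are placeholders, and the user-facing anycast addresses are intentionally left out of the sets so client-facing behaviour is unchanged.

```nft
# Added example, not the original page's or NextDNS's configuration.
# Load with: nft -f sad-dns-mitigation.nft
table inet sad_dns_mitigation {
    # Placeholder unicast source addresses the resolver uses to query
    # authoritative servers. Anycast client-facing addresses are NOT listed.
    set resolver_unicast_v4 {
        type ipv4_addr
        elements = { 198.51.100.10, 198.51.100.11 }
    }
    set resolver_unicast_v6 {
        type ipv6_addr
        elements = { 2001:db8:1::10 }
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Drop ICMP "destination unreachable / port unreachable" replies that
        # the kernel would emit from the unicast resolver addresses when an
        # unsolicited UDP datagram hits a closed port.
        ip saddr @resolver_unicast_v4 \
            icmp type destination-unreachable icmp code port-unreachable \
            counter drop

        # Same for IPv6: ICMPv6 type 1 (destination unreachable), code 4.
        ip6 saddr @resolver_unicast_v6 \
            icmpv6 type destination-unreachable icmpv6 code port-unreachable \
            counter drop
    }
}
```

After loading, `nft list table inet sad_dns_mitigation` shows the rules and their counters, so a rising drop counter confirms the kernel was trying to answer closed-port probes on those addresses.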