Opened 6 years ago

Closed 6 years ago

#803 closed incident (worksforme)

Vulnerability found in delegation handling in BIND, PowerDNS and Unbound

Reported by: mbreet Owned by:
Keywords: security Cc:
Location: Generic


Via security bulletin. WL also uses Unbound, doesn't it?


Because the number of recursive queries in the resolvers of BIND,
PowerDNS and Unbound is not limited, it is possible that, with a
special setup, the resolvers can end up in an infinite loop.


Due to the infinite loop, the resources on the resolvers will
gradually fill up, so that the resolver no longer answers
queries. This results in a Denial of Service (DoS).


By making use of maliciously-constructed zones or a rogue server,
an attacker can exploit an oversight in the code BIND 9 uses to
follow delegations in the Domain Name Service, causing BIND to
issue unlimited queries in an attempt to follow the delegation.
This can lead to resource exhaustion and denial of service (up to
and including termination of the named server process.)
Versions affected: 9.0.x -> 9.8.x, 9.9.0 -> 9.9.6, 9.10.0 -> 9.10.1


This problem can be triggered by sending queries for specifically
configured domains.
Affects: PowerDNS Recursor versions 3.6.1 and earlier


The resolver can be tricked into following an endless series of
delegations, this consumes a lot of resources. A patch is
available that limits the number of fetches performed for a query.
Affects: Unbound 1.50 and earlier

Solution / Work-around

KPN-CERT recommends updating resolvers to the latest version as
soon as possible.


BIND 9 version 9.9.6-P1
BIND 9 version 9.10.1-P1


PowerDNS Recursor 3.6.2


The proper fix is a patch, which is available:

A very simple workaround is to ignore the problem and let existing
anti-DoS systems in unbound deal with the issue. It will consume a
lot of resources, but other customers will (most likely) continue
to get service.
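A toy illustration of the mitigation the bulletin describes (capping the number of fetches a resolver performs for one query), added here as an example; it is not code from the ticket, BIND, PowerDNS or Unbound, and the in-memory zone map, the names and the `MAX_FETCHES` value are constructed assumptions.

```python
# Added example, not from the ticket or any of the named projects.
# A toy iterative resolver that follows NS delegations in a constructed,
# in-memory zone map. With max_fetches=None it behaves like the unpatched
# resolvers described above and never terminates on a delegation cycle;
# with a cap it gives up after a fixed number of fetches per query.

MAX_FETCHES = 8  # assumed per-query limit; real resolvers choose their own


class DelegationLimitExceeded(Exception):
    """Raised when one query would need more than max_fetches fetches."""


class NameNotFound(Exception):
    """Raised when a name has no record in the zone map (NXDOMAIN-like)."""


# Constructed sample data: name -> ("A", address) or ("NS", delegated name).
# 'loop.example' delegates to nameservers that delegate to each other, so
# the chain never reaches an address record.
SAMPLE_ZONES = {
    "www.good.example": ("NS", "ns.good.example"),
    "ns.good.example": ("A", "192.0.2.10"),
    "loop.example": ("NS", "ns1.loop.example"),
    "ns1.loop.example": ("NS", "ns2.loop.example"),
    "ns2.loop.example": ("NS", "ns1.loop.example"),
}


def resolve(name, zones=SAMPLE_ZONES, max_fetches=MAX_FETCHES):
    """Follow delegations until an address is found, counting each lookup
    as one upstream fetch. Returns (address, fetches_used)."""
    fetches = 0
    current = name
    while True:
        # The defensive check: stop before issuing yet another fetch.
        if max_fetches is not None and fetches >= max_fetches:
            raise DelegationLimitExceeded(
                f"{name}: gave up after {fetches} fetches")
        fetches += 1
        record = zones.get(current)
        if record is None:
            raise NameNotFound(current)
        rrtype, target = record
        if rrtype == "A":
            return target, fetches
        current = target  # NS record: follow the delegation to the next name


if __name__ == "__main__":
    print(resolve("www.good.example"))  # ('192.0.2.10', 2)
    try:
        resolve("loop.example")
    except DelegationLimitExceeded as exc:
        print("bounded resolver stopped:", exc)
```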


Change History (1)

comment:1 Changed 6 years ago by mbreet

Resolution: worksforme
Status: new → closed