CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Network Security

Recursive DNS Resolvers Affected by Serious Vulnerability

Recursive Domain Name System (DNS) resolvers are plagued by a vulnerability that can be leveraged to cause them to crash due to resource exhaustion, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) reported on Tuesday.

Recursive Domain Name System (DNS) resolvers are plagued by a vulnerability that can be leveraged to cause them to crash due to resource exhaustion, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) reported on Tuesday.

DNS resolvers process DNS queries with the aid of authoritative servers. If the authoritative server can’t process the request, it returns a referral response pointing to other servers that might be able to carry out the task. The problem is that a malicious authoritative server can cause some resolvers to follow an infinite chain of referrals, which can lead to a denial-of-service (DoS) state.

“A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service,” CERT/CC noted in its advisory. “Resolvers that follow multiple referrals at once can cause large bursts of network traffic.”

The organization also noted that it might be possible to launch a DoS attack against a target using DNS traffic.

The issue, discovered by Florian Maury of the French government information security agency ANSSI, affects at least three resolvers. On Monday, the Internet Systems Consortium (ISC) released security updates to address the vulnerability (CVE-2014-8500) in BIND, the most widely used DNS software on the Internet.

ISC pointed out in its advisory that “authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone.”

According to CERT/CC, the flaw also affects NLnet Labs’ Unbound, and PowerDNS Recursor. Products from Nominum, dnsmasq and djbdns are not impacted.

Advertisement. Scroll to continue reading.

CERT/CC has notified several other organizations whose products might be affected, but so far, none of them have confirmed or denied the issue. The list includes Apple, Cisco, F5 Networks, GNU adns, Infoblox, MaraDNS, and Secure 64.

In the case of PowerDNS, the vulnerability has been assigned the CVE identifier CVE-2014-8601. The company says the latest version of PowerDNS Recursor (3.6.2, released in late October) is not affected by the bug because it includes a new feature that limits the amount of work performed to resolve a single query. Users are advised to update to PowerDNS Recursor 3.6.2, but patches for older versions have also been made available.

Unbound users have also been provided with a patch that addresses the flaw (CVE-2014-8602).

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.