Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Recursive DNS Resolvers Affected by Serious Vulnerability

Recursive Domain Name System (DNS) resolvers are plagued by a vulnerability that can be leveraged to cause them to crash due to resource exhaustion, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) reported on Tuesday.

Recursive Domain Name System (DNS) resolvers are plagued by a vulnerability that can be leveraged to cause them to crash due to resource exhaustion, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) reported on Tuesday.

DNS resolvers process DNS queries with the aid of authoritative servers. If the authoritative server can’t process the request, it returns a referral response pointing to other servers that might be able to carry out the task. The problem is that a malicious authoritative server can cause some resolvers to follow an infinite chain of referrals, which can lead to a denial-of-service (DoS) state.

“A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service,” CERT/CC noted in its advisory. “Resolvers that follow multiple referrals at once can cause large bursts of network traffic.”

The organization also noted that it might be possible to launch a DoS attack against a target using DNS traffic.

The issue, discovered by Florian Maury of the French government information security agency ANSSI, affects at least three resolvers. On Monday, the Internet Systems Consortium (ISC) released security updates to address the vulnerability (CVE-2014-8500) in BIND, the most widely used DNS software on the Internet.

ISC pointed out in its advisory that “authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone.”

According to CERT/CC, the flaw also affects NLnet Labs’ Unbound, and PowerDNS Recursor. Products from Nominum, dnsmasq and djbdns are not impacted.


CERT/CC has notified several other organizations whose products might be affected, but so far, none of them have confirmed or denied the issue. The list includes Apple, Cisco, F5 Networks, GNU adns, Infoblox, MaraDNS, and Secure 64.

In the case of PowerDNS, the vulnerability has been assigned the CVE identifier CVE-2014-8601. The company says the latest version of PowerDNS Recursor (3.6.2, released in late October) is not affected by the bug because it includes a new feature that limits the amount of work performed to resolve a single query. Users are advised to update to PowerDNS Recursor 3.6.2, but patches for older versions have also been made available.

Unbound users have also been provided with a patch that addresses the flaw (CVE-2014-8602).

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.