Recursive Domain Name System (DNS) resolvers are plagued by a vulnerability that can be leveraged to cause them to crash due to resource exhaustion, the CERT Coordination Center at Carnegie Mellon University (CERT/CC) reported on Tuesday.
DNS resolvers process DNS queries with the aid of authoritative servers. If the authoritative server can’t process the request, it returns a referral response pointing to other servers that might be able to carry out the task. The problem is that a malicious authoritative server can cause some resolvers to follow an infinite chain of referrals, which can lead to a denial-of-service (DoS) state.
“A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service,” CERT/CC noted in its advisory. “Resolvers that follow multiple referrals at once can cause large bursts of network traffic.”
The organization also noted that it might be possible to launch a DoS attack against a target using DNS traffic.
The issue, discovered by Florian Maury of the French government information security agency ANSSI, affects at least three resolvers. On Monday, the Internet Systems Consortium (ISC) released security updates to address the vulnerability (CVE-2014-8500) in BIND, the most widely used DNS software on the Internet.
ISC pointed out in its advisory that “authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone.”
According to CERT/CC, the flaw also affects NLnet Labs’ Unbound, and PowerDNS Recursor. Products from Nominum, dnsmasq and djbdns are not impacted.
CERT/CC has notified several other organizations whose products might be affected, but so far, none of them have confirmed or denied the issue. The list includes Apple, Cisco, F5 Networks, GNU adns, Infoblox, MaraDNS, and Secure 64.
In the case of PowerDNS, the vulnerability has been assigned the CVE identifier CVE-2014-8601. The company says the latest version of PowerDNS Recursor (3.6.2, released in late October) is not affected by the bug because it includes a new feature that limits the amount of work performed to resolve a single query. Users are advised to update to PowerDNS Recursor 3.6.2, but patches for older versions have also been made available.
Unbound users have also been provided with a patch that addresses the flaw (CVE-2014-8602).