DNS Vulnerabilities
The information on this page may be obsolete. For the current documentation, please log into the mySAINT portal using your customer login and password. Updated 10/23/25
Impact
This document covers several BIND vulnerabilities that malicious users can exploit to gain unauthorized, privileged access to target machines, disrupt service on target machines, or launch DNS spoofing attacks.
Background
The Berkeley Internet Name Daemon (BIND) is an implementation of the Domain Name Service (DNS) written primarily for UNIX Systems. BIND consists of three parts:
- Client: This part contains subroutine libraries used by programs that require DNS services. Example clients of these libraries are telnet, the X Windows System and ssh (the secure shell). The client part consists of subroutine libraries, header files, and manual pages.
- Server: This part contains the name server daemon (named) and its support program (named-xfer). These programs provide one source of the data used for mapping between host names and IP addresses. When appropriately configured, these name server daemons can interoperate across a network (the Internet for example) to provide the mapping services for that network. The server part consists of the daemon, its support programs and scripts, and manual pages.
- Tools: This part contains various tools for interrogating name servers in a network. They use the client part to extract information from those servers. The tools part consists of interrogation tools and manual pages.
A DNS server is generally one of the following types:
- Non-recursive or Authoritative: This type of DNS server usually acts as the Start of Authority (SOA) for one or more domains. Normally it only answers queries inside the governed domains and would not query other DNS servers.
- Recursive: This type of DNS server responds to queries about any domain. If it cannot resolve the request based on its own records, it queries other servers and passes the response back to the query's originator.
The Problems
10/23/25
CVE 2025-40778
CVE 2025-40780
CVE 2025-8677
The October 2025 security update for BIND addressed three vulnerabilities: cache poisoning due to a weak PRNG, cache poisoning with unsolicited resource records, and resource exhaustion via malformed DNSKEY handling.
07/16/25
CVE 2025-40776
CVE 2025-40777
The July 2025 security update for BIND fixed two vulnerabilities. First, a 'named' caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack. Second, if a 'named' caching resolver is configured with 'serve-stale-enable' 'yes' and with 'stale-answer-client-timeout' set to '0' (the only allowable value other than 'disabled'), and the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure.
05/21/25
CVE 2025-40775
When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7.
01/29/25
CVE 2024-11187
CVE 2024-12705
BIND 9.18.33, 9.18.33-S1, 9.20.5, and 9.21.4 fixed two vulnerabilities. First, an attacker could send queries that generate responses containing numerous records in the Additional section. This can cause either the authoritative server itself or an independent resolver to use disproportionate resources processing the queries. Second, clients using DNS-over-HTTPS (DoH) can exhaust a DNS resolver's CPU and/or memory by flooding it with crafted valid or invalid HTTP/2 traffic. Both of these vulnerabilities could result in a denial of service condition.
07/24/24
CVE 2024-0760
CVE 2024-1737
CVE 2024-1975
CVE 2024-4076
BIND 9.18.28, 9.20.0, and 9.18.28-S1 fixed four vulnerabilities:
- A flood of DNS messages over TCP may make the server unstable.
- BIND's database will be slow if a very large number of RRs exist at the same name.
- SIG(0) can be used to exhaust CPU resources.
- Assertion failure when serving both stale cache data and authoritative zone content.
02/13/24
CVE 2023-4408
CVE 2023-50387
CVE 2023-50868
CVE 2023-5517
CVE 2023-5679
CVE 2023-5680
CVE 2023-6516
BIND 9.16.48, 9.18.24, 9.19.21, 9.16.48-S1, and 9.18.24-S1 fixed six vulnerabilities:
- Parsing large DNS messages may cause excessive CPU load.
- Querying RFC 1918 reverse zones may cause an assertion failure when "nxdomain-redirect" is enabled.
- Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution.
- Specific recursive query patterns may lead to an out-of-memory condition.
- KeyTrap: extreme CPU consumption in DNSSEC validator.
- Cleaning an ECS-enabled cache may cause excessive CPU load.
- Preparing an NSEC3 closest encloser proof can exhaust CPU resources.
09/20/23
CVE 2023-3341
CVE 2023-4236
BIND 9.16.44, 9.18.19, 9.19.17, 9.16.44-S1, and 9.18.19-S1 fixed a stack exhaustion flaw in control channel code in named.
BIND 9.18.19 and 9.18.19-S1 fixed a denial of service vulnerability in named due to a flaw in the networking code handling DNS-over-TLS queries.
06/21/23
CVE 2023-2828
CVE 2023-2829
CVE 2023-2911
BIND Security Update for June 2023 addressed three vulnerabilities:
- named's configured cache size limit can be significantly exceeded.
- Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled.
- Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0.
01/26/23
CVE 2022-3094
CVE 2022-3488
CVE 2022-3736
CVE 2022-3924
BIND Security Update for January 2023 addressed multiple vulnerabilities:
- An UPDATE message flood may cause named to exhaust all available memory.
- named configured to answer from stale cache may terminate unexpectedly while processing RRSIG queries or at recursive-clients soft quota.
- BIND Supported Preview Edition named may terminate unexpectedly when processing ECS options in repeated responses to iterative queries.
09/21/22
CVE 2022-2795
CVE 2022-2881
CVE 2022-2906
CVE 2022-3080
CVE 2022-38177
CVE 2022-38178
BIND Security Update for September 2022 addressed multiple vulnerabilities:
- Processing large delegations may severely degrade resolver performance.
- Buffer overread in statistics channel code.
- Memory leaks in key processing when using TKEY records in Diffie-Hellman mode with OpenSSL 3.0.0 and later versions.
- BIND 9 resolvers configured to answer from stale cache with zero stale-answer-client-timeout may terminate unexpectedly.
- Memory leaks in ECDSA and EdDSA DNSSEC verification code.
05/19/22
CVE 2022-1183
BIND 9.18.0 through 9.18.2 and 9.19.0 are affected by a denial of service vulnerability when DNS over HTTPS is enabled. The named daemon, in some circumstances, may terminate with an assertion failure if a TLS connection is destroyed too early.
03/17/22
CVE 2021-25220
CVE 2022-0396
CVE 2022-0635
CVE 2022-0667
BIND Security Update for March 16, 2022 addressed multiple vulnerabilities:
- DNS forwarders cache could become poisoned with incorrect records leading to queries being made to the wrong servers, which might also result in false information being returned to clients.
- Specifically crafted TCP streams can cause connections to BIND to remain in CLOSE_WAIT status for an indefinite period of time, even after the client has terminated the connection.
- Repeated patterns of specific queries to servers with synth-from-dnssec enabled could cause an INSIST failure in query.c:query_dname which causes named to terminate unexpectedly.
- Assertion failure on delayed DS lookup.
11/01/21
CVE 2021-25219
In BIND 9.3.0 through 9.11.35, 9.12.0 through 9.16.21, and versions 9.9.3-S1 through 9.11.35-S1 and 9.16.8-S1 through 9.16.21-S1 of BIND Supported Preview Edition, as well as release versions 9.17.0 through 9.17.18 of the BIND 9.17 development branch, exploitation of broken authoritative servers using a flaw in response processing can cause degradation in BIND resolver performance.
The way the lame cache is currently designed makes it possible for its internal data structures to grow almost infinitely, which may cause significant delays in client query processing.
08/18/21
CVE 2021-25218
In BIND 9 releases 9.16.19, 9.17.16, and 9.16.19-S1, if "named" attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active, an assertion failure is triggered.
04/29/21
CVE 2021-25214
CVE 2021-25215
CVE 2021-25216
The BIND Security Update for April 2021 addressed two assertion failure vulnerabilities and one buffer overflow vulnerability.
03/12/21
CVE 2006-0987
The default configuration of ISC BIND before 9.4.1-P1, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.
02/18/21
CVE 2020-8625
BIND servers are vulnerable if they are running an affected version and are configured to use GSS-TSIG features.
In a configuration which uses BIND's default settings the vulnerable code path is not exposed, but a server can be rendered vulnerable by explicitly setting valid values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.
Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers.
The most likely outcome of a successful exploitation of the vulnerability is a crash of the named process.
However, remote code execution, while unproven, is theoretically possible.
08/21/20
CVE 2020-8620
CVE 2020-8621
CVE 2020-8622
CVE 2020-8623
CVE 2020-8624
The BIND Security Update for August addressed multiple vulnerabilities:
- A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c.
- Attempting QNAME minimization after forwarding can lead to an assertion failure in resolver.c.
- A truncated TSIG response can lead to an assertion failure.
- A flaw in native PKCS#11 code can lead to a remotely triggerable assertion failure in pk11.c.
- Update-policy rules of type "subdomain" are enforced incorrectly.
06/18/20
CVE 2020-8618
CVE 2020-8619
BIND Security Update for June 2020 addressed two vulnerabilities.
First, an attacker who is permitted to send zone data to a server via zone transfer can exploit this to intentionally trigger the assertion failure with a specially constructed zone, denying service to clients.
Second, an asterisk character in an empty non-terminal can cause an assertion failure.
A would-be attacker who is allowed to change zone content could theoretically introduce such a record in order to exploit this condition to cause denial of service, though we consider the use of this vector unlikely because any such attack would require a significant privilege level and be easily traceable.
05/19/20
CVE 2020-8616
CVE 2020-8617
BIND Security Update for May 2020 addressed two vulnerabilities.
First, BIND does not sufficiently limit the number of fetches performed when processing referrals.
The attacker can exploit this behavior to use the recursing server as a reflector in a reflection attack with a high amplification factor or can potentially degrade the performance of the recursing server.
Second, a logic error in code which checks TSIG validity can be used to trigger an assertion failure in tsig.c.
11/21/19
CVE 2019-6477
BIND versions prior to 9.11.13, 9.14 prior to 9.14.8, and 9.15 prior to 9.15.6 are vulnerable to a denial of service attack.
On a server with TCP-pipelining capability, it is possible for one TCP client to send a large number of DNS requests over a single connection.
Each outstanding query will be handled internally as an independent client request, thus bypassing the new TCP clients limit.
With pipelining enabled each incoming query on a TCP connection requires a similar resource allocation to a query received via UDP or via TCP without pipelining enabled. A client using a TCP-pipelined connection to a server could consume more resources than the server has been provisioned to handle.
When a TCP connection with a large number of pipelined queries is closed, the load on the server releasing these multiple resources can cause it to become unresponsive, even for queries that can be answered authoritatively or from cache.
10/16/19
CVE 2019-6475
CVE 2019-6476
BIND 9.14 prior to 9.14.7 and BIND 9.15 prior to 9.15.5 are prone to two vulnerabilities.
First, a flaw in mirror zone validity checking can allow zone data to be spoofed.
Second, an error in QNAME minimization code can cause BIND to exit with an assertion failure.
06/20/19
CVE 2019-6471
A race condition which may occur when discarding malformed packets can result in BIND exiting due to a REQUIRE assertion failure in dispatch.c.
An attacker who can cause a resolver to perform queries which will be answered by a server which responds with deliberately malformed answers can cause named to exit, denying service to clients.
04/26/19
CVE 2019-6468
In BIND Supported Preview Edition version 9.10.5-S1 through 9.11.5-S5, an error in the nxdomain-redirect feature can occur in versions which support EDNS Client Subnet (ECS) features.
In those versions which have ECS support, enabling nxdomain-redirect is likely to lead to BIND exiting due to assertion failure.
04/25/19
CVE 2018-5743
By design, BIND is intended to limit the number of TCP clients that can be connected at any given time. The number of allowed connections is a tunable parameter which, if unset, defaults to a conservative value for most servers.
Unfortunately, the code which was intended to limit the number of simultaneous connections contains an error which can be exploited to grow the number of simultaneous connections beyond this limit.
By exploiting the failure to limit simultaneous TCP connections, an attacker can deliberately exhaust the pool of file descriptors available to named, potentially affecting network connections and the management of files such as log files or zone journal files.
In cases where the named process is not limited by OS-enforced per-process limits, this could additionally potentially lead to exhaustion of all available free file descriptors on that system.
04/25/19
CVE 2019-6467
A programming error in the nxdomain-redirect feature can cause an assertion failure in query.c if the alternate namespace used by nxdomain-redirect is a descendant of a zone that is served locally.
An attacker who can deliberately trigger the condition on a server with a vulnerable configuration can cause BIND to exit, denying service to other clients.
02/25/19
CVE 2018-5744
CVE 2018-5745
BIND 9.10.7 through 9.10.8-P1, 9.11.3 through 9.11.5-P1, 9.12.0 through 9.12.3-P1, and versions 9.10.7-S1 through 9.11.5-S3 of BIND 9 Supported Preview Edition are affected by two denial of service vulnerabilities.
First, a specially crafted packet can cause named to leak memory and can potentially cause named's memory use to grow without bounds until all memory available to the process is exhausted.
Second, an assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys.
02/22/19
CVE 2019-6465
BIND versions 9.9.0 through 9.10.8-P1, 9.11.0 through 9.11.5-P2, 9.12.0 through 9.12.3-P2, and versions 9.9.3-S1 through 9.11.5-S3 of BIND 9 Supported Preview Edition are affected by an issue where controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable.
A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.
12/19/18
CVE 2018-5742
BIND version 9.9.4-65 shipped in Red Hat Enterprise Linux 7 is vulnerable to an issue when the debug log level is 10 or higher, allowing for remote attackers to cause a crash via crafted queries.
09/20/18
CVE 2018-5741
BIND versions prior to 9.11.5 and 9.12.x prior to 9.12.3 are prone to a vulnerability, which could allow a remote authenticated user to modify other records on the server.
The vulnerability exists due to a documentation issue in the "update-policy" feature for the "krb5-subdomain" and "ms-subdomain" update policies, which could mislead operators into believing that policies they had configured were more restrictive than they actually were.
08/09/18
CVE 2018-5740
BIND versions 9.7.0 through 9.8.8, 9.9.0 through 9.9.13, 9.10.0 through 9.10.8, 9.11.0 through 9.11.4, 9.12.0 through 9.12.2, and 9.13.0 through 9.13.2 are affected by a vulnerability, which could result in a denial of service.
The vulnerability exists due to a flaw in the "deny-answer-aliases" feature which will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients.
06/13/18
CVE 2018-5738
Some versions of BIND can improperly permit recursive queries to a BIND nameserver.
The vulnerability exists when the server is configured with "recursion yes" and no match list values are provided for "allow-query-cache" or "allow-query": the setting of "allow-recursion" may then improperly permit recursion to all clients.
05/21/18
CVE 2018-5737
A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off. Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging. As a result, this vulnerability could cause operational problems depending on the particular manifestation -- either degradation or denial of service.
05/21/18
CVE 2018-5736
BIND versions 9.12 and 9.12.1 are prone to a vulnerability in zone database reference counting which can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession.
This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test.
03/01/18
CVE 2018-5734
While handling a particular type of malformed packet, BIND erroneously selects a SERVFAIL rcode instead of a FORMERR rcode.
If the receiving view has the SERVFAIL cache feature enabled, this can trigger an assertion failure in badcache.c when the request doesn't contain all of the expected information.
BIND 9.10.5-S1 to 9.10.5-S4, 9.10.6-S1, and 9.10.6-S2 are vulnerable if they allow recursion, unless the SERVFAIL cache is disabled for the receiving view.
02/20/18
CVE 2018-5735
BIND versions as shipped with Debian 7 are affected by a vulnerability, which could result in a denial of service.
The vulnerability exists due to a flaw in validator.c in the handling of DNSSEC validation.
This issue is closely related to CVE 2017-3139.
01/19/18
CVE 2017-3145
BIND 9.0.0 to 9.8.x, 9.9.0 to 9.9.11, 9.10.0 to 9.10.6, 9.11.0 to 9.11.2, 9.9.3-S1 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1 are affected by a vulnerability, which could result in a denial of service condition.
The vulnerability exists due to a flaw during cleanup operations which can lead to a use-after-free error.
06/30/17
CVE 2017-3142
CVE 2017-3143
BIND 9.4.0 through 9.8.8, 9.9.0 through 9.9.10-P1, 9.10.0 through 9.10.5-P1, 9.11.0 through 9.11.1-P1,
9.9.3-S1 through 9.9.10-S2, and 9.10.5-S1 through 9.10.5-S2 are affected by two vulnerabilities,
which could allow an unauthorized user to bypass TSIG authentication to transfer or update zone contents.
06/15/17
CVE 2017-3141
BIND 9.2.6-P2 through 9.2.9, 9.3.2-P1 through 9.3.6, 9.4.0 through 9.8.8, 9.9.0 through 9.9.10, 9.10.0 through 9.10.5,
9.11.0 through 9.11.1, 9.9.3-S1 through 9.9.10-S1, and 9.10.5-S1 are affected by a vulnerability, which could allow
a local user to achieve privilege escalation if the host file system permissions allow this.
The vulnerability exists because the BIND installer on Windows uses an unquoted service path.
06/15/17
CVE 2017-3140
BIND 9.9.10, 9.10.5, 9.11.0 through 9.11.1, 9.9.10-S1, 9.10.5-S1 are affected by a vulnerability, which could result in a denial of service.
The vulnerability exists due to a flaw in the way BIND handled processing of Response Policy Zones (RPZ) rules.
05/10/17
CVE 2017-3139
BIND versions as shipped with Red Hat Enterprise Linux 6 are affected by a vulnerability, which could result in a denial of service.
The vulnerability exists due to a flaw in the way BIND handled DNSSEC validation.
04/14/17
CVE 2017-3136
A vulnerability in BIND when using DNS64 could allow an attacker to construct a query which causes an assertion failure, leading to a denial of service. The break-dnssec option must be enabled in order for the vulnerability to be exploited.
BIND 9.8.0 through 9.8.8-P1, 9.9.0 through 9.9.9-P6, 9.9.10b1 through 9.9.10rc1, 9.10.0 through 9.10.4-P6, 9.10.5b1 through 9.10.5rc1, 9.11.0 through 9.11.0-P3, 9.11.1b1 through 9.11.1rc1, and 9.9.3-S1 through 9.9.9-S8 are affected by this vulnerability.
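The affected-version list above mixes beta, release-candidate, -P and -S releases, which plain string or dotted-number comparison orders wrongly. The following added example (not part of the original page or of BIND; the function names are hypothetical) parses such version strings and tests them against the CVE 2017-3136 ranges listed above. It assumes the ordering alpha < beta < rc < final < -P, treats -S (Supported Preview Edition) releases as a separate line, and rejects other formats such as ESV strings.

```python
import re

# Inclusive (first, last) pairs copied from the CVE 2017-3136 entry above.
CVE_2017_3136_RANGES = [
    ("9.8.0", "9.8.8-P1"),
    ("9.9.0", "9.9.9-P6"),
    ("9.9.10b1", "9.9.10rc1"),
    ("9.10.0", "9.10.4-P6"),
    ("9.10.5b1", "9.10.5rc1"),
    ("9.11.0", "9.11.0-P3"),
    ("9.11.1b1", "9.11.1rc1"),
    ("9.9.3-S1", "9.9.9-S8"),
]

# Assumed release ordering: alpha < beta < release candidate < final < -P patch.
_STAGE_RANK = {"a": 0, "b": 1, "rc": 2, "": 3, "P": 4}

# x.y.z, optionally followed by a pre-release tag (a1, b2, rc1)
# or by a -P<n> / -S<n> suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+)|-(P|S)(\d+))?$")


def parse_bind_version(text):
    """Return (track, sort_key) for a BIND 9 version string.

    track is "S" for Supported Preview Edition releases and "main" for
    everything else; keys are only comparable within the same track.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported BIND version format: %r" % text)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    pre, pre_n, suffix, suffix_n = m.group(4, 5, 6, 7)
    if suffix == "S":
        return "S", (major, minor, patch, int(suffix_n))
    stage = pre or suffix or ""
    number = int(pre_n or suffix_n or 0)
    return "main", (major, minor, patch, _STAGE_RANK[stage], number)


def in_range(version, first, last):
    """True if version lies in the inclusive range first..last on the same track."""
    track, key = parse_bind_version(version)
    first_track, first_key = parse_bind_version(first)
    last_track, last_key = parse_bind_version(last)
    if first_track != last_track:
        raise ValueError("range endpoints are on different release tracks")
    return track == first_track and first_key <= key <= last_key


def is_affected(version, ranges=CVE_2017_3136_RANGES):
    """True if version falls inside any of the listed affected ranges."""
    return any(in_range(version, first, last) for first, last in ranges)


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for sample in ["9.9.9-P6", "9.9.10b2", "9.9.10", "9.11.0-P5", "9.9.9-S9"]:
        print(sample, "affected" if is_affected(sample) else "not listed")
```

Distribution packages often backport fixes without changing the upstream version string, so a match is a prompt to check the vendor's advisory rather than proof of exposure.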
04/14/17
CVE 2017-3137
A vulnerability in BIND could allow an attacker to cause an assertion failure in a server which is performing recursion. The attacker would need to be able to cause the server to receive a response containing CNAME or DNAME resource records with certain ordering.
BIND 9.9.9-P6, 9.9.10b1 through 9.9.10rc1, 9.10.4-P6, 9.10.5b1 through 9.10.5rc1, 9.11.0-P3, 9.11.1b1 through 9.11.1rc1, and 9.9.9-S8 are affected by this vulnerability.
04/14/17
CVE 2017-3138
BIND is affected by a denial-of-service vulnerability if the control channel is configured. An attacker who sends a null command string to the control channel can trigger a REQUIRE assertion failure, causing the service to terminate. The attacker must reside on a host which is within the ACL permitted access to the control channel in order to exploit the vulnerability.
BIND 9.9.9 through 9.9.9-P7, 9.9.10b1 through 9.9.10rc2, 9.10.4 through 9.10.4-P7, 9.10.5b1 through 9.10.5rc2, 9.11.0 through 9.11.0-P4, 9.11.1b1 through 9.11.1rc2, and 9.9.9-S1 through 9.9.9-S9 are affected by this vulnerability.
02/09/17
CVE 2017-3135
ISC BIND 9.8.8, 9.9.3-S1 through 9.9.9-S7, 9.9.3 through 9.9.9-P5, 9.9.10b1, 9.10.0 through 9.10.4-P5, 9.10.5b1, 9.11.0 through 9.11.0-P2, and 9.11.1b1,
are prone to denial of service attacks.
Some configurations using both DNS64 and RPZ can lead to an INSIST assertion failure or a NULL pointer read,
which causes the process to be terminated.
01/12/17
CVE 2016-9131
CVE 2016-9147
CVE 2016-9444
CVE 2016-9778
Multiple assertion failures during recursion, which could lead to denial of service to clients, are fixed in ISC BIND:
- ISC BIND 9.4.0 through 9.6-ESV-R11-W1, 9.8.5 through 9.8.8, 9.9.3 through 9.9.9-P4, 9.9.9-S1 through 9.9.9-S6, 9.10.0 through 9.10.4-P4, and 9.11.0 through 9.11.0-P1 are affected by a flaw when handling a malformed query response received by a recursive server in response to a query of RTYPE ANY.
- ISC BIND 9.9.9-P4, 9.9.9-S6, 9.10.4-P4, and 9.11.0-P1 are affected by a flaw when handling a query response containing inconsistent DNSSEC information.
- ISC BIND 9.6-ESV-R9 through 9.6-ESV-R11-W1, 9.8.5 through 9.8.8, 9.9.3 through 9.9.9-P4, 9.9.9-S1 through 9.9.9-S6, 9.10.0 through 9.10.4-P4, and 9.11.0 through 9.11.0-P1 are affected by a flaw when handling an unusually-formed answer containing a DS resource record.
- ISC BIND 9.9.8-S1 through 9.9.8-S3, 9.9.9-S1 through 9.9.9-S6, and 9.11.0 through 9.11.0-P1 are affected by a flaw in handling certain queries when a server is using the nxdomain-redirect feature to cover a zone for which it is also providing authoritative service.
11/02/16
CVE 2016-8864
ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.9-P3, 9.9.3-S1 through 9.9.9-S6, 9.10.0 through 9.10.4-P4, and 9.11.0 are prone to a denial of service attack.
The vulnerability exists due to BIND's handling of responses containing a DNAME answer.
A server encountering an assertion error in db.c or resolver.c will stop, resulting in denial of service.
10/24/16
CVE 2016-2848
ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record.
09/27/16
CVE 2016-2776
ISC BIND 9.0.x through 9.8.x, 9.9.0 through 9.9.9-P2, 9.9.3-S1 through 9.9.9-S3, 9.10.0 through 9.10.4-P2, and 9.11.0a1 through 9.11.0rc1 are prone to a denial of service attack.
The vulnerability exists due to a flaw in the rendering of messages into packets when a nameserver is constructing a response to a query that meets certain criteria.
07/29/16
CVE 2016-2775
ISC BIND 9.0.x through 9.9.9-P1, 9.10.0 through 9.10.4-P1, and 9.11.0a3 through 9.11.0b1 are prone to a denial of service attack.
The vulnerability exists due to an error in the lwresd utility when a query name exceeds the maximum allowable length.
07/08/16
CVE 2016-6170
ISC BIND through 9.10.4-P1 allows primary DNS servers to cause a denial of service (secondary DNS server crash) via a large AXFR response,
and possibly allows IXFR servers to cause a denial of service (IXFR client crash) via a large IXFR response,
and allows remote authenticated users to cause a denial of service (primary DNS server crash) via a large UPDATE message.
03/11/16
CVE 2016-2088
resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies are enabled, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed packet with more than one cookie option.
03/10/16
CVE 2016-1285
CVE 2016-1286
- named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c.
- named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted signature record for a DNAME record, related to db.c and resolver.c.
03/03/16
CVE 2016-1284
rdataset.c in ISC BIND 9 Supported Preview Edition 9.9.8-S before 9.9.8-S5, when nxdomain-redirect is enabled,
allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit)
via crafted flag values in a query.
01/22/16
CVE 2015-8704
CVE 2015-8705
ISC BIND is affected by two vulnerabilities.
First, ISC BIND versions 9.3.0 through 9.8.8, 9.9.0 through 9.9.8-P2, 9.9.3-S1 through 9.9.8-S3, and 9.10.0 through 9.10.3-P2
are vulnerable to a buffer overflow that can cause named to exit with an INSIST failure in apl_42.c.
Second, ISC BIND versions 9.10.0 through 9.10.3-P2 are vulnerable due to errors in converting OPT resource records
and ECS options to text format, which may result in a REQUIRE assertion failure in buffer.c.
12/16/15
CVE 2015-8461
ISC BIND versions 9.9.8 through 9.9.8-P1, 9.9.8-S1 through 9.9.8-S2, 9.10.3 through 9.10.3-P1 are prone to denial of service attacks.
The vulnerability exists due to a flaw in BIND 9 which can cause a server to exit after encountering an INSIST assertion
failure in resolver.c.
12/16/15
CVE 2015-8000
ISC BIND versions 9.0.x through 9.9.8-P1, 9.10.0 through 9.10.3-P1 are prone to denial of service attacks.
The vulnerability exists due to a flaw in the parsing of incoming responses
with a malformed class attribute. An attacker who can cause a server to request a record with a malformed
class attribute can use this vulnerability to trigger a REQUIRE assertion in db.c, causing named
to exit and denying service to clients.
09/03/15
CVE 2015-5986
ISC BIND versions 9.9.7 through 9.9.7-P2 and 9.10.2 through 9.10.2-P3 are prone to denial of service attacks.
The vulnerability exists due to an incorrect boundary check in "openpgpkey_61.c" which can cause
named to terminate due to a REQUIRE assertion failure, resulting in denial of service to clients.
09/03/15
CVE 2015-5722
ISC BIND versions 9.0.0 through 9.8.8, 9.9.0 through 9.9.7-P2, and 9.10.0 through 9.10.2-P3
are prone to denial of service attacks. The vulnerability exists due to a flaw in the way
the application parses a malformed DNSSEC key. The vulnerability may cause BIND to exit
due to a failed assertion in "buffer.c".
07/29/15
CVE 2015-5477
ISC BIND versions 9 through 9.9.7-P1 and 9.10.0 through 9.10.2-P2 are prone to denial of service attacks.
The vulnerability exists due to a flaw in the way the application handles queries for TKEY records.
A remote attacker could use this flaw to trigger a REQUIRE assertion failure, causing BIND to exit unexpectedly.
07/07/15
CVE 2015-4620
ISC BIND versions 9.7.1 through 9.9.7 before 9.9.7-P1 and 9.10.0 through 9.10.2-P1 are prone to a vulnerability,
which can cause a resolver to crash when validating specially constructed zone data.
This means that a recursive resolver that is performing DNSSEC validation can be deliberately stopped by an attacker who can cause the resolver to perform a query against a maliciously-constructed zone.
02/20/15
CVE 2015-1349
ISC BIND versions 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before 9.10.1-P2 are prone to a vulnerability,
which can be exploited by a remote attacker to cause the named service to crash. When BIND servers are configured to perform DNSSEC validation and are using managed-keys, the vulnerability is triggered when handling a certain set of conditions in managed trust anchors.
12/11/14
CVE 2014-8680
ISC BIND versions 9.10.0 to 9.10.1 are prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability exists due to unspecified flaws in the GeoIP feature.
12/11/14
CVE 2014-8500
ISC BIND versions before 9.9.6-P1 and before 9.10.1-P1 are prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability exists due to a flaw in the Domain Name Service when handling
a maliciously-constructed zone or queries from a rogue server.
06/17/14
CVE 2014-3859
ISC BIND versions before 9.10.0-P2 are prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability exists due to an error in the EDNS option processing.
The vulnerability can be exploited to cause named to terminate with an assertion failure
when handling a specially crafted query.
05/12/14
CVE 2014-3214
ISC BIND versions before 9.10.0-P1 are prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability exists due to an error in the prefetch feature when processing certain queries.
The vulnerability can be exploited to trigger an assertion failure and could cause a crash when
a recursive nameserver is enabled.
01/17/14
CVE 2014-0591
ISC BIND versions before 9.9.4-P2, 9.8.6-P2, and 9.6-ESV-R10-P2 are prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability exists due to an error when handling queries for NSEC3-signed zones.
The vulnerability can be exploited to cause a crash with an "INSIST" failure by sending a
specially crafted query.
Note: Successful exploitation requires an authoritative nameserver serving at least one NSEC3-signed zone.
11/12/13
CVE 2013-6230
ISC BIND versions before 9.9.4-P1, 9.8.6-P1, and 9.6-ESV-R10-P1 are prone to a vulnerability,
which can be exploited to bypass certain security restrictions.
The vulnerability exists because of insecure handling in the Winsock WSAIoctl API.
The vulnerability can be exploited to bypass ACLs and gain access to the features
accessible to the "localnets" ACL.
08/02/13
CVE 2013-4854
ISC BIND versions 9.8.0 through 9.8.5-P1 and versions 9.9.0 through 9.9.3-P1 are prone to a vulnerability,
which can be exploited to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when parsing RDATA within a DNS query and can be exploited to crash the server via a specially crafted query.
06/13/13
CVE 2013-3919
ISC BIND versions 9.6-ESV-R9, 9.8.5, 9.9.3, and prior are prone to a vulnerability,
which can be exploited to cause a DoS (Denial of Service).
The vulnerability is caused by an error when handling recursive queries for zones.
The vulnerability can be exploited to cause a crash.
03/28/13
CVE 2013-2266
ISC BIND before 9.8.4-P2 and 9.9.2-P2 is prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an unspecified error when handling regular expressions.
This can be exploited to exhaust memory resources and render the server unusable.
01/28/13
CVE 2012-5689
ISC BIND versions 9.8.0 through 9.8.4-P1 and 9.9.0 through 9.9.2-P1 are prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when remapping A records into AAAA records while handling AAAA
record lookups for an A record rewrite rule in a Response Policy Zone (RPZ). This can be exploited to trigger
an assertion failure and terminate the named process.
Successful exploitation requires configurations involving DNS64 with a Response Policy Zone that lacks an AAAA rewrite rule.
12/10/12
CVE 2012-5688
ISC BIND versions 9.8.0 through 9.8.4 and 9.9.0 through 9.9.2 are prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within the DNS64 IPv6 transition mechanism when handling certain queries,
which can be exploited to trigger a REQUIRE assertion and crash the server via a specially crafted DNS query.
10/12/12
CVE 2012-5166
ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before 9.9.1-P4, and 9.6-ESV before 9.6-ESV-R7-P4 is prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused by an error when handling queries for certain records and can be exploited to cause the named process to lock up.
09/18/12
CVE 2012-4244
ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 is prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an assertion error when processing resource records having RDATA greater than 65535 bytes.
This can be exploited to e.g. crash a recursive server via a query that requests a record from an authoritative server.
07/30/12
CVE 2012-3817
CVE 2012-3868
ISC BIND before 9.9.1-P2, 9.8.3-P2, 9.7.6-P2, or 9.6-ESV-R7-P2 is prone to two vulnerabilities,
which can be exploited by malicious people to cause a DoS (Denial of Service).
- An error when handling certain queries can be exploited to use a "bad cache" data structure and trigger an assertion.
- A memory leak error when processing TCP queries can be exploited to increase the number of misplaced ns_client objects and trigger an out-of-memory condition.
06/07/12
CVE 2012-1667
ISC BIND before 9.6-ESV-R7-P1, 9.7.6-P1, 9.8.3-P1, or 9.9.1-P1 is prone to a vulnerability, which can be exploited by malicious people to cause a crash, restart or disclose some portion of memory to the client. The vulnerability is caused due to an error when handling DNS resource records containing zero length rdata.
02/15/12
CVE 2012-1033
ISC BIND 9.x is prone to a vulnerability,
which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an error within the cache update policy, which does not properly handle revoked domain names.
This can be exploited to keep the domain name resolvable after being deleted from registration.
11/25/11
CVE 2011-4313
BIND 9 is affected by a denial-of-service vulnerability,
in which queries for a certain type of invalid cached record
crash the DNS resolver service after logging an error.
BIND 9.0 to 9.6, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV through 9.6-ESV-R5, 9.7.0 to 9.7.4, 9.8.0, 9.8.1, and 9.9.0a1 to 9.9.0b1 are affected by this vulnerability.
07/12/11
CVE 2011-2464
CVE 2011-2465
ISC BIND before 9.8.0-P4 is prone to multiple Denial of Service vulnerabilities:
- Errors within the "Response Policy Zones" (RPZ) feature when processing DNAME and CNAME records can be exploited to terminate the named process.
- A vulnerability is caused due to an error when handling UPDATE requests.
06/01/11
CVE 2011-1910
ISC BIND before 9.4-ESV-R4-P1, 9.6-ESV-R4-P1, 9.7.3-P1 or 9.8.0-P2 is prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an assertion error within the processing of negative responses containing large RRSIG RRsets.
05/16/11
CVE 2011-1907
BIND 9.8.0 is prone to a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an assertion failure when processing RRSIG queries
if the Response Policy Zones mechanism is used for RRset replacement, which can be exploited to terminate the server via RRSIG queries.
03/09/11
CVE 2011-0414
ISC BIND 9.7.1 through 9.7.2-P3, when configured as an authoritative server, allows remote attackers to cause a denial of service by sending a query at the time of
(1) an IXFR transfer or (2) a DDNS update.
01/05/11
CVE 2010-3762
ISC BIND before 9.7.2-P2 is prone to a remote denial-of-service vulnerability because the software fails to handle certain bad signatures in a DNS query.
An attacker can exploit this issue to cause the application to crash, denying service to legitimate users.
12/17/10
CVE 2010-3613
CVE 2010-3614
CVE 2010-3615
BIND versions prior to 9.4-ESV-R4, 9.6.2-P3, 9.6-ESV-R3, and 9.7.2-P3 are affected by three vulnerabilities:
- Certain types of signed negative responses in the cache could cause a crash.
- Answers could incorrectly be marked insecure after a DNSKEY algorithm rollover.
- Access control bypass due to failure to check view and global allow-query settings. (9.7.x only)
10/13/10
CVE 2010-0218
ISC BIND before 9.7.2-P2 is prone to a security-bypass vulnerability and a denial-of-service vulnerability.
Successfully exploiting these issues allows remote attackers to crash affected DNS servers, denying further service to legitimate users,
and to bypass certain security restrictions and perform unauthorized actions.
08/03/10
CVE 2010-0213
ISC BIND before 9.7.1-P2 is prone to a remote denial-of-service vulnerability
because the software fails to handle certain record types.
An attacker can exploit this issue to cause the application to fall into an infinite loop,
denying service to legitimate users.
CVE 2010-0290
BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta, with DNSSEC validation enabled and checking disabled, is vulnerable to a DNS cache poisoning vulnerability. Remote attackers can receive a recursive client query and send a response that contains CNAME or DNAME records which are not properly validated before caching.
CVE 2010-0382
ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta
mishandles out-of-bailiwick data accompanying a secure response by not re-fetching from the original source.
Remote attackers who send a crafted response can cause unspecified impact.
02/03/10
CVE 2010-0097
ISC BIND 9 is prone to a remote cache-poisoning vulnerability.
An attacker may leverage this issue to manipulate cache data,
potentially facilitating man-in-the-middle, site-impersonation,
or denial-of-service attacks.
12/16/09
CVE 2009-4022
ISC BIND 9 is prone to a remote cache-poisoning vulnerability.
An attacker may leverage this issue to manipulate cache data,
potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks.
12/16/09
CVE 2009-0025
BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.
CVE 2009-0265
BIND 9.6.0 and earlier incorrectly checks the result after calling the EVP_VerifyFinal function, which leads to malformed signatures being treated as good signatures. A remote attacker could bypass validation of the certificate chain by presenting a malformed SSL/TLS signature.
08/05/09
CVE 2009-0696
There is a denial of service vulnerability in ISC BIND 9.
This vulnerability is due to an error when ISC BIND 9 handles dynamic update messages.
An unprivileged remote attacker can exploit this flaw by sending malicious dynamic update requests
to a target DNS server. Successful exploitation would cause a denial of service condition.
CVE 2008-4163
BIND 9.3.5-P2-W2, 9.4.2-P2-W2, 9.5.0-P2-W2, and earlier allow a remote attacker to cause the UDP client handler to shut down. This can lead to denial of service.
07/09/08
CVE 2008-1447
The DNS protocol in BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1 allows remote
attackers to spoof DNS traffic via cache poisoning techniques. These techniques are
made possible by insufficient randomness of DNS transaction IDs and source ports.
02/05/08
CVE 2008-0122
Multiple applications that use the libbind BIND library are
vulnerable to an off-by-one buffer overflow attack by remote unauthenticated
users. This vulnerability is a result of the inet_network()
function not properly sanitizing user input before copying it to another
undersized memory buffer. Successfully exploiting this vulnerability may
allow attackers to execute arbitrary code in the context of the application.
Unsuccessful attacks may cause the applications to crash, thereby causing
denial of service. BIND versions 9.5.x prior to 9.5.0b2,
9.4.x prior to 9.4.3, and prior to 9.3.5 are vulnerable.
12/25/07
CVE 2007-6283
Under certain conditions, Fedora Core 8 and Red Hat Enterprise 5
leave the /etc/rndc.conf file accessible to all users, allowing
local users to stop named, change the logging level, request a
configuration or zone file reload, and disable updates of dynamic zones.
08/30/07
CVE 2007-2930
Versions 8.2 through 8.4.7 (unpatched) of the BIND software use a weak algorithm to generate DNS query identifiers.
This condition allows an attacker to reliably guess the next query ID, thereby allowing for DNS cache poisoning attacks.
07/27/07
CVE 2007-2925
The default access control lists (ACLs) are not correctly set in BIND 9.4.0, 9.4.1, and 9.5.0a1 through 9.5.0a5, allowing remote attackers to make recursive queries or query the cache contents.
07/27/07
CVE 2007-2926
A cryptographic weakness in the generation of DNS query
IDs could expose the DNS server to a cache poisoning
attack.
This bug only affects outgoing queries, generated by BIND 9 to answer questions as a resolver, or when it is looking up data for internal uses, such as when sending NOTIFYs to slave name servers.
BIND 9.2 through 9.2.8, 9.3 through 9.3.4, 9.4 through 9.4.1, and 9.5.0a1 through 9.5.0a5
are affected by this vulnerability.
05/02/07
CVE 2007-2241
BIND versions 9.4.0 and 9.5.0a1-9.5.0a3 have a vulnerability leading to
denial of service. The vulnerability is caused by an assertion
failure in the query_addsoa function while handling
DNS messages. Remote attackers can exploit this vulnerability
by sending a specially crafted sequence
of queries and cause a denial of service condition in the DNS server.
02/02/07
CVE 2007-0493
Under certain circumstances the named application can be
caused to access a fetch context in an area of memory that has already
been freed, resulting in named exiting unintentionally.
BIND versions 9.3.0-9.3.3, 9.4.0a1-9.4.0a6, 9.4.0b1, and 9.5.0a1 are
vulnerable.
02/02/07
CVE 2007-0494
When recursion and DNSSEC validation have been enabled on a DNS server, BIND
may be vulnerable to a denial of service attack. In situations where a
recursive/DNSSEC-enabled server requests ANY record type for the domain,
and the authoritative server returns multiple signed records, a failure in
the DNSSEC validation of these records may cause the named
process of the requesting server to exit unintentionally. BIND versions
9.0.x, 9.1.x, 9.2.0-9.2.7, 9.3.0-9.3.3, 9.4.0a1-9.4.0a6, 9.4.0b1-9.4.0b4,
9.4.0rc1, and 9.5.0a1 are vulnerable if configured to enable recursion and
DNSSEC validation.
12/04/06
CVE 2006-4339
Some Linux versions of BIND prior to 9.3.1 are affected by
a vulnerability in the DNSSEC implementation. This is caused
by a vulnerability in OpenSSL which, when an RSA key with exponent 3 is used, removes PKCS-1 padding
before generating a hash. This allows remote attackers to forge
a PKCS #1 v1.5 signature.
09/09/06
CVE 2006-4095
CVE 2006-4096
ISC BIND versions prior to 9.2.6 Patch 1 and 9.3.0 through 9.3.2 Patch 1 are vulnerable to two denial
of service vulnerabilities. One is caused by crafted malformed SIG
queries, the other by a flood of recursive queries which cause an
INSIST failure.
05/08/06
CVE 2006-2073
ISC BIND version 9.3.2 is vulnerable to a denial of service vulnerability caused
by a broken TSIG in the second or later message of a zone transfer.
However, since a correct TSIG is required in the first message, ISC
has decided to fix this vulnerability in a later scheduled BIND release. Previous releases
are also vulnerable.
CVE 2006-0527
BIND before 9.0 is vulnerable to a remote cache corruption attack via affected name servers. This could lead to remote users gaining unauthorized, privileged access to affected servers.
01/27/05
CVE 2005-0033
There is a buffer overflow in the array which is used to track
name servers and addresses which have been queried. This could
allow a remote attacker to crash named if recursion
or glue-fetching is enabled. BIND 8.4.4 and 8.4.5 are affected
by this vulnerability.
01/27/05
CVE 2005-0034
A flaw in the authvalidated function can cause
an internal consistency test to fail, causing named to exit. This could allow
a remote attacker to cause a denial of service if the
DNSSEC option is enabled. Only BIND 9.3.0 is affected by this
vulnerability.
CVE 2003-0914
BIND before 8.3.7 and 8.4.x before 8.4.3 allows malicious name servers to submit negative responses with a large time-to-live value when a query is submitted. This could lead to the domain name becoming unreachable.
11/12/02
CVE 2002-1219
A flaw in the formation of DNS responses containing cached
SIG resource records could allow a remote
attacker to execute commands on the server. In order for
this vulnerability to be exploited, the attacker must be
able to cause the victim server to cache DNS information,
which requires the attacker to have control of an
authoritative DNS server and the victim server to have
recursion enabled. BIND versions 4.9.5 through 4.9.10,
8.1, 8.2 through 8.2.6, and 8.3.0 through 8.3.3 are affected
by this vulnerability. BIND 9 is not affected.
11/12/02
CVE 2002-1220
By requesting a DNS lookup on a nonexistent sub-domain of
a valid domain and attaching an OPT resource
record with a large UDP payload, a remote attacker could
cause recursive BIND servers to crash. BIND 8.3.0 through
8.3.3 are affected by this vulnerability.
11/12/02
CVE 2002-1221
By creating cached SIG resource records
with invalid expiry times which are then deleted from the
internal database, an attacker could cause BIND to dereference
a null pointer, thus causing BIND to crash. In order to
exploit this vulnerability, an attacker
would need prior control of an authoritative name server,
and BIND would need to have recursion enabled.
BIND 8.2 through 8.2.6 and 8.3.0 through 8.3.3 are affected
by this vulnerability.
12/03/02
CVE 2002-2211
BIND 4 and BIND 8 allow multiple simultaneous requests.
If a client sends many simultaneous resolution requests
for the same domain name, BIND will send a query to that
domain's name server for each of the simultaneous
requests, with a unique identifier for each query.
By successfully guessing any one of these identifiers, an
attacker could create a fake response which would be accepted
by BIND, thus injecting spoofed DNS entries into the cache.
An attacker could increase his or her odds of a successful
attack by increasing the number of simultaneous requests.
DNS spoofing could allow an attacker to launch various types of attacks on other hosts which rely on the vulnerable DNS server, such as impersonation of legitimate web servers, and unauthorized access by exploitation of hostname-based trust relationships.
BIND 4 through 4.9.11, 8.0 through 8.2.7, and 8.3 through 8.3.4 are affected by this vulnerability.
CVE 2001-0497
BIND 8.2.4 and earlier dnskeygen and BIND 9.x through 9.1.2 dnssec-keygen improperly set permissions on an HMAC-MD5 shared secret key file that is used for transactional signatures. This allows attackers to access the key and perform dynamic DNS updates.
BIND 8.2 through BIND 8.2.2 (all patch levels) send the program to an error handling routine when an invalid transaction signature is detected. This error handling procedure initializes variables differently from the normal procedure, such that when a valid signature is then processed a buffer overflow condition is created. This condition along with other buffer overflow exploitation techniques could allow an attacker to gain unauthorized access to the system.
Note: 8.2.3 beta versions are also vulnerable.
BIND 4.9 through BIND 4.9.7 use a fixed-length buffer to build error messages to send to syslog. An attacker could overflow this buffer by sending a specially crafted DNS query, allowing arbitrary code to be executed.
By sending a specially crafted DNS query to the server, a remote attacker could access the program stack, thus gaining knowledge of program variables. BIND 4 through BIND 4.9.7 and BIND 8 through BIND 8.2.2 (all patch levels) are affected by this vulnerability.
CVE 2000-1029
In BIND 8.1 and earlier the host command improperly configures the AXFR query
response buffer to be limited to 512 bytes. Because TCP DNS messages can be up
to 65535 bytes in length, the response can overflow the buffer and the return
address can be modified. This could allow a remote attacker to gain control of
the system.
CVE 1999-1499
In BIND versions 4.9 and earlier, and 8.x through 8.1, upon receipt of the
SIGINT or SIGIOT signals, BIND dumps the named
database to /var/tmp/named_dump.db or appends named statistics
to /var/tmp/named.stats, respectively. When doing so, BIND does not
properly check for symbolic links, and a local user could destroy any file on
the system.
BIND 8.2 and BIND 8.2.1 fail to properly validate NXT records. An attacker could exploit this problem and gain access to the name server by causing a buffer to overflow. BIND 4.9 and BIND 8 prior to BIND 8.2 are not vulnerable to this problem but have other problems (see below).
CVE 1999-0184
BIND 9.4.0 and earlier, when compiled with the -DALLOW_UPDATES option enabled, allows dynamic updates to the DNS server. This allows malicious modification of DNS updates.
Cache poisoning occurs when malicious or misleading data received from a remote name server is saved (cached) by another name server. This "bad" data is then made available to programs that request the cached data through the client interface. Cache poisoning is being used to adversely affect the mapping between host names and IP addresses. Once this mapping has been changed, any information sent between hosts on a network may be subjected to inspection, capture, or corruption.
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to BIND 8.1.2 do not properly bounds-check a memory copy when responding to an inverse query request. An improperly or maliciously formatted inverse query on a TCP stream might allow a remote intruder to gain root level access on a name server or disrupt the normal operations of the name server.
The inverse query feature is disabled by default, so only systems that have been explicitly configured to allow it are vulnerable. To determine if a system is vulnerable:
- BIND 8 - Look at the "options" block in the configuration file (typically /etc/named.conf). If there is a "fake-iquery yes" line in the file, the server is vulnerable to this hack.
- BIND 4.9 - Look at the "options" lines in the configuration file (typically /etc/named.boot). If there is a line containing "fake-iquery", then the server is vulnerable. Also, unlike BIND 8, inverse query support may be enabled when the server is compiled. Examine conf/options.h in the source. If the line defining INVQ ("#define INVQ") is not commented out, then the server is vulnerable.
CVE 1999-0010
CVE 1999-0011
CVE 1999-0835
CVE 1999-0837
CVE 1999-0848
CVE 1999-0849
CVE 1999-0851
CVE 2000-0887
CVE 2000-0888
BIND 8 releases prior to BIND 8.2.2-P7 and all BIND 4.9 releases have a variety of problems which could allow an improperly or maliciously formatted DNS message to crash the server or yield garbage record data. Many DNS utilities that process DNS messages (e.g., dig, nslookup) also fail to do proper bounds checking. Any system running BIND 4.9 or BIND 8 prior to BIND 8.2.2-P7 is vulnerable.
Assume that the following self-referential resource record is in the cache on a name server:
foo.example. IN A CNAME foo.example.
The actual domain name used does not matter; the important thing is that the target of the CNAME is the same name. The record could be in the cache either because the server was authoritative for it or because the server is recursive and someone asked for it. Once this record is in the cache, issuing a zone transfer request using its name (e.g., "dig @my_nameserver foo.example. axfr") will cause the server to abort(). Most sites will not contain such a record in their configuration files. However, it is possible for an attacker to engineer such a record into the cache of a vulnerable nameserver and thus cause a denial of service.
If the BIND 8 server is not recursive and does not fetch glue, then the problem may be exploited only if the self-referential resource record is in a zone for which the server is authoritative. If the global zone transfer ACL in the options block has been set to deny access and has no self-referential CNAMEs in its authoritative zones, then the server is not vulnerable. Otherwise, the server is probably vulnerable to this hack. The nameserver is recursive by default, fetches glue by default and the default global transfer ACL allows all hosts; so many BIND 8 servers will be vulnerable to this problem.
06/05/02
CVE 2002-0400
BIND 9 versions prior to BIND 9.2.1 have a vulnerability
that allows remote attackers to shut down BIND servers. An attacker can cause
the shutdown by sending a specific DNS packet designed to create an
improperly-handled error condition. Because the error condition is correctly
detected but is not handled properly, this vulnerability will not allow an
intruder to execute arbitrary code or write data to arbitrary locations in
memory. The error condition that triggers the shutdown occurs when the rdataset
parameter to the dns_message_findtype() function in message.c
is not NULL as expected. The condition causes the code to assert an error
message and call abort() to shut down the BIND server.
For more information about this vulnerability, see CERT Advisory 2002-15.
Resolution
Check for package updates from the vendor. Upgrade BIND to version 9.21.14 or higher for the development branch, 9.20.15 or higher for the current stable branch, 9.18.41 or higher for the older stable, ESV branch, or apply a fix from your operating system vendor.
Note: 9.0.x through 9.16.x have reached EOL.
The latest version of BIND is available from the Internet Software Consortium.
BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers. Releases in the Supported Preview Edition branch are denoted by an "-S" suffix and a sequence number, e.g. "BIND 9.9.8-S1". Features which are created for BIND 9 Supported Preview Edition are ported to main-line open-source BIND releases after they have been refined in the Supported Preview Edition.
The latest releases for BIND Supported Preview Edition are 9.18.38-S1 and 9.20.11-S1.
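The version guidance above, applied to a version banner, as an added example that is not part of the original page or ISC's tooling. The status labels and sample banners are constructed for illustration; a packaged build below the listed minimum is reported as check-vendor because packagers backport fixes without changing the upstream version number.

```python
import re
from typing import NamedTuple, Optional

# Minimum fixed open-source patch level per maintained branch (from the Resolution text).
MIN_FIXED = {(9, 21): 14, (9, 20): 15, (9, 18): 41}
# Supported Preview Edition releases the page names as latest: branch -> (patch, S-number).
LATEST_PREVIEW = {(9, 18): (38, 1), (9, 20): (11, 1)}

# major.minor.patch, an optional ISC suffix (-P<n> patch release or -S<n> preview),
# then any revision a packager appended, e.g. "-0ubuntu0.22.04.1-Ubuntu".
_VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-([PS])(\d+))?((?:-[\w.~+]+)*)")


class BindVersion(NamedTuple):
    branch: tuple            # (major, minor)
    patch: int
    preview: Optional[int]   # N from an "-SN" suffix, otherwise None
    packaged: bool           # True when a packager revision follows the version


def parse_version(banner):
    """Extract the first BIND-style version found in a banner string."""
    m = _VERSION.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    preview = int(m.group(5)) if m.group(4) == "S" else None
    return BindVersion((major, minor), patch, preview, bool(m.group(6)))


def assess(banner):
    """Classify a banner against the versions listed in the Resolution text."""
    v = parse_version(banner)
    if v is None:
        return "unparsed"
    if v.preview is not None:
        latest = LATEST_PREVIEW.get(v.branch)
        if latest is None:
            return "eol-branch"
        return "preview-current" if (v.patch, v.preview) >= latest else "preview-behind"
    fixed = MIN_FIXED.get(v.branch)
    if fixed is not None and v.patch >= fixed:
        return "current"
    if v.packaged:
        # The upstream number alone cannot show which fixes were backported.
        return "check-vendor"
    return "upgrade" if fixed is not None else "eol-branch"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real servers.
    for sample in (
        "BIND 9.18.41 (Extended Support Version) <id:constructed>",
        "BIND 9.18.28-0ubuntu0.22.04.1-Ubuntu",
        "9.20.9",
        "9.16.50",
        "9.18.37-S1",
    ):
        print(f"{sample!r:60} -> {assess(sample)}")
```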
For the vulnerability in which TCP-pipelined queries can bypass the tcp-clients limit, the issue can be avoided by disabling server TCP-pipelining:
keep-response-order { any; };
and then restarting BIND. The server restart is necessary because neither a reload nor a reconfig operation will properly reset currently pipelining TCP clients.
For the BIND assertion failure in badcache.c, the vendor advisory workaround is to disable the SERVFAIL cache with 'servfail-ttl 0;', which prevents the code path that leads to the assertion failure from being taken. Alternatively, upgrade to BIND 9 version 9.10.6-S3.
For the REQUIRE assertion failure in rdataset.c, upgrade BIND 9 Supported Preview Edition to 9.9.8-S5 or apply the patch.
As a workaround for the RDATA handling assertion failure denial of service vulnerability, ensure that the RPZ contains an AAAA rewrite rule for every A rewrite rule.
To fix the allow-query-cache/allow-recursion default ACL weakness, explicitly set the allow-query-cache and allow-recursion ACLs as instructed by BugTraq ID 25076.
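One way to check whether the configuration workarounds above are in place, as an added example (not code from the vendor or the original page). The function names, status keys and both sample inputs are constructed; the RPZ parser assumes one record per line with single-token rdata, and treating an explicit ACL of "any" as not applied is this example's own reading of the guidance.

```python
import re

# Quoted strings are matched first so "#" or "//" inside a path is not read as a comment.
_TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*|[{};]|[^\s{};"]+', re.S)


def options_statements(conf_text):
    """Map each statement in the top-level options block to its argument tokens."""
    tokens = [t for t in _TOKEN.findall(conf_text)
              if not t.startswith(("/*", "//", "#"))]
    start, depth = None, 0
    for i, tok in enumerate(tokens):
        if tok == "{":
            if depth == 0 and i > 0 and tokens[i - 1] == "options":
                start = i + 1
                break
            depth += 1
        elif tok == "}":
            depth -= 1
    statements, current, depth = {}, [], 0
    for tok in (tokens[start:] if start is not None else []):
        if tok == "}" and depth == 0:        # closing brace of the options block
            break
        depth += (tok == "{") - (tok == "}")
        if tok == ";" and depth == 0:        # end of one top-level statement
            if current:
                statements[current[0]] = current[1:]
            current = []
        else:
            current.append(tok)
    return statements


def _restrictive(acl_tokens):
    """An explicit ACL counts only if it has elements and none of them is 'any'."""
    elements = [t for t in (acl_tokens or []) if t not in {"{", "}", ";"}]
    return bool(elements) and "any" not in elements


def workaround_status(conf_text):
    """Report which of the page's named.conf workarounds the options block applies."""
    opts = options_statements(conf_text)
    return {
        "explicit-recursion-acls": all(
            _restrictive(opts.get(k)) for k in ("allow-query-cache", "allow-recursion")),
        "tcp-pipelining-disabled": opts.get("keep-response-order") == ["{", "any", ";", "}"],
        "servfail-cache-disabled": opts.get("servfail-ttl") == ["0"],
    }


def rpz_a_without_aaaa(zone_text):
    """Return RPZ owner names that have an A rewrite rule but no AAAA rewrite rule."""
    types_by_owner, owner = {}, None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]              # drop zone-file comments
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("$"):
            continue
        if not line[0].isspace():                # indented lines inherit the owner
            owner = fields[0].lower()
        if owner is not None:
            types_by_owner.setdefault(owner, set()).add(fields[-2].upper())
    return sorted(o for o, t in types_by_owner.items()
                  if "A" in t and "AAAA" not in t)


# Constructed sample inputs (documentation address ranges, hypothetical names).
SAMPLE_CONF = '''
acl trusted { 192.0.2.0/24; };       // constructed sample
options {
    directory "/var/named";
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    keep-response-order { any; };
    /* servfail-ttl 0; */
};
'''

SAMPLE_RPZ = '''
$TTL 300
@                 SOA  localhost. root.localhost. 1 3600 600 86400 300
@                 NS   localhost.
bad.example       A    192.0.2.10      ; constructed rewrite rules
bad.example       AAAA 2001:db8::10
worse.example     A    192.0.2.11
'''

if __name__ == "__main__":
    print(workaround_status(SAMPLE_CONF))
    print("A rules lacking AAAA:", rpz_a_without_aaaa(SAMPLE_RPZ))
```

A workaround reported as not applied matters only on a release affected by the corresponding issue; on a fixed release it is informational.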
Where can I read more about this?
The BIND Security Update for October 2025 was reported in CVE-2025-40778, CVE-2025-40780 and CVE-2025-8677.
The BIND Security Update for July 2025 was reported in CVE-2025-40776 and CVE-2025-40777.
The BIND Security Update for May 2025 was reported in CVE-2025-40775.
The BIND Security Update for January 2025 was reported in CVE-2024-11187 and CVE-2024-12705.
The BIND Security Update for July 2024 was reported in CVE-2024-0760, CVE-2024-1737, CVE-2024-1975 and CVE-2024-4076.
The BIND Security Update for February 2024 was reported in CVE-2023-4408, CVE-2023-50387, CVE-2023-50868, CVE-2023-5517, CVE-2023-5679, CVE-2023-5680 and CVE-2023-6516.
For more information on the BIND Security Update for September 2023, see CVE-2023-3341 and CVE-2023-4236.
For more information on the BIND Security Update for June 2023, see CVE-2023-2828, CVE-2023-2829 and CVE-2023-2911.
For more information on the BIND Security Update for January 2023, see CVE-2022-3094, CVE-2022-3488, CVE-2022-3736 and CVE-2022-3924.
For more information on the BIND Security Update for September 2022, see CVE-2022-2795, CVE-2022-2881, CVE-2022-2906, CVE-2022-3080, CVE-2022-38177 and CVE-2022-38178.
The DNS over HTTPS denial of service was reported in ISC Security Advisory CVE-2022-1183.
For more information on the BIND Security Update for March 2022, see CVE-2021-25220, CVE-2022-0396, CVE-2022-0635 and CVE-2022-0667.
For more information on the BIND Security Update for October 2021, see CVE-2021-25219.
For more information on the BIND Security Update for August 2021, see CVE-2021-25218.
For more information on the BIND Security Update for April 2021, see CVE-2021-25214, CVE-2021-25215 and CVE-2021-25216.
For more information on the denial of service via DNS queries, see BIND's Default Policy for Recursion.
For more information on the BIND Security Update for February 2021, see CVE-2020-8625.
The BIND Security Update for August was reported in CVE-2020-8620, CVE-2020-8621, CVE-2020-8622, CVE-2020-8623 and CVE-2020-8624.
The BIND Security Update for June 2020 was reported in CVE-2020-8618 and CVE-2020-8619.
The BIND Security Update for May 2020 was reported in CVE-2020-8616 and CVE-2020-8617.
The vulnerability in which TCP-pipelined queries can bypass the tcp-clients limit was posted to CVE-2019-6477.
The two vulnerabilities in BIND 9 were reported in CVE-2019-6475 and CVE-2019-6476.
For more information on the BIND race condition when discarding malformed packets (CVE-2019-6471), see CVE-2019-6471.
For more information on the BIND Supported Preview Edition nxdomain-redirect assertion failure, see CVE-2019-6468.
For more information on the BIND vulnerability in which limiting simultaneous TCP clients is ineffective, see CVE-2018-5743.
For more information on the BIND nxdomain-redirect denial of service vulnerability, see CVE-2019-6467.
For more information on the two BIND denial of service vulnerabilities, see CVE-2018-5744 and CVE-2018-5745.
For more information on the BIND Zone transfer controls vulnerability, see CVE-2019-6465.
The BIND debug log level 10 denial of service vulnerability was posted to Bugtraq ID 106246.
The BIND "update-policy" vulnerability was posted to CVE-2018-5741.
The BIND "deny-answer-aliases" denial of service vulnerability was posted to Article AA-01639.
The BIND Recursion access control vulnerability was posted to Article AA-01616.
The BIND serve-stale Function vulnerability was posted to Article AA-01606.
The BIND Slave Zone Transfer Processing vulnerability was posted to Article AA-01602.
The BIND assertion failure in badcache.c was posted to Article AA-01562.
The BIND assertion failure in validator.c was posted to bind9 security update.
The BIND Improper fetch cleanup sequencing denial of service was posted to Article AA-01542.
The two fixed BIND vulnerabilities in TSIG authentication were posted to CVE-2017-3142 and CVE-2017-3143.
The BIND installer on Windows vulnerability was posted to CVE-2017-3141.
The Response Policy Zones (RPZ) denial of service was posted to CVE-2017-3140.
The BIND DNSSEC assertion failure was posted to RHSA-2017-1202.
The DNS64 assertion failure was reported in KB article AA-01465.
The CNAME and DNAME ordering denial of service was reported in KB article AA-01466.
The control channel null command string vulnerability was reported in KB article AA-01471.
The BIND configurations that can lead the target to crash were posted in Article AA-01453.
The multiple vulnerabilities fixed in 9.9.9-P5, 9.10.4-P5, and 9.11.0-P2 were reported in Article AA-01439, Article AA-01440, Article AA-01441 and Article AA-01442.
The Assertion Failure in db.c or resolver.c denial of service vulnerability was reported in Article AA-01434.
The ISC BIND vulnerability in which malformed options can trigger an assertion failure was reported in Article AA-01433.
The assertion failure in buffer.c while building responses to a specifically constructed request was reported in Article AA-01419.
The lwresd segmentation fault caused by a query name which is too long was reported in Article AA-01393.
The vulnerability in which malicious primary DNS servers can crash secondaries was reported in CVE-2016-6170.
The vulnerability in servers with DNS cookie support enabled was reported in Article AA-01351.
The two denial of service vulnerabilities fixed in ISC BIND were reported in Article AA-01352 and Article AA-01353.
The REQUIRE assertion failure in rdataset.c was reported in Article AA-01348.
The two denial of service vulnerabilities were reported in Article AA-01335 and Article AA-01336.
The race condition vulnerability when handling socket errors was reported in Article AA-01319.
The assertion failure in db.c was reported in Article AA-01317.
The REQUIRE assertion failure vulnerability was reported in Article AA-01291.
The DNSSEC key parsing vulnerability was reported in Article AA-01287.
The TKEY error handling vulnerability was reported in Article AA-01272.
The Recursive Resolver performing DNSSEC validation vulnerability was reported in Article AA-01267.
The Trust Anchor Management Vulnerability was reported in Article AA-01235.
The ISC BIND vulnerability in which GeoIP features can cause BIND to crash was reported in Article AA-01217.
The ISC BIND delegation handling vulnerability was reported in Article AA-01216.
The ISC BIND named EDNS option vulnerability was reported in Article AA-01166.
The recursive nameservers prefetch failed assertion denial of service vulnerability was reported in BIND-9.10.0-P1.
The NSEC3-Signed zones queries handling denial of service vulnerability was reported in SecurityTracker ID 1029589.
The "localnets" Access Control List vulnerability was reported in AA-01062 and AA-01063.
The RDATA Handling Assertion Failure Denial of Service vulnerability was reported in SecurityTracker ID 1028838.
The Recursive Query Handling Denial of Service vulnerability was reported in AA-00967.
The Regular Expression Handling Denial of Service vulnerability was reported in Bugtraq.
The AAAA Record Lookup Handling Assertion Failure vulnerability was reported in AA-00855.
The DNS64 REQUIRE Assertion Failure Denial of Service vulnerability was reported in AA-00828.
The Record Handling Lockup vulnerability was reported in AA-00801.
The Resource Record Denial of Service vulnerability was reported in Bugtraq.
The Bad Cache Assertion Failure and TCP Query Denial of Service vulnerabilities were reported in SecurityTracker ID 1027296.
The DNS resource record handling vulnerability was reported in Bugtraq.
The Deleted Domain Name Resolving vulnerability was reported in SecurityTracker ID 1026647.
The BIND 9 Resolver crash was reported in an ISC Advisory.
The Multiple Denial of Service Vulnerabilities fixed in 9.8.0-P4 were reported in SecurityTracker ID 1025742 and SecurityTracker ID 1025743.
The Negative Caching RRSIG RRsets Denial of Service vulnerability was reported in SecurityTracker ID 1025572.
The Response Policy Zones RRSIG Query Assertion Failure Denial of Service vulnerability was reported in SecurityTracker ID 1025503.
The IXFR or DDNS Update Deadlock Denial of Service vulnerability was reported in SecurityTracker ID 1025110.
The DNSSEC Validation Remote Denial of Service vulnerability was reported in Bugtraq ID 45385.
The three vulnerabilities fixed in BIND 9.7.2-P3 were reported in ISC Advisories 2010-3613, 2010-3614 and 2010-3615.
The Denial Of Service and Security Bypass vulnerability was reported in Bugtraq ID 43573.
The RRSIG Record Type Remote Denial of Service vulnerability was reported in Bugtraq ID 41730.
The BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning vulnerability was reported in Bugtraq ID 37865.
The BIND 9 CNAME and DNAME Cache Poisoning Vulnerability was reported in Debian CVE-2010-0290.
The BIND 9 Out-Of-Bailiwick Data Cache Poisoning Vulnerability was reported in Debian CVE-2010-0382.
The BIND 9 DNSSEC Query Response Additional Section Remote Cache Poisoning vulnerability was reported in Bugtraq ID 37118.
The BIND 9 OpenSSL DSA certificate validation bypass was reported in OpenSSL Security Advisory 2009-01-07.
The BIND 9.6 EVP_VerifyFinal validation bypass was reported in Slackware Linux Security Advisory SSA:2009-014-02.
The BIND 9 Dynamic Update Request Denial of Service vulnerability was reported in Bugtraq ID 35848.
The Windows Only BIND UDP Client Handler Denial of Service vulnerability was reported in SecurityTracker ID 1020901.
For more information on the BIND Remote Cache Corruption Vulnerability, see SecurityTracker ID 1015551.
For more information on the BIND Cache Poisoning Denial of Service vulnerability, see CERT VU#734644.
For more information on the BIND Insecure HMAC-MD5 Permissions vulnerability, see IBM XForce 6694.
For more information on the ISC BIND AXFR Query Buffer Overflow vulnerability, see IBM XForce 5462 and Exploit DB 20374.
For more information on the ISC BIND SIGINT and SIGIOT SymLink Attack, see INCIBE-CERT.
For more information on the BIND -DALLOW_UPDATES Dynamic Update vulnerability, see Microsoft TechNet.
Details on the vulnerabilities described above can be found on the BIND Vulnerabilities page, CIRC Bulletins P-113, P-114 and R-333, CERT Advisories 1997-22, 1998-05, 1999-14, 2000-20, 2001-02, 2002-15 and 2002-31, CERT 955777, Secunia Advisory SA21752, SUSE-SR:2006:026, Secunia Advisory SA25070, Secunia Advisory SA28180, Secunia Advisory SA28579 and Secunia Advisory SA30973.
For general information on securing DNS servers, see Carnegie Mellon's podcast, DNS Best Practices.
