
BIND DNS V9 DNS64 and RPZ DoS Vulnerability


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

BIND 9 DNS servers configured to use both DNS64 and Response Policy Zones (RPZ) are susceptible to denial of service (DoS) attacks. When the vulnerability is exploited, a remote attacker may cause the 'named' process to terminate.

Threat details

Only servers configured to use Response Policy Zones (RPZ) and DNS64 at the same time are affected by this vulnerability. A server that enables one feature but not the other is not affected.

DNS64 is typically used so that an IPv6-only client can reach an IPv4-only service: the resolver synthesises an IPv6 address for the client from the service's IPv4 address.

RPZ is used by recursive resolvers to apply customised handling to the resolution of defined sets of domain names.

When the vulnerability is triggered on a server with both features enabled, the result is either an INSIST assertion failure (followed by an abort) or an attempt to read through a NULL pointer. On most platforms a NULL pointer read causes a segmentation fault that terminates the process. In both cases the failure will usually result in a denial of service.


Remediation steps

  • Ensure that DNS64 and RPZ are disabled wherever they are not in use (both are disabled in the default configuration); disabling either feature removes the affected condition.
  • Upgrade to a fixed release of BIND 9: version 9.9.9-P6, 9.10.4-P6 or 9.11.0-P3.
  • Restrict who can modify the contents of the response policy zone, to prevent unauthorised use or changes.
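As an added example (not part of this alert, and not code from BIND or ISC), the following Python check applies the two conditions above to a named.conf and a version string: a server is reported as affected only when both DNS64 and response-policy are configured and the running release is older than the fixed release the alert names for its branch. The sample configuration, the view name and the zone name are constructed for the example.

```python
import re

# Fixed releases named in the alert, keyed by release branch (major, minor).
FIXED = {(9, 9): "9.9.9-P6", (9, 10): "9.10.4-P6", (9, 11): "9.11.0-P3"}
# Constructed sample named.conf (not from a real server): DNS64 and an RPZ in
# one view, plus a commented-out response-policy that must not count.
SAMPLE_CONF = """
options { recursion yes; /* response-policy { zone "old"; }; */ };
view "internal" {
    dns64 64:ff9b::/96 { clients { any; }; };
    response-policy { zone "rpz.example"; };   # assumed zone name
};
"""

def parse_version(text):
    """'9.10.4-P5' -> (9, 10, 4, 5); a release without -P sorts below -P1."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised BIND version: %r" % text)
    return tuple(int(x or 0) for x in m.groups())

def strip_comments(conf):
    """Drop /* */, // and # comments so disabled stanzas are not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def uses_dns64_and_rpz(conf):
    """Both features present (options or any view); feed it 'named-checkconf -p'
    output, because 'include' directives are not followed here."""
    text = strip_comments(conf)
    has_dns64 = re.search(r"\bdns64\s+\S+\s*\{", text) is not None
    has_rpz = re.search(r"\bresponse-policy\s*\{", text) is not None
    return has_dns64 and has_rpz

def needs_upgrade(version):
    """True if older than the branch fix, False if fixed, None if no fix listed."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < parse_version(fixed)

def assess(conf, version):
    """Affected only when both features are enabled AND the release is old."""
    if not uses_dns64_and_rpz(conf):
        return "not affected: DNS64 and RPZ are not both enabled"
    old = needs_upgrade(version)
    if old is None:
        return "review: both enabled, alert names no fix for this branch"
    if old:
        return "affected: upgrade to " + FIXED[parse_version(version)[:2]]
    return "not affected: fixed release"
```

Run `assess(SAMPLE_CONF, "9.10.4-P5")` to see the affected verdict; a branch the alert does not list (for example a 9.12 release) is returned for manual review rather than judged.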

Last edited: 17 February 2020 11:27 am