Vulnerability Note VU#264212
Recursive DNS resolver implementations may follow referrals infinitely
Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.
RFC 1034 describes the standard technical issues of enabling domain delegations in DNS, but does not provide a specific implementation, leaving DNS servers to provide their own methods to implement RFC 1034. In some implementations of recursive resolvers, a query to a malicious authoritative server may cause the resolver to follow an infinite chain of referrals. Attempting to follow the infinite chain can cause a denial-of-service (DoS) situation on the DNS resolver due to resource exhaustion.
This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: "Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone."
A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service.
Apply an update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|EfficientIP||Affected||11 Dec 2014||11 May 2015|
|Infoblox||Affected||24 Nov 2014||11 Dec 2014|
|Internet Systems Consortium||Affected||-||09 Dec 2014|
|MaraDNS||Affected||03 Dec 2014||26 Jan 2015|
|NEC Corporation||Affected||-||26 Oct 2015|
|NLnet Labs||Affected||-||09 Dec 2014|
|PowerDNS||Affected||-||09 Dec 2014|
|CZ NIC||Not Affected||17 Dec 2014||18 Dec 2014|
|djbdns||Not Affected||03 Dec 2014||10 Dec 2014|
|dnsmasq||Not Affected||03 Dec 2014||05 Dec 2014|
|European Registry for Internet Domains||Not Affected||17 Dec 2014||18 Dec 2014|
|gdnsd||Not Affected||17 Dec 2014||18 Dec 2014|
|GNU adns||Not Affected||03 Dec 2014||17 Dec 2014|
|GNU glibc||Not Affected||-||18 Dec 2014|
|Microsoft Corporation||Not Affected||18 Dec 2014||29 Dec 2014|
CVSS Metrics (Learn More)
ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2014-8601 CVE-2014-8500 CVE-2014-8602
- Date Public: 08 Dec 2014
- Date First Published: 09 Dec 2014
- Date Last Updated: 26 Oct 2015
- Document Revision: 57
If you have feedback, comments, or additional information about this vulnerability, please send us email.