Vulnerability Note VU#264212

Recursive DNS resolver implementations may follow referrals infinitely

Original Release date: 09 Dec 2014 | Last revised: 26 Oct 2015


Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.


RFC 1034 describes how domain delegation works in DNS, but it does not prescribe a specific implementation, leaving each DNS server to choose its own method of following delegations. In some recursive resolver implementations, a query to a malicious authoritative server may cause the resolver to follow an infinite chain of referrals. Attempting to follow the infinite chain can cause a denial-of-service (DoS) condition on the DNS resolver due to resource exhaustion.

This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: "Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone."

Depending on how the resolver handles out-of-bailiwick glue records and performs simultaneous queries, it may also be possible to cause the resolver to perform a DoS attack on a target using DNS traffic.


A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service.

Resolvers that follow multiple referrals at once can cause large bursts of network traffic.


Apply an update

These issues are addressed by limiting the maximum number of referrals followed and the number of simultaneous queries. See the Vendor Information section below for information about specific vendors.
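To make the referral chain and the first mitigation concrete, the following is an added simulation written for this note; it is not code from any of the resolvers listed below. The zone data, the addresses 198.51.100.1, 192.0.2.10 and 192.0.2.53, and the names good.example and evil.example are constructed. A cap on referrals followed turns an unbounded lookup into a bounded failure; setting the cap to None reproduces the uncapped behaviour, which here ends in a RecursionError instead of exhausting a real server.

```python
import re

ROOT = "198.51.100.1"  # constructed address of the server queried first

class ReferralLimitExceeded(Exception):
    pass

def authoritative(server, qname):
    """Constructed zone data: returns ("A", address) or ("NS", ns_name), the
    latter being a referral to a name server in another zone with no glue.
    good.example delegates once and then answers; evil.example answers every
    query with a referral to a fresh ns<N+1>.evil.example, without end."""
    if qname == "www.good.example":
        return ("NS", "ns.good.example") if server == ROOT else ("A", "192.0.2.10")
    if qname == "ns.good.example":
        return ("A", "192.0.2.53")
    if qname.endswith(".evil.example"):
        m = re.fullmatch(r"ns(\d+)\.evil\.example", qname)
        return ("NS", f"ns{int(m.group(1)) + 1 if m else 1}.evil.example")
    raise LookupError(f"NXDOMAIN {qname}")

class Resolver:
    def __init__(self, max_referrals):
        self.max_referrals = max_referrals  # None reproduces the uncapped behaviour
        self.referrals = 0
        self.queries = 0

    def resolve(self, qname, server=ROOT):
        self.queries += 1
        kind, data = authoritative(server, qname)
        if kind == "A":
            return data
        # Out-of-bailiwick referral without glue: the name server's own
        # address must be resolved before qname can be retried there.
        self.referrals += 1
        if self.max_referrals is not None and self.referrals > self.max_referrals:
            raise ReferralLimitExceeded(f"{qname}: over {self.max_referrals} referrals")
        ns_addr = self.resolve(data)
        return self.resolve(qname, ns_addr)

def lookup(qname, max_referrals=10):
    """Resolve qname; report the address (None on failure) and queries sent."""
    r = Resolver(max_referrals)
    try:
        return {"address": r.resolve(qname), "queries": r.queries}
    except ReferralLimitExceeded:
        return {"address": None, "queries": r.queries}
    except RecursionError:  # the uncapped resolver exhausts the stack instead
        return {"address": None, "queries": r.queries}
```

The second mitigation named above, a limit on simultaneous outstanding queries, bounds the burst of traffic a resolver that chases several referrals in parallel would otherwise emit; it is not modelled here.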

Vendor Information

Vendor                                   Status        Date Notified  Date Updated
EfficientIP                              Affected      11 Dec 2014    11 May 2015
Infoblox                                 Affected      24 Nov 2014    11 Dec 2014
Internet Systems Consortium              Affected      -              09 Dec 2014
MaraDNS                                  Affected      03 Dec 2014    26 Jan 2015
NEC Corporation                          Affected      -              26 Oct 2015
NLnet Labs                               Affected      -              09 Dec 2014
PowerDNS                                 Affected      -              09 Dec 2014
CZ NIC                                   Not Affected  17 Dec 2014    18 Dec 2014
djbdns                                   Not Affected  03 Dec 2014    10 Dec 2014
dnsmasq                                  Not Affected  03 Dec 2014    05 Dec 2014
European Registry for Internet Domains   Not Affected  17 Dec 2014    18 Dec 2014
gdnsd                                    Not Affected  17 Dec 2014    18 Dec 2014
GNU adns                                 Not Affected  03 Dec 2014    17 Dec 2014
GNU glibc                                Not Affected  -              18 Dec 2014
Microsoft Corporation                    Not Affected  18 Dec 2014    29 Dec 2014

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:N/I:N/A:P
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  3.4    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND



ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information


If you have feedback, comments, or additional information about this vulnerability, please send us email.