Vulnerability Note VU#714121

Incorrect NXDOMAIN responses from AAAA queries could cause denial-of-service conditions

Overview

Some DNS servers respond with an inappropriate error message if queried for nonexistent AAAA records, which can lead to possible denial of service.

I. Description

Some DNS servers respond with a "Name Error" response code (NXDOMAIN, RCODE 3) instead of "No Error" (RCODE 0) when queried for a nonexistent AAAA record. (AAAA records are used to provide name-to-address resolution for IPv6 addresses, as described in RFC1886.)

When an NXDOMAIN response code is received, the querying resolver will usually stop attempting to resolve that name. Resolvers that support negative caching (RFC2308) and receive an NXDOMAIN response will not query for A records for the same resource until the negatively cached error response has expired.

Sites operating DNS servers that respond to queries for nonexistent AAAA records with NXDOMAIN response codes may be susceptible to attackers using other sites' caching nameservers to block those other sites' users from resolving records in domains served by the broken DNS servers. Similar attacks may be possible against caching resolvers if an attacker were able to induce the resolver to look up a nonexistent AAAA record from a server acting in this manner.
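The following script is an added example and not part of the original vulnerability note. It builds two constructed authoritative replies to the same AAAA query, one the correct NOERROR/empty-answer ("NODATA") form and one the broken NXDOMAIN form described above, parses them with a small RFC 1035 message decoder, and then feeds each into a minimal RFC 2308-style negative cache to show why the broken form blocks a follow-up A query for the same name while the correct form does not. The name www.example.net. and the transaction IDs are assumptions chosen for the demo; the probe_aaaa helper is an optional live check against an authoritative server you operate and is not exercised by the demo.

```python
import os
import socket
import struct

NOERROR, NXDOMAIN = 0, 3          # RCODE values (RFC 1035)
QTYPE_A, QTYPE_AAAA = 1, 28       # A (RFC 1035), AAAA (RFC 1886)


def build_header(txid, rcode, qr=1, qdcount=1, ancount=0):
    # Flags: QR | AA | RD | RA | RCODE (AA and RA only set on responses); NS/AR counts zero.
    flags = (qr << 15) | (qr << 10) | (1 << 8) | (qr << 7) | (rcode & 0x0F)
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [l for l in tail.split(".") if l]) + ".", offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_message(txid, qname, qtype, rcode=NOERROR, qr=1):
    """Constructed query (qr=0) or answerless response (qr=1) carrying one question."""
    return build_header(txid, rcode, qr) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_response(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    return {"id": txid, "rcode": flags & 0x0F, "ancount": an, "questions": questions}


def classify_aaaa_response(msg):
    """NODATA (correct: name exists, no AAAA), ANSWER, NXDOMAIN (the broken case), or OTHER."""
    r = parse_response(msg)
    if r["rcode"] == NOERROR:
        return "ANSWER" if r["ancount"] else "NODATA"
    return "NXDOMAIN" if r["rcode"] == NXDOMAIN else "OTHER"


class NegativeCache:
    """Minimal RFC 2308 negative cache: NXDOMAIN is keyed by name and suppresses queries
    for every type; NODATA is keyed by (name, type) and suppresses only that type."""

    def __init__(self):
        self.nxdomain, self.nodata = set(), set()

    def record(self, qname, qtype, response):
        r = parse_response(response)
        if r["rcode"] == NXDOMAIN:
            self.nxdomain.add(qname)
        elif r["rcode"] == NOERROR and r["ancount"] == 0:
            self.nodata.add((qname, qtype))

    def would_query(self, qname, qtype):
        return qname not in self.nxdomain and (qname, qtype) not in self.nodata


def a_lookup_still_possible(aaaa_rcode, qname="www.example.net."):
    """After a AAAA lookup answered with aaaa_rcode, will the resolver still ask for A?"""
    cache = NegativeCache()
    cache.record(qname, QTYPE_AAAA, build_message(0x1234, qname, QTYPE_AAAA, aaaa_rcode))
    return cache.would_query(qname, QTYPE_A)


def probe_aaaa(server_ip, qname, timeout=2.0):
    """Live UDP check of one of your own authoritative servers (not used by the demo)."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_message(txid, qname, QTYPE_AAAA, qr=0), (server_ip, 53))
        reply, _ = s.recvfrom(4096)
    if parse_response(reply)["id"] != txid:
        return "OTHER"
    return classify_aaaa_response(reply)


if __name__ == "__main__":
    for rcode, label in ((NOERROR, "correct server"), (NXDOMAIN, "broken server")):
        reply = build_message(1, "www.example.net.", QTYPE_AAAA, rcode)
        print(f"{label}: AAAA reply classified as {classify_aaaa_response(reply)}, "
              f"A lookup still possible: {a_lookup_still_possible(rcode)}")
```

Running the script prints that the correct server's reply is classified NODATA and leaves the A lookup possible, while the broken server's NXDOMAIN reply does not. To check a server you operate, call probe_aaaa with its address and a name that has an A record but no AAAA record (for example probe_aaaa("192.0.2.1", "www.example.net."), where 192.0.2.1 is a placeholder documentation address); a result of "NXDOMAIN" is the behaviour this note describes.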

Note: The same issue occurs with A6 records. However, A6 records (RFC2874) have been deemed "Experimental" by the IETF, with preference being given to AAAA records (RFC3363, RFC3364).

This is not a new issue. The problem of NXDOMAIN being returned in response to a AAAA query was noted in the (now expired) Internet Draft draft-itojun-jinmei-ipv6-issues-00.txt:

    There are broken DNS servers that return NXDOMAIN against AAAA queries, when it should return NOERROR with empty return records.  When deploying IPv6/v4 dual stack node, it becomes problem because dual stack nodes would query AAAA first, see NXDOMAIN error, and won't try to query A records.  These broken DNS servers need to be corrected.

However, we have not seen this issue documented elsewhere as a potential denial-of-service attack vector against sites with their DNS servers broken in this manner.

II. Impact

An attacker could create a localized denial-of-service condition by exploiting this vulnerability.

III. Solution

Apply a patch from your vendor.

Systems Affected

Vendor                   Status           Date Updated
Cisco Systems Inc.       Vulnerable       23-May-2003
djbdns                   Unknown          21-Mar-2003
F5 Networks              Not Vulnerable   23-May-2003
ISC                      Unknown          21-Mar-2003
Microsoft Corporation    Unknown          21-Mar-2003
Openwall GNU/*/Linux     Unknown          21-Mar-2003

References

ftp://ftp.rfc-editor.org/in-notes/rfc1886.txt
ftp://ftp.rfc-editor.org/in-notes/rfc2308.txt
ftp://ftp.rfc-editor.org/in-notes/rfc2874.txt
ftp://ftp.rfc-editor.org/in-notes/rfc3363.txt
ftp://ftp.rfc-editor.org/in-notes/rfc3364.txt
http://www1.ietf.org/mail-archive/ietf-announce/Current/msg19416.html

Credit

This document was written by Allen D Householder.

Other Information

Date Public: 02/24/2003
Date First Published: 03/26/2003 02:58:53 PM
Date Last Updated: 05/23/2003
CERT Advisory:
CVE Name:
US-CERT Technical Alerts:
Metric: 9.79
Document Revision: 10

Copyright 2003 Carnegie Mellon University