NLnet Labs Information for VU#800113

Multiple DNS implementations vulnerable to cache poisoning

Status

Not Affected

Vendor Statement

Unbound implements numerous strategies for spoof protection; those include
UDP port randomization, RTT banding, source IP randomization and,
optionally, so-called 0x20 query name randomization. Besides, Unbound
features an architectural element that performs sanity checks on incoming
data to prevent certain types of poisoning attempts.

Although Unbound has been built using all known protections against DNS
spoofs, the DNS protocol is inherently vulnerable to these sorts of
attacks. NLnet Labs believes that the only real solution to this problem
is the use of DNSSEC.
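The checks named in the statement, as an added example that is not Unbound's or NLnet Labs' code: a small Python model of a resolver that randomizes the transaction ID, the UDP source port and the 0x20 case of the query name, then accepts a reply only if it echoes all three and keeps every record inside the queried zone's bailiwick. The zone, names and addresses are constructed for the example (192.0.2.x and 198.51.100.x are documentation ranges); source IP randomization and RTT banding are not modelled.

```python
"""Constructed model (not Unbound's code) of the anti-spoofing checks
named in the vendor statement: random TXID, random UDP source port, 0x20
QNAME case randomization, and a bailiwick sanity check on returned
records. Source IP randomization and RTT banding are not modelled."""
import math
import random


def encode_0x20(name: str, rng: random.Random) -> str:
    """Randomize the case of every letter in the query name (bit 0x20 of an
    ASCII letter is its case bit); digits, hyphens and dots are kept."""
    return "".join(
        (c.upper() if rng.getrandbits(1) else c.lower()) if c.isalpha() else c
        for c in name
    )


def build_query(name: str, rng: random.Random) -> dict:
    """What the resolver sends: the three values an off-path attacker must
    guess to have a forged reply accepted."""
    return {
        "txid": rng.getrandbits(16),           # 16-bit DNS transaction ID
        "sport": rng.randrange(1024, 65536),   # random ephemeral UDP port
        "qname": encode_0x20(name, rng),       # 0x20-encoded question name
    }


def spoof_entropy_bits(query: dict) -> float:
    """Bits an attacker must guess per forged reply: TXID + port + one bit
    per letter of the name (0x20). Ignores birthday effects and the fact
    that the attacker can trigger many queries."""
    letters = sum(1 for c in query["qname"] if c.isalpha())
    return 16 + math.log2(65536 - 1024) + letters


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner equals zone or lies below it (case-insensitive)."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def reply_accepted(query: dict, reply: dict, zone: str):
    """Return (accepted, reason). A reply must echo the TXID, arrive at the
    port the query left from, repeat the question name with identical case,
    and carry only records inside the queried zone's bailiwick."""
    if reply["txid"] != query["txid"]:
        return False, "txid mismatch"
    if reply["dport"] != query["sport"]:
        return False, "port mismatch"
    if reply["qname"] != query["qname"]:  # case-sensitive: the 0x20 check
        return False, "0x20 case mismatch"
    for rr in reply["records"]:
        if not in_bailiwick(rr["owner"], zone):
            return False, "out-of-bailiwick record " + rr["owner"]
    return True, "accepted"


def demo(seed: int = 1) -> dict:
    """Run three constructed replies against one query and return verdicts."""
    rng = random.Random(seed)
    zone = "example.com."                      # constructed zone
    q = build_query("www.example.com.", rng)

    genuine = {"txid": q["txid"], "dport": q["sport"], "qname": q["qname"],
               "records": [{"owner": "www.example.com.", "type": "A",
                            "data": "192.0.2.10"}]}
    # Attacker that matched TXID and port but did not see the query on the
    # wire, so the case pattern of the name is wrong.
    forged_case = dict(genuine, qname=q["qname"].swapcase())
    # Reply that passes all three randomization checks but tries to plant a
    # record for an unrelated zone in the additional section.
    poison = dict(genuine, records=genuine["records"] + [
        {"owner": "ns.other.test.", "type": "A", "data": "198.51.100.1"}])

    return {
        "name_ok": q["qname"].lower() == "www.example.com.",
        "entropy_bits": round(spoof_entropy_bits(q), 2),
        "genuine": reply_accepted(q, genuine, zone),
        "forged_case": reply_accepted(q, forged_case, zone),
        "poison": reply_accepted(q, poison, zone),
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```

The bailiwick test is the "sanity check on incoming data" of the statement: a reply that clears every randomization hurdle still cannot insert a record for a zone the resolver did not ask about. The entropy figure is per forged packet; an attacker who can make the resolver issue many queries still gets many tries, which is why the statement treats these measures as mitigations and DNSSEC as the fix.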

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

The vendor has also posted an additional statement about this issue at the following location:

<http://nlnetlabs.nl/publications/DNS_cache_poisoning_vulnerability.html>

If you have feedback, comments, or additional information about this vulnerability, please send us email.