Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.
RFC 1034 describes how domain delegation works in DNS but does not prescribe a specific implementation, leaving each DNS server to implement delegation handling in its own way. In some implementations of recursive resolvers, a query to a malicious authoritative server may cause the resolver to follow an infinite chain of referrals. Attempting to follow the infinite chain can cause a denial-of-service (DoS) condition on the DNS resolver through resource exhaustion.
This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: "Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone."
A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service.
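To make the failure mode concrete, here is a toy iterative resolver that follows referrals against a constructed namespace, added as an example and not code from this note or from any listed vendor. The attacker's server never answers and delegates every query, without glue, to a nameserver one label deeper; the `max_referrals` cap on the resolver is the kind of per-query bound a fixed implementation applies. All names, addresses and server functions are invented for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Referral:              # an authoritative reply that delegates instead of answering
    ns_name: str             # nameserver the query is sent to next
    glue: str = ""           # its address, if the referring server supplied glue

class ReferralLimitExceeded(Exception):
    pass

# Constructed toy namespace: a server is a function qname -> Referral | address
# string, reached by address through SERVERS. Every name and address is invented.
def root_server(qname):
    if qname.endswith("example.test"):
        return Referral("ns1.example.test", glue="192.0.2.53")
    return Referral("ns0.attacker.test", glue="198.51.100.53")

def example_server(qname):
    return "192.0.2.10"      # honest zone: answers immediately

def attacker_server(qname):
    # Never answers: delegates every query, without glue, to a nameserver one
    # label deeper. Looking that name up leads straight back here, so the chain
    # of referrals is endless and no step of it is cacheable.
    return Referral("ns." + qname)

SERVERS = {"192.0.2.53": example_server, "198.51.100.53": attacker_server}

class Resolver:
    # max_referrals caps the referrals followed for one client query, nested
    # lookups of glueless nameservers included; None is the unbounded case.
    def __init__(self, max_referrals=None):
        self.max_referrals, self.referrals = max_referrals, 0

    def resolve(self, qname):
        server = root_server
        while True:
            resp = server(qname)
            if isinstance(resp, str):
                return resp
            self.referrals += 1
            if self.max_referrals is not None and self.referrals > self.max_referrals:
                raise ReferralLimitExceeded(f"{qname}: over {self.max_referrals} referrals")
            addr = resp.glue or self.resolve(resp.ns_name)  # glueless: nested lookup
            server = SERVERS[addr]

def lookup(qname, max_referrals=None):
    # Returns (outcome, address, referrals followed).
    r = Resolver(max_referrals)
    try:
        return ("answer", r.resolve(qname), r.referrals)
    except ReferralLimitExceeded:
        return ("limit", None, r.referrals)
    except RecursionError:   # the unbounded resolver ran out of stack: the DoS
        return ("exhausted", None, r.referrals)
```

Without a cap the toy resolver only stops when the interpreter's own recursion limit trips, standing in for the memory and CPU exhaustion described above; with a cap it fails the single malicious query and keeps serving everyone else.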
Apply an update from your vendor. The vendor status list below indicates which implementations are affected.
Vendor                                     Status
Internet Systems Consortium                Affected
NEC Corporation                            Affected
NLnet Labs                                 Affected
CZ NIC                                     Not Affected
European Registry for Internet Domains     Not Affected
GNU adns                                   Not Affected
GNU glibc                                  Not Affected
Microsoft Corporation                      Not Affected
Nominum                                    Not Affected
OpenDNS                                    Not Affected
Secure64 Software Corporation              Not Affected
djbdns                                     Not Affected
dnsmasq                                    Not Affected
gdnsd                                      Not Affected
Cisco Systems, Inc.                        Unknown
F5 Networks, Inc.                          Unknown
JH Software                                Unknown
ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.
This document was written by Garret Wassermann.