search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Recursive DNS resolver implementations may follow referrals infinitely

Vulnerability Note VU#264212

Original Release Date: 2014-12-09 | Last Revised: 2015-10-27

Overview

Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.

Description

RFC 1034 describes the standard technical issues of enabling domain delegations in DNS, but does not provide a specific implementation, leaving DNS servers to provide their own methods to implement RFC 1034. In some implementations of recursive resolvers, a query to a malicious authoritative server may cause the resolver to follow an infinite chain of referrals. Attempting to follow the infinite chain can cause a denial-of-service (DoS) situation on the DNS resolver due to resource exhaustion.

This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: "Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone."

Depending on how the resolver handles out-of-bailiwick glue records and performs simultaneous queries, it may also be possible to cause the resolver to perform a DoS attack on a target using DNS traffic.

Impact

A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service.

Resolvers that follow multiple referrals at once can cause large bursts of network traffic.

Solution

Apply an update

These issues are addressed by limiting the maximum number of referrals followed and the number of simultaneous queries. See the Vendor Information section below for information about specific vendors.

Vendor Information

264212
 
Affected   Unknown   Unaffected

EfficientIP

Notified:  December 11, 2014 Updated:  May 11, 2015

Statement Date:   December 22, 2014

Status

  Affected

Vendor Statement

All products are affected if they are used as a recursive DNS server. All versions are affected. Upgrade to the latest patch of your release: 5.0.4.p1 or 5.0.3.p4.

Available releases can be downloaded at: 
http://www.efficientip.com/support-services/

Vendor Information

CVE-2014-8602 covers this vulnerability if you are running Unbound.
CVE-2014-8500 covers this vulnerability if you are running BIND.

Vendor References

Infoblox

Notified:  November 24, 2014 Updated:  December 11, 2014

Statement Date:   December 11, 2014

Status

  Affected

Vendor Statement

"All versions of NIOS prior to 6.8.13, 6.10.11, 6.11.7 and 6.12.2 are affected
by the vulnerability.

Please update to fixed versions available through the Infoblox support site or
contact Infoblox Support for further assistance.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Internet Systems Consortium

Updated:  December 09, 2014

Status

  Affected

Vendor Statement

Upgrade to the patched release most closely related to your current version of BIND.  Patched builds of currently supported branches of BIND (9.9 and 9.10) can be downloaded via http://www.isc.org/downloads

    • BIND 9 version 9.9.6-P1
    • BIND 9 version 9.10.1-P1

    Vendor Information

    This vulnerability has been fixed in the latest version of BIND. Users are encouraged to update BIND as soon as possible. This issue in BIND is assigned CVE-2014-8500.

    Vendor References

MaraDNS

Notified:  December 03, 2014 Updated:  January 26, 2015

Statement Date:   January 24, 2015

Status

  Affected

Vendor Statement

"I have released MaraDNS 2.0.10, MaraDNS 1.4.15, and Deadwood 3.2.06
which are patched against this possible vulnerability.

Downloads are available at http://maradns.samiam.org/download/ and
https://github.com/samboy/MaraDNS
".

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

NEC Corporation

Updated:  October 26, 2015

Status

  Affected

Vendor Statement

We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-008.html>(only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

NLnet Labs

Updated:  December 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2014-8602 covers this vulnerability in Unbound.

Vendor References

PowerDNS

Updated:  December 09, 2014

Status

  Affected

Vendor Statement

Upgrade to PowerDNS Recursor 3.6.2.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

CZ NIC

Notified:  December 17, 2014 Updated:  December 18, 2014

Statement Date:   December 18, 2014

Status

  Not Affected

Vendor Statement

"Knot DNS is an authoritative-only DNS and thus is not vulnerable to
this attack.  We are in early stages of development for Knot DNS
Resolver, so we will make sure that we mitigate this vulnerability.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

European Registry for Internet Domains

Notified:  December 17, 2014 Updated:  December 18, 2014

Statement Date:   December 18, 2014

Status

  Not Affected

Vendor Statement

"We are not affected by this issue as we currently do not provide a recursive resolver."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU adns

Notified:  December 03, 2014 Updated:  December 17, 2014

Statement Date:   December 17, 2014

Status

  Not Affected

Vendor Statement

"adns is a stub resolver and does not follow delegation chains
at all.  So it is not vulnerable.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GNU glibc

Updated:  December 18, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified:  December 18, 2014 Updated:  December 29, 2014

Statement Date:   December 20, 2014

Status

  Not Affected

Vendor Statement

"The Windows DNS server is "not affected" ... The Windows DNS server by default has ways to put a cap on the maximum effort it makes to resolve such chains. [Administrators] can further reduce or increase the cap as suited."

Vendor Information

The statement above refers to the following Microsoft TechNet Blog post describing how administrators may set the effort cap on the Microsoft DNS server:

http://blogs.technet.com/b/networking/archive/2014/12/15/handling-endless-delegation-chains-in-windows-dns-server.aspx

Vendor References

Nominum

Notified:  November 24, 2014 Updated:  December 09, 2014

Statement Date:   December 09, 2014

Status

  Not Affected

Vendor Statement

"Nominum servers are not vulnerable to this attack directly".

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenDNS

Notified:  December 10, 2014 Updated:  December 18, 2014

Statement Date:   December 10, 2014

Status

  Not Affected

Vendor Statement

"OpenDNS is not vulnerable to this attack."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Secure64 Software Corporation

Notified:  November 24, 2014 Updated:  December 19, 2014

Statement Date:   December 19, 2014

Status

  Not Affected

Vendor Statement

""Secure64 servers are not directly vulnerable to this infinite recursion attack".

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

djbdns

Notified:  December 03, 2014 Updated:  December 10, 2014

Statement Date:   December 04, 2014

Status

  Not Affected

Vendor Statement

"All versions: Not vulnerable."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

dnsmasq

Notified:  December 03, 2014 Updated:  December 05, 2014

Statement Date:   December 04, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

gdnsd

Notified:  December 17, 2014 Updated:  December 18, 2014

Statement Date:   December 18, 2014

Status

  Not Affected

Vendor Statement

"gdnsd is not vulnerable to this attack because it is a pure authoritative server; it never sends DNS queries to other servers."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple

Notified:  December 03, 2014 Updated:  December 03, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    Cisco Systems, Inc.

    Notified:  December 03, 2014 Updated:  December 03, 2014

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      F5 Networks, Inc.

      Notified:  November 24, 2014 Updated:  November 24, 2014

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        JH Software

        Notified:  December 17, 2014 Updated:  December 18, 2014

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor Information

        We are not aware of further vendor information regarding this vulnerability.

        View all 22 vendors View less vendors


        CVSS Metrics

        Group Score Vector
        Base 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P
        Temporal 3.4 E:POC/RL:OF/RC:C
        Environmental 3.4 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

        References

        Acknowledgements

        ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.

        This document was written by Garret Wassermann.

        Other Information

        CVE IDs: CVE-2014-8601, CVE-2014-8500, CVE-2014-8602
        Date Public: 2014-12-08
        Date First Published: 2014-12-09
        Date Last Updated: 2015-10-27 02:27 UTC
        Document Revision: 57

        Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.