
CERT Coordination Center


Recursive DNS resolver implementations may follow referrals infinitely

Vulnerability Note VU#264212

Original Release Date: 2014-12-09 | Last Revised: 2015-10-27

Overview

Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.

Description

RFC 1034 describes how domain delegation works in DNS but does not prescribe a specific implementation, so each DNS server implements referral following in its own way. In some recursive resolver implementations, a query to a malicious authoritative server may cause the resolver to follow an infinite chain of referrals. Attempting to follow that chain exhausts the resolver's resources and results in a denial-of-service (DoS) condition on the DNS resolver.

This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: "Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone."

Depending on how the resolver handles out-of-bailiwick glue records and whether it issues queries for several referrals simultaneously, it may also be possible to make the resolver generate DNS traffic that denies service to a third-party target.

Impact

A recursive DNS resolver following an infinite chain of referrals can result in high process memory and CPU usage and eventually process termination. The effect can range from increased server response time to clients to complete interruption of the service.

Resolvers that follow multiple referrals at once can cause large bursts of network traffic.

Solution

Apply an update

These issues are addressed by limiting the maximum number of referrals followed and the number of simultaneous queries. See the Vendor Information section below for information about specific vendors.
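The following model shows the referral-following loop described above together with the two caps named as the fix: a maximum referral depth per client lookup and a maximum number of upstream queries issued on behalf of that lookup. It is an added illustration written for this note, not code from BIND, Unbound, PowerDNS or any other vendor listed below. The "authoritative side" is an in-memory function, the root-hint address and the good.example, loop.example and fanout.example names are constructed sample data, and the cap values (8 referrals, 32 queries) are arbitrary defaults chosen for the demonstration.

```python
"""Model of a recursive resolver that follows referrals under the two caps this
note names as the fix: a maximum referral depth per client lookup and a maximum
number of upstream queries issued on behalf of that lookup.  Added illustration,
not code from BIND, Unbound, PowerDNS or any other vendor listed in the note."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple, Union

ROOT = "198.51.100.1"  # constructed "root hint" address (RFC 5737 documentation range)


@dataclass(frozen=True)
class Answer:
    address: str  # final data for the queried name


@dataclass(frozen=True)
class Referral:
    nameservers: Tuple[str, ...]                        # NS names of the delegated zone
    glue: Dict[str, str] = field(default_factory=dict)  # NS name -> address, when supplied


Response = Union[Answer, Referral]
Authority = Callable[[str, str], Response]  # (server address, qname) -> response


class ReferralLimitExceeded(Exception):
    """One client lookup chained through more referrals than the configured cap."""


class QueryLimitExceeded(Exception):
    """One client lookup issued more upstream queries than the configured cap."""


class BoundedResolver:
    def __init__(self, authority: Authority, max_depth: int = 8, max_queries: int = 32) -> None:
        self.authority = authority
        self.max_depth = max_depth        # constructed cap values; real servers choose their own
        self.max_queries = max_queries
        self.queries_sent: List[Tuple[str, str]] = []  # (server, qname) log, for inspection

    def resolve(self, name: str) -> str:
        """Answer one client question starting from the root; raises when a cap is hit."""
        self.queries_sent = []
        return self._follow(name, ROOT, depth=0)

    def _query(self, server: str, name: str) -> Response:
        # One budget is shared by every sub-lookup of the client question, so fan-out
        # across many glue-less NS names cannot turn into a burst of upstream traffic.
        if len(self.queries_sent) >= self.max_queries:
            raise QueryLimitExceeded(f"{name}: budget of {self.max_queries} queries exhausted")
        self.queries_sent.append((server, name))
        return self.authority(server, name)

    def _follow(self, name: str, server: str, depth: int) -> str:
        if depth > self.max_depth:
            raise ReferralLimitExceeded(f"{name}: referral depth {depth} exceeds {self.max_depth}")
        response = self._query(server, name)
        if isinstance(response, Answer):
            return response.address
        last_error: Exception = ReferralLimitExceeded(f"{name}: delegation lists no nameserver")
        for ns in response.nameservers:
            try:
                # No glue (e.g. out-of-bailiwick NS): a fresh sub-lookup from the root, one
                # level deeper.  This is the step a hostile delegation can repeat forever.
                address = response.glue.get(ns) or self._follow(ns, ROOT, depth + 1)
                return self._follow(name, address, depth + 1)  # re-ask at the referred server
            except ReferralLimitExceeded as exc:
                last_error = exc  # this path was too deep; a resolver tries the next NS
        raise ReferralLimitExceeded(f"{name}: every delegation path exceeded the cap") from last_error


# Constructed authoritative behaviours (sample data, not real zones).
_BENIGN: Dict[Tuple[str, str], Response] = {
    (ROOT, "www.good.example"): Referral(("ns.good.example",), {"ns.good.example": "192.0.2.53"}),
    ("192.0.2.53", "www.good.example"): Answer("192.0.2.10"),
}

def benign_authority(server: str, name: str) -> Response:
    """Ordinary delegation with glue: one referral, then an answer."""
    return _BENIGN[(server, name)]

def endless_authority(server: str, name: str) -> Response:
    """Every question gets a glue-less referral to a nameserver name never seen before."""
    m = re.match(r"ns(\d+)\.", name)
    return Referral((f"ns{(int(m.group(1)) if m else 0) + 1}.loop.example",))

def fanout_authority(server: str, name: str) -> Response:
    """Each referral lists three glue-less nameservers, each delegated three ways again."""
    return Referral(tuple(f"ns{i}.{name}" for i in range(3)))

def run(authority: Authority, name: str, **caps: int) -> Tuple[str, int]:
    """Resolve `name`; report (answer, or the cap that stopped it) and the queries issued."""
    resolver = BoundedResolver(authority, **caps)
    try:
        return resolver.resolve(name), len(resolver.queries_sent)
    except (ReferralLimitExceeded, QueryLimitExceeded) as exc:
        return type(exc).__name__, len(resolver.queries_sent)

if __name__ == "__main__":
    print("benign       ", run(benign_authority, "www.good.example"))
    print("endless chain", run(endless_authority, "www.loop.example", max_depth=8, max_queries=1000))
    print("fan-out      ", run(fanout_authority, "www.fanout.example", max_depth=4, max_queries=32))
```

The benign lookup finishes in two queries. Against the endless chain the depth cap stops the lookup after nine queries, and against the three-way fan-out the shared query budget stops it after 32 queries; with the query cap relaxed, the same fan-out costs 121 queries before the depth cap alone gives up, which is the traffic burst the Impact section describes. Production resolvers expose both limits as tunables (BIND, for instance, has max-recursion-depth and max-recursion-queries); when raising them, the query budget is the one that bounds outbound traffic.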

Vendor Information


EfficientIP

Notified:  December 11, 2014 Updated:  May 11, 2015

Statement Date:   December 22, 2014

Status

  Affected

Vendor Statement

All products are affected if they are used as a recursive DNS server. All versions are affected. Upgrade to the latest patch of your release: 5.0.4.p1 or 5.0.3.p4.

Available releases can be downloaded at: 
http://www.efficientip.com/support-services/

Vendor Information

CVE-2014-8602 covers this vulnerability if you are running Unbound.
CVE-2014-8500 covers this vulnerability if you are running BIND.

Vendor References

http://www.efficientip.com/support-services/

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Infoblox

Notified:  November 24, 2014 Updated:  December 11, 2014

Statement Date:   December 11, 2014

Status

  Affected

Vendor Statement

"All versions of NIOS prior to 6.8.13, 6.10.11, 6.11.7 and 6.12.2 are affected
by the vulnerability.

Please update to fixed versions available through the Infoblox support site or
contact Infoblox Support for further assistance.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Internet Systems Consortium

Updated:  December 09, 2014

Status

  Affected

Vendor Statement

Upgrade to the patched release most closely related to your current version of BIND. Patched builds of currently supported branches of BIND (9.9 and 9.10) can be downloaded via http://www.isc.org/downloads

• BIND 9 version 9.9.6-P1
• BIND 9 version 9.10.1-P1

Vendor Information

This vulnerability has been fixed in the latest version of BIND. Users are encouraged to update BIND as soon as possible. This issue in BIND is assigned CVE-2014-8500.

Vendor References

https://kb.isc.org/article/AA-01216/0

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MaraDNS

Notified:  December 03, 2014 Updated:  January 26, 2015

Statement Date:   January 24, 2015

Status

  Affected

Vendor Statement

"I have released MaraDNS 2.0.10, MaraDNS 1.4.15, and Deadwood 3.2.06
which are patched against this possible vulnerability.

Downloads are available at http://maradns.samiam.org/download/ and
https://github.com/samboy/MaraDNS
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://maradns.samiam.org/download/
https://github.com/samboy/MaraDNS
https://github.com/samboy/MaraDNS/commit/1f694df9fb972d59d77167fff9bbdd095dc5d1b4
https://github.com/samboy/MaraDNS/commit/c5c49306ed1f2627774dae27313a2b58d9a9ac6d

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Updated:  October 26, 2015

Status

  Affected

Vendor Statement

We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-008.html> (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://jpn.nec.com/security-info/secinfo/nv15-008.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NLnet Labs

Updated:  December 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

CVE-2014-8602 covers this vulnerability in Unbound.

Vendor References

https://unbound.net/downloads/CVE-2014-8602.txt

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

PowerDNS

Updated:  December 09, 2014

Status

  Affected

Vendor Statement

Upgrade to PowerDNS Recursor 3.6.2.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://blog.powerdns.com/2014/12/08/powerdns-security-notification-2014-02/
http://doc.powerdns.com/md/security/powerdns-advisory-2014-02/

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CZ NIC

Notified:  December 17, 2014 Updated:  December 18, 2014

Statement Date:   December 18, 2014

Status

  Not Affected

Vendor Statement

"Knot DNS is an authoritative-only DNS and thus is not vulnerable to
this attack.  We are in early stages of development for Knot DNS
Resolver, so we will make sure that we mitigate this vulnerability.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

European Registry for Internet Domains

Notified:  December 17, 2014 Updated:  December 18, 2014

Statement Date:   December 18, 2014

Status

  Not Affected

Vendor Statement

"We are not affected by this issue as we currently do not provide a recursive resolver."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU adns

Notified:  December 03, 2014 Updated:  December 17, 2014

Statement Date:   December 17, 2014

Status

  Not Affected

Vendor Statement

"adns is a stub resolver and does not follow delegation chains
at all.  So it is not vulnerable.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU glibc

Updated:  December 18, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  December 18, 2014 Updated:  December 29, 2014

Statement Date:   December 20, 2014

Status

  Not Affected

Vendor Statement

"The Windows DNS server is "not affected" ... The Windows DNS server by default has ways to put a cap on the maximum effort it makes to resolve such chains. [Administrators] can further reduce or increase the cap as suited."

Vendor Information

The statement above refers to the following Microsoft TechNet Blog post describing how administrators may set the effort cap on the Microsoft DNS server:

http://blogs.technet.com/b/networking/archive/2014/12/15/handling-endless-delegation-chains-in-windows-dns-server.aspx

Vendor References

http://blogs.technet.com/b/networking/archive/2014/12/15/handling-endless-delegation-chains-in-windows-dns-server.aspx

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nominum

Notified:  November 24, 2014 Updated:  December 09, 2014

Statement Date:   December 09, 2014

Status

  Not Affected

Vendor Statement

"Nominum servers are not vulnerable to this attack directly."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenDNS

Notified:  December 10, 2014 Updated:  December 18, 2014

Statement Date:   December 10, 2014

Status

  Not Affected

Vendor Statement

"OpenDNS is not vulnerable to this attack."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Secure64 Software Corporation

Notified:  November 24, 2014 Updated:  December 19, 2014

Statement Date:   December 19, 2014

Status

  Not Affected

Vendor Statement

"Secure64 servers are not directly vulnerable to this infinite recursion attack."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

djbdns

Notified:  December 03, 2014 Updated:  December 10, 2014

Statement Date:   December 04, 2014

Status

  Not Affected

Vendor Statement

"All versions: Not vulnerable."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

dnsmasq

Notified:  December 03, 2014 Updated:  December 05, 2014

Statement Date:   December 04, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

gdnsd

Notified:  December 17, 2014 Updated:  December 18, 2014

Statement Date:   December 18, 2014

Status

  Not Affected

Vendor Statement

"gdnsd is not vulnerable to this attack because it is a pure authoritative server; it never sends DNS queries to other servers."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  December 03, 2014 Updated:  December 03, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc.

Notified:  December 03, 2014 Updated:  December 03, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks, Inc.

Notified:  November 24, 2014 Updated:  November 24, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

JH Software

Notified:  December 17, 2014 Updated:  December 18, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score  Vector
Base           4.3    AV:N/AC:M/Au:N/C:N/I:N/A:P
Temporal       3.4    E:POC/RL:OF/RC:C
Environmental  3.4    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2014-8601, CVE-2014-8500, CVE-2014-8602
Date Public: 2014-12-08
Date First Published: 2014-12-09
Date Last Updated: 2015-10-27 02:27 UTC
Document Revision: 57

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.