Recursive DNS resolvers may become stuck following an infinite chain of referrals due to a malicious authoritative server.
RFC 1034 specifies how domain delegations work in DNS but does not prescribe how a resolver should follow them, so each DNS server implements referral handling in its own way. In some recursive resolver implementations, a query that reaches a malicious authoritative server can cause the resolver to follow an infinite chain of referrals: every response is another delegation, and an answer never arrives. Attempting to follow that chain exhausts the resolver's resources and produces a denial-of-service (DoS) condition.
This issue primarily affects recursive resolvers. Additionally, as noted in ISC Security Advisory AA-01216: "Authoritative servers can be affected if an attacker can control a delegation traversed by the authoritative server in servicing the zone."
A recursive DNS resolver following an infinite chain of referrals can consume large amounts of process memory and CPU and eventually terminate. The effect ranges from slower responses to clients to a complete interruption of the service.
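The mechanism described above, and the mitigation resolvers adopted for it, can be seen in a small model. The following is an added illustration written for this note; it is not code from ISC BIND or from any vendor listed here. It simulates a resolver that starts at the root and follows referrals. Three constructed authorities are used: a normal two-step delegation, a delegation that loops back on itself, and a server modelled on the attack in the note that answers every query with a referral to a zone name the resolver has never seen. Detecting repeated zones catches the loop but not the endless chain, because nothing in it repeats; only a cap on the number of referrals followed per query bounds the work (BIND's fix for this issue added such limits as configuration options). All zone names and the address are constructed sample values.

```python
"""Toy model of a recursive resolver chasing delegations (illustration only,
not BIND or vendor code). Authorities are plain functions that take the zone
being asked and the query name and return ("answer", data),
("referral", child_zone) or ("nxdomain", None)."""


def benign_authority(zone: str, qname: str):
    """Constructed data: root -> example.test. -> www.example.test. -> address."""
    delegations = {".": "example.test.", "example.test.": "www.example.test."}
    if zone in delegations:
        return ("referral", delegations[zone])
    if zone == "www.example.test.":
        return ("answer", "192.0.2.10")  # constructed TEST-NET-1 address
    return ("nxdomain", None)


def looping_authority(zone: str, qname: str):
    """Constructed data: a delegation cycle a.test. -> b.test. -> a.test."""
    delegations = {".": "a.test.", "a.test.": "b.test.", "b.test.": "a.test."}
    return ("referral", delegations[zone])


def endless_authority(zone: str, qname: str):
    """Model of the malicious server in the note: every query is answered with a
    referral to a zone the resolver has not visited yet (hop1, hop2, ...), so it
    never answers and never repeats a name. Without a referral budget a resolver
    talking to it never returns."""
    n = 0 if zone == "." else int(zone.split(".")[0][len("hop"):])
    return ("referral", f"hop{n + 1}.attacker.test.")


def resolve(qname: str, authority, max_referrals=None):
    """Follow referrals from the root until an answer arrives.

    Returns (rcode, data, referrals_followed). With max_referrals=None the only
    protection is the visited-zone check, which stops a cycle but not a chain of
    distinct names. A finite max_referrals makes the resolver give up with
    SERVFAIL once the budget is spent, bounding CPU and memory per query.
    """
    zone = "."
    visited = {zone}
    followed = 0
    while True:
        kind, payload = authority(zone, qname)
        if kind == "answer":
            return ("NOERROR", payload, followed)
        if kind != "referral":
            return ("NXDOMAIN", None, followed)
        if payload in visited:
            # Delegation points back at a zone already on this path.
            return ("SERVFAIL", None, followed)
        if max_referrals is not None and followed >= max_referrals:
            # Referral budget exhausted: fail the query rather than keep chasing.
            return ("SERVFAIL", None, followed)
        visited.add(payload)
        zone = payload
        followed += 1


if __name__ == "__main__":
    print(resolve("www.example.test.", benign_authority, max_referrals=7))
    print(resolve("www.a.test.", looping_authority, max_referrals=7))
    print(resolve("www.attacker.test.", endless_authority, max_referrals=7))
    # Raising the budget only lengthens the chase; the chain never ends.
    print(resolve("www.attacker.test.", endless_authority, max_referrals=10_000))
```

Calling resolve against endless_authority with max_referrals=None is deliberately not done: it loops forever, which is the resource-exhaustion condition the note describes. The budget of 7 is a sample value, not a recommended setting; a production limit has to be large enough for legitimate deep delegations and small enough that an attacker-controlled chain cannot hold a worker for long.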
Apply an update
Internet Systems Consortium
European Registry for Internet Domains
Secure64 Software Corporation
Cisco Systems, Inc.
F5 Networks, Inc.
ISC would like to thank Florian Maury (ANSSI) for discovering and reporting this vulnerability.
This document was written by Garret Wassermann.