Vulnerability Note VU#714121
Incorrect NXDOMAIN responses from AAAA queries could cause denial-of-service conditions
Some DNS servers respond with an inappropriate error message if queried for nonexistent AAAA records, which can lead to possible denial of service.
Some DNS servers respond with a "Name Error" response code (NXDOMAIN, RCODE 3) instead of "No Error" (RCODE 0) when queried for a nonexistent AAAA record. (AAAA records are used to provide name-to-address resolution for IPv6 addresses, as described in RFC1886.)
When an NXDOMAIN response code is received, the querying resolver will usually stop attempting to resolve that name. Resolvers that support negative caching (RFC2308) and receive an NXDOMAIN response will not query for A records for the same resource until the negatively cached error response has expired.
An attacker could create a localized denial-of-service condition by exploting this vulnerability.
Apply a patch from your vendor.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Cisco Systems Inc.||Affected||21 Mar 2003||23 May 2003|
|F5 Networks||Not Affected||21 Mar 2003||23 May 2003|
|djbdns||Unknown||21 Mar 2003||21 Mar 2003|
|ISC||Unknown||21 Mar 2003||21 Mar 2003|
|Microsoft Corporation||Unknown||21 Mar 2003||21 Mar 2003|
|Openwall GNU/*/Linux||Unknown||21 Mar 2003||21 Mar 2003|
CVSS Metrics (Learn More)
This document was written by Allen D Householder.
- CVE IDs: Unknown
- Date Public: 24 Feb 2003
- Date First Published: 26 Mar 2003
- Date Last Updated: 23 May 2003
- Severity Metric: 9.79
- Document Revision: 10
If you have feedback, comments, or additional information about this vulnerability, please send us email.