search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Incorrect NXDOMAIN responses from AAAA queries could cause denial-of-service conditions

Vulnerability Note VU#714121

Original Release Date: 2003-03-26 | Last Revised: 2003-05-23

Overview

Some DNS servers respond with an inappropriate error message if queried for nonexistent AAAA records, which can lead to possible denial of service.

Description

Some DNS servers respond with a "Name Error" response code (NXDOMAIN, RCODE 3) instead of "No Error" (RCODE 0) when queried for a nonexistent AAAA record. (AAAA records are used to provide name-to-address resolution for IPv6 addresses, as described in RFC1886.)

When an NXDOMAIN response code is received, the querying resolver will usually stop attempting to resolve that name. Resolvers that support negative caching (RFC2308) and receive an NXDOMAIN response will not query for A records for the same resource until the negatively cached error response has expired.

Sites operating DNS servers that respond to queries for nonexistent AAAA records with NXDOMAIN response codes may be susceptible to attackers using other sites' caching nameservers to block those other sites' users from resolving records in domains served by the broken DNS servers. Similar attacks may be possible against caching resolvers if an attacker were able to induce the resolver to look up a nonexistent AAAA record from a server acting in this manner.

Note: The same issue occurs with A6 records. However, A6 records (RFC2874) have been deemed "Experimental" by the IETF, with preference being given to AAAA records (RFC3363, RFC3364).

This is not a new issue. The NXDOMAIN in response to a AAAA query issue was noted in the (now expired) Internet Draft
draft-itojun-jinmei-ipv6-issues-00.txt:

There are broken DNS servers that return NXDOMAIN against AAAA queries, when it should return NOERROR with empty return records.  When deploying IPv6/v4 dual stack node, it becomes problem because dual stack nodes would query AAAA first, see NXDOMAIN error, and won't try to query A records.  These broken DNS servers need to be corrected.

However, we have not seen this issue documented elsewhere as a potential denial-of-service attack vector against sites with their DNS servers broken in this manner.

Impact

An attacker could create a localized denial-of-service condition by exploting this vulnerability.

Solution

Apply a patch from your vendor.

Vendor Information

714121
Expand all

Cisco Systems Inc.

Notified:  March 21, 2003 Updated:  May 23, 2003

Status

  Vulnerable

Vendor Statement

The Cisco Content Service Switch (CSS) 11000 and 11500 series switches respond
to certain Domain Name Service (DNS) name server record requests with an error
code and no Start of Authority (SOA) records, which can be negatively cached by
some DNS name servers resulting in a potential denial-of-service attack for a
particular domain name hosted by a CSS. To be affected by this vulnerability,
CSS devices must be configured for Global Server Load Balancing. The CERT/CC
issued a vulnerability note on this issue (VU#714121). Cisco is providing
repaired software, and customers are urged to upgrade to repaired code.

This vulnerability in CSS is documented as Cisco Bug IDs CSCdz62499 and
CSCea36989.
http://www.cisco.com/warp/public/707/cisco-sa-20030430-dns.shtml

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Notified:  March 21, 2003 Updated:  May 23, 2003

Status

  Not Vulnerable

Vendor Statement

F5 Networks products contain BIND 8.2 or later, and are therefore not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ISC

Notified:  March 21, 2003 Updated:  March 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  March 21, 2003 Updated:  March 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  March 21, 2003 Updated:  March 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

djbdns

Notified:  March 21, 2003 Updated:  March 21, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This document was written by Allen D Householder.

Other Information

CVE IDs: None
Severity Metric: 9.79
Date Public: 2003-02-24
Date First Published: 2003-03-26
Date Last Updated: 2003-05-23 13:46 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.