Cisco Systems Inc. Information for VU#714121

Incorrect NXDOMAIN responses from AAAA queries could cause denial-of-service conditions



Vendor Statement

The Cisco Content Service Switch (CSS) 11000 and 11500 series switches respond
to certain Domain Name Service (DNS) name server record requests with an error
code and no Start of Authority (SOA) records, which can be negatively cached by
some DNS name servers resulting in a potential denial-of-service attack for a
particular domain name hosted by a CSS. To be affected by this vulnerability,
CSS devices must be configured for Global Server Load Balancing. The CERT/CC
issued a vulnerability note on this issue (VU#714121). Cisco is providing
repaired software, and customers are urged to upgrade to repaired code.

This vulnerability in CSS is documented as Cisco Bug IDs CSCdz62499 and

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References



The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.