Internet Systems Consortium Information for VU#800113

Multiple DNS implementations vulnerable to cache poisoning



Vendor Statement

ISC is providing patches for BIND 9.3, 9.4 and 9.5 (tagged -P1) that
implement measures to enhance resilience against this sort of attack.
BIND accomplishes this by including the use of the source port of queries
as additional information that would need to be predicted by a
successful attack.

ISC is also making beta releases, BIND 9.5.1b1 and 9.4.3b2, available
for download and testing.  These beta releases provide the same
improved resiliency as the patches but with better performance for
servers with query volumes at or above 10,000 queries per second.
They are however betas, not fully tested production releases. The
patches (-P1 versions) are fully tested today and released for
production use.  Older versions of BIND 9 and BIND 8 will not be
patched as they are EOL.

ISC notes that even with these measures, the nature of the DNS
protocol is such that attacks of this nature may still succeed. The
only solution to fully counter this sort of attack is to deploy DNSSEC
in DNS zones and enable DNSSEC validation in the resolvers.
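As an added illustration (not part of ISC's statement or of BIND's own documentation), the two alternative named.conf fragments below show the configuration that defeats the patched resolver's source-port randomization and the corrected form. A fixed port in query-source pins every outgoing query to one port, so the extra information the -P1 code adds is lost; the address is a documentation placeholder.

```text
// Fragment A (weak): a fixed outgoing port, often set so that a
// firewall only has to permit one source port, pins every query to
// that port, so the 16-bit transaction ID is again the only thing
// a forged reply has to match. Do not use this on a patched server.
options {
    query-source address 192.0.2.53 port 53;   // 192.0.2.53: placeholder
};

// Fragment B (corrected): leave the port unspecified so the patched
// named chooses a random source port for each query. The firewall in
// front of the resolver must then allow outbound UDP from this
// address on the full ephemeral port range, and the matching replies
// back to it.
options {
    query-source address 192.0.2.53;           // 192.0.2.53: placeholder
};
```

Use only one of the two options blocks in a real configuration; the same consideration applies to query-source-v6 if IPv6 is in use.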

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References



There are no additional comments at this time.
