NLnet Labs Information for VU#800113
Multiple DNS implementations vulnerable to cache poisoning
- Date Notified: 14 May 2008
- Statement Date: 16 May 2008
- Date Updated: 10 Jul 2008
Unbound implements numerous strategies to prevent spoof protection;
those include UDP port randomization, RTT banding, source IP
randomization, and, optionally, so-called 0x20 query name randomization.
Besides, Unbound features an architectural element that performs sanity
checks on incoming data to prevent certain types of poisoning attempts.
Although Unbound has been built using all known protections against DNS
spoofs, the DNS protocol is inherently vulnerable to these sorts of
attacks. NLnet Labs believes that the only real solution to this problem
is the use of DNSSEC.
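The sketch below is an added example, not part of the vendor statement and not Unbound's code. It shows how two of the listed measures (UDP source port randomization and 0x20 query name randomization) combine with the 16-bit DNS query ID to widen the space an off-path spoofer must guess, and how a resolver checks a reply against the outstanding query. All function and class names are hypothetical, and RTT banding and source IP randomization are not modelled.

```python
import math
import secrets
from dataclasses import dataclass


def encode_0x20(qname: str) -> str:
    """Randomize the case of every ASCII letter; digits, dots and hyphens carry no bits."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower()) if c.isalpha() else c
        for c in qname
    )


@dataclass(frozen=True)
class Outstanding:
    txid: int      # 16-bit DNS query ID
    src_port: int  # randomized UDP source port
    qname: str     # name exactly as sent, including the 0x20 case pattern


def new_query(name: str, port_lo: int = 1024, port_hi: int = 65535) -> Outstanding:
    """Draw the unpredictable fields for one outgoing query from a CSPRNG."""
    return Outstanding(
        txid=secrets.randbits(16),
        src_port=port_lo + secrets.randbelow(port_hi - port_lo + 1),
        qname=encode_0x20(name),
    )


def accept(q: Outstanding, txid: int, dst_port: int, echoed_qname: str) -> bool:
    """Accept a reply only if it echoes all three fields; the name compare is case-sensitive."""
    return txid == q.txid and dst_port == q.src_port and echoed_qname == q.qname


def spoof_entropy_bits(name: str, port_pool: int = 1, use_0x20: bool = False) -> float:
    """Bits a blind spoofer must guess: query ID + port choice + one bit per letter."""
    letters = sum(c.isalpha() for c in name) if use_0x20 else 0
    return 16 + math.log2(port_pool) + letters


if __name__ == "__main__":
    name = "www.example.com"  # constructed sample name
    q = new_query(name)
    print(q)
    print("fixed port, no 0x20 :", spoof_entropy_bits(name), "bits")
    print("random port + 0x20  :", round(spoof_entropy_bits(name, 64512, True), 2), "bits")
```

Short names with few letters gain little from 0x20, which is one reason the statement points to DNSSEC as the real fix.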
We are not aware of further vendor information regarding this vulnerability.
The vendor has also posted an additional statement about this issue at the following location: