The Infinitely Delegating Name Servers (iDNS) Attack


The French Network and Information Security Agency (ANSSI) identified a critical vulnerability in the three major open-source DNS recursive nameservers : BIND, Unbound and PowerDNS Recursor.
This vulnerability allows attackers to perform denial of service attacks against the vulnerable implementations or to take advantage of the vulnerable implementations to perform distributed denial of service attacks against third parties, with a significant packet amplification factor.

All unpatched versions of the affected software are vulnerable. The patched versions are BIND 9.9.6-P1, BIND 9.10.1-P1, Unbound 1.5.1 and PowerDNS Recursor 3.6.2. No workaround exists to avoid the risk altogether. However, some workarounds might exist for Unbound and PowerDNS recursor deployments to lower the probability of exploitation or the availability impact.
The ANSSI recommends network operators to update their DNS software as soon as possible.

For more information, the interested reader may read our executive summary, its technical appendix and the various security advisories that were published by the vendors : ISC, NlNet Labs, PowerDNS.

 

  • pdf

    The Infinitely Delegating Name Servers (iDNS) Attack

    56.73 Ko