BIND 9.18, the Extended Support Version (ESV) of the world’s most widely deployed DNS software, has introduced a suite of security enhancements and support for modern encrypted DNS transports.
Notably, this release branch is the first stable BIND version to support DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT), allowing encrypted DNS queries and responses, a significant step forward for privacy and security in DNS infrastructure.
Administrators can configure limits on connections over these transports to prevent resource exhaustion, a critical feature for mixed-use systems where encrypted connections are more CPU-intensive.
The popular dig tool has also been updated to send queries over both DoT and DoH, using the +tls and +https options respectively.
Zone transfers over TLS (XoT) are now supported, enabling secure transfer of DNS zones between servers.
However, forwarding DNS queries over DoT or DoH is not yet available, and these features are considered experimental until broader deployment is observed in production environments.
BIND 9.18 also refines Transport Layer Security (TLS) data processing, ensuring that incoming TLS data is deciphered before processing, making its behavior more predictable and robust, especially under variable network conditions.
Technical Upgrades, New Features, and Configuration Changes
BIND 9.18 introduces several technical improvements aimed at performance, reliability, and compliance with evolving standards.
Key enhancements include:
- Catalog Zones v2: Catalog zones, which are meta-zones listing other zones to be served, now support the standardized IETF schema version 2. This update brings improved interoperability and reliability for large-scale DNS deployments.
- Aggressive Use of DNSSEC-Validated Cache: The synth-from-dnssec feature, implementing RFC 8198, is enabled by default, allowing BIND to synthesize negative answers using NSEC records, reducing unnecessary queries and improving efficiency.
- New Configuration Options: Administrators can now fine-tune system performance with options such as tcp-receive-buffer, tcp-send-buffer, udp-receive-buffer, and udp-send-buffer. These allow precise control over OS-level buffers, crucial for high-traffic servers.
- Resource Record Limits: To mitigate denial-of-service risks, new options such as max-records-per-type and max-types-per-name limit the number of resource records per name and type in zone or cache databases. The default limit is 100, but this can be adjusted for specific environments.
- RPZ and Catalog Zone Responsiveness: Response Policy Zone (RPZ) and catalog zone updates now run on specialized “offload” threads, minimizing their impact on main networking threads and enhancing the responsiveness of DNS query processing.
Deprecated and removed features include the discontinuation of native Windows support, the removal of the map zone file format, and the deprecation of several legacy configuration options and utilities, such as the auto-dnssec option and the glue-cache setting.
Bug Fixes, Known Issues, and Security Patches
BIND 9.18 has addressed numerous bugs and security vulnerabilities, including several CVEs. Highlights include:
- Security Fixes: The branch has patched vulnerabilities related to denial-of-service via excessive DNSSEC signatures (CVE-2023-50387), NSEC3 closest encloser proofs (CVE-2023-50868), and DNS-over-HTTPS flooding (CVE-2024-12705).
- TLS and EDNS Improvements: The software now stops caching the lack of EDNS support when spoofed responses are received, preventing DNSSEC lookup failures. TLS data handling has been made more robust, and partial TLS writes are now properly managed to avoid message corruption.
- Catalog Zone Stability: Several minor stability issues with catalog zone implementation have been resolved, and key management routines have been hardened to handle missing key files safely.
- Known Issues: The current release notes indicate no new major known issues, but administrators are encouraged to consult the official documentation for the latest updates and to review the list of deprecated features before upgrading.
Example Configuration Snippet
To enable DNS-over-TLS on a specific interface, an administrator might use the following in named.conf:
options {
    // DoT listener: port 853, using the TLS context named "default" below
    listen-on port 853 tls "default" { any; };
};
tls "default" {
    cert-file "/etc/bind/tls/server.crt";
    key-file "/etc/bind/tls/server.key";
};
This configuration enables DoT on port 853 using the specified certificate and key files.
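The fragment below, added here as an illustration and not taken from this article or from the BIND project, extends that snippet into a named.conf that combines the DoT, DoH and XoT transports with the tuning options the article lists; the addresses, file paths, zone name and buffer sizes are assumed placeholders.

```conf
# Added example (not part of this article or the BIND project): a named.conf
# fragment combining the 9.18 features described above. Addresses, paths,
# the zone name and buffer sizes are placeholders.
options {
    # Plain DNS, DoT (853) and DoH (443) listeners on all interfaces.
    listen-on port 53 { any; };
    listen-on port 853 tls local-tls { any; };
    listen-on port 443 tls local-tls http local-doh { any; };

    # Cap concurrent DoH clients and HTTP/2 streams per connection so
    # encrypted traffic cannot exhaust the server (these are the defaults).
    http-listener-clients 300;
    http-streams-per-connection 100;

    # OS-level socket buffer sizes in bytes; 0 would keep the OS default.
    tcp-receive-buffer 262144;
    tcp-send-buffer 262144;
    udp-receive-buffer 262144;
    udp-send-buffer 262144;

    # Limit records per name/type (the 9.18 default of 100) to bound
    # oversized RRsets in zone and cache databases.
    max-records-per-type 100;
    max-types-per-name 100;

    # RFC 8198: synthesize negative answers from cached NSEC records.
    synth-from-dnssec yes;
};

# TLS context shared by the DoT and DoH listeners and by XoT.
tls local-tls {
    cert-file "/etc/bind/tls/server.crt";
    key-file "/etc/bind/tls/server.key";
    protocols { TLSv1.2; TLSv1.3; };   # refuse older TLS versions
};

# HTTP endpoint served by the DoH listener.
http local-doh {
    endpoints { "/dns-query"; };
};

# Primary zone whose outbound transfers are only offered over TLS (XoT)
# to one named secondary.
zone "example.com" {
    type primary;
    file "/etc/bind/zones/db.example.com";
    allow-transfer port 853 transport tls { 192.0.2.10; };
};
```

Validate the file with named-checkconf before reloading, and confirm each transport from a client with dig +tls @<server> example.com and dig +https @<server> example.com.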
BIND 9.18 represents a significant leap in DNS server security, performance, and standards compliance.
With extended support through 2025, it is positioned as the recommended choice for organizations seeking stability, modern features, and robust security in their DNS infrastructure.