US CISA Urges BIND 9 Users to Address New DNS Exploits

Newly Discovered Security Flaws Can Trigger DNS Performance Issues, CISA Says

Hackers could exploit newly discovered vulnerabilities affecting the Internet Systems Consortium's widely used software for managing domain name system services, warns a new advisory.

The U.S. Cybersecurity and Infrastructure Security Agency urged users and administrators to apply critical updates for the ISC's Berkeley Internet Name Domain 9, known as BIND 9, a key implementation of the Domain Name System protocol that resolves web domains.

The security advisories address multiple exploits that could lead to denial of service, including vulnerabilities that could be used to exhaust central processing unit resources and make servers unstable and prone to disruption.

BIND 9 is the "first, oldest and most commonly deployed" DNS solution, according to the ISC. A wide range of financial and academic institutions use BIND, and so do government agencies, regional and community internet service providers and major manufacturers.

DNS wasn't designed with security in mind, and similar exploits have led to continued weaknesses across the internet - along with vulnerabilities found in Border Gateway Protocol (see: Criminals, Nation-States Keep Hijacking BGP and DNS).

DNS exploits have led to high-profile attacks such as the massive distributed denial-of-service attack on Dyn's servers in 2016, which triggered a widespread disruption to sites and services such as Twitter, Reddit and Spotify (see: DDoS Attack Blamed for Massive Outages). The U.S. federal government and U.K. National Cyber Security Center have since implemented several cyber policy updates to improve security around DNS solutions and internet traffic.

The recently discovered vulnerabilities can affect BIND's resolver caches and authoritative zone databases, which can suffer from slower performance as content is added or modified, CISA said. Another exploit can lead to errors when a user requests outdated information, which causes the system to check local records. The vulnerabilities can cause additional system crashes or disruptions that affect the overall reliability and stability of BIND's DNS services, according to the advisories.


About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.



