Andrew Skalski

#48195 of 53,633
5.3 Total CVSS
Vulnerabilities · 1
PT-2018-3003
5.3
2018-06-12
ISC · BIND 9 · CVE-2018-5738
**Name of the Vulnerable Software and Affected Versions**

- BIND 9 versions 9.9.12 through 9.9.12-S2
- BIND 9 versions 9.10.7 through 9.10.7-S1
- BIND 9 versions 9.11.3 through 9.11.3-S2
- BIND 9 versions 9.12.0 through 9.12.1-P2
- BIND 9 version 9.13.0

**Description**

The issue is related to the `bin/named/server.c` component of the DNS BIND server, which lacks protection for service data. This could allow a remote attacker to gain unauthorized access to protected information. The problem affects the recursive query permission settings, potentially allowing unauthorized clients to make recursive queries to a BIND nameserver. This can lead to increased server load, participation in DNS reflection attacks, and potential leakage of private information about previously serviced queries.

**Recommendations**

- For BIND 9 versions 9.9.12 through 9.9.12-S2, update the `allow-recursion` setting to explicitly define permitted clients.
- For BIND 9 versions 9.10.7 through 9.10.7-S1, review and update the `allow-query-cache` or `allow-query` settings to ensure proper inheritance of `allow-recursion` values.
- For BIND 9 versions 9.11.3 through 9.11.3-S2, verify that `recursion yes` is in effect and set `allow-recursion` to the intended default of `{localhost; localnets;}` if no match list values are provided for `allow-query-cache` or `allow-query`.
- For BIND 9 versions 9.12.0 through 9.12.1-P2, and version 9.13.0, consider disabling recursive queries for unauthorized clients as a temporary workaround until a patch is available.
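The configuration condition named in the recommendations can be checked mechanically. The following Python script is an added example, not part of the advisory or of ISC's code: it flags a `named.conf` whose global `options` block leaves recursion enabled (BIND's default when no `recursion` statement is present) with no explicit `allow-recursion`, `allow-query-cache` or `allow-query` match list. The function names and sample configurations are constructed for illustration, and the script assumes a single file: `include` directives and `view`-level overrides are not followed.

```python
import re

# Constructed named.conf samples (not from any real server).
EXPOSED = """
options {
    directory "/var/named";   // no recursion statement: BIND defaults to yes
    listen-on { any; };
};
"""
PINNED = """
options {
    recursion yes;
    allow-recursion { localhost; localnets; };
};
"""
ACLS = ("allow-recursion", "allow-query-cache", "allow-query")

def options_block(conf):
    """Return the body of the global options { ... } block, comments removed."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#)[^\n]*", "", conf)  # simplification: ignores quoting
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return conf[m.end():]

def audit(conf):
    """Flag recursion left on with no explicit match list to bound it."""
    opts = options_block(conf)
    rec = re.search(r"(?<![\w-])recursion\s+(\w+)\s*;", opts)
    recursion_on = rec is None or rec.group(1).lower() not in ("no", "false", "0")
    explicit = [k for k in ACLS
                if re.search(r"(?<![\w-])" + re.escape(k) + r"\s*\{", opts)]
    return {"recursion": recursion_on, "explicit": explicit,
            "at_risk": recursion_on and not explicit}

if __name__ == "__main__":
    for name, conf in (("EXPOSED", EXPOSED), ("PINNED", PINNED)):
        print(name, audit(conf))
```

An `at_risk` result is only meaningful on the affected versions listed above; on those, adding an explicit `allow-recursion` match list to the `options` block clears the flag.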