Jun Li

**Name of the Vulnerable Software and Affected Versions** ISC BIND 9 versions 9.1.1 through 9.8.1-P1 ISC BIND 9 version 9.7.0 ISC BIND 9 version 9.7.2 **Description** The issue allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack. This occurs because the resolver in ISC BIND 9 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query. The estimated number of potentially affected devices is not specified. However, the issue has been leveraged for DNS tunneling in various campaigns, including those by Darkhydrus, Oilrig, and Cobalt katana, targeting educational institutions, network infrastructure, and cloud environments across APAC, America, EMEA, and Japan. **Recommendations** For ISC BIND 9 versions 9.1.1 through 9.8.1-P1, consider updating to a version that is not affected by this issue. For ISC BIND 9 version 9.7.0, consider updating to a version that is not affected by this issue. For ISC BIND 9 version 9.7.2, consider updating to a version that is not affected by this issue. As a temporary workaround, consider restricting the use of the resolver function to minimize the risk of exploitation.