Xiang Li

**Name of the Vulnerable Software and Affected Versions** versions prior to the updated version **Description** An attacker spoofing responses to ECS-enabled requests sent by the Recursor may succeed. The updated version includes mitigations against spoofing attempts of ECS-enabled queries by chaining ECS-enabled requests and enforcing stricter validation of received responses. The most strict mitigation is enabled when the `outgoing.edns subnet harden` setting is enabled. **Recommendations** Update to the latest version to apply the mitigations. Enable the `outgoing.edns subnet harden` setting.

**Name of the Vulnerable Software and Affected Versions** Unbound (affected versions not specified) **Description** A multi-vendor cache poisoning vulnerability, named 'Rebirthday Attack', has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is vulnerable when compiled with ECS support (i.e., '--enable-subnet') and configured to send ECS information to upstream name servers (i.e., at least one of the 'send-client-subnet', 'client-subnet-zone', or 'client-subnet-always-forward' options is used). This allows malicious actors to potentially match DNS transaction IDs and cache poisonous replies. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Technitium versions through 11.0.2 **Description** An issue in the forwarding mode enables attackers to create a query loop using Technitium resolvers, launching amplification attacks and potentially causing denial-of-service (DoS). **Recommendations** For versions through 11.0.2, consider disabling the forwarding mode as a temporary workaround to prevent query loop attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CoreDNS versions through 1.10.1 **Description** An issue was discovered in DNS resolving software, which triggers a resolver to ignore valid responses, thus causing denial of service for normal resolution. In an exploit, the attacker could forge a response targeting the source port of a vulnerable resolver without the need to guess the correct TXID. **Recommendations** For CoreDNS versions through 1.10.1, update to a version later than 1.10.1 to resolve the issue. At the moment, there is no information about additional mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CoreDNS versions 1.10.1 and earlier **Description** The issue allows attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack, enabling them to manipulate DNS responses. **Recommendations** For CoreDNS versions 1.10.1 and earlier, update to a version later than 1.10.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Technitium versions through 11.0.3 **Description** The issue enables attackers to conduct a DNS cache poisoning attack, allowing them to inject fake responses within 1 second. **Recommendations** For versions through 11.0.3, update to a version that contains a fix for this issue to prevent DNS cache poisoning attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Technitium versions through 11.0.2 **Description** An issue in the software enables attackers to launch amplification attacks, potentially causing denial-of-service (DoS) with an amplification factor three times higher than other software like BIND. **Recommendations** For versions through 11.0.2, update to a version later than 11.0.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Unbound (affected versions not specified) **Description** The issue is related to the DNS protocol, which allows remote attackers to cause a denial of service by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst. This can be considered traffic amplification in some cases, also known as the "DNSBomb" issue. The attack works by sending a slow stream of modified DNS requests to DNS servers, which relay the data, increasing the packet size and holding it to then release all at once in a burst of DNS traffic directly at the target. The research group claims to have tested their technique on 10 major DNS programs and 46 public DNS services and was able to launch DNSBomb at a rate of up to 8.7 Gbit/s, with DNS traffic increased up to 20,000 times its original size. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to errors in the representation of information by the user interface in the Windows DNS service. This can allow a remote attacker to conduct spoofing attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** c-ares versions prior to 1.19.1 **Description** The issue is related to a denial of service vulnerability in the c-ares library, which is an asynchronous resolver library. It occurs when a target resolver sends a query, and an attacker forges a malformed UDP packet with a length of 0, causing the target resolver to interpret the 0 length as a graceful shutdown of the connection. This can lead to a denial of service. **Recommendations** For versions prior to 1.19.1, update to version 1.19.1 to resolve the issue. As a temporary workaround, consider restricting the handling of UDP packets with a length of 0 to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PowerDNS Recursor versions through 4.6.5 PowerDNS Recursor versions through 4.7.4 PowerDNS Recursor versions through 4.8.3 **Description** The issue is related to a denial of service vulnerability in PowerDNS Recursor, where authoritative servers can be marked as unavailable. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For PowerDNS Recursor versions through 4.6.5, update to a version later than 4.6.5 to resolve the issue. For PowerDNS Recursor versions through 4.7.4, update to a version later than 4.7.4 to resolve the issue. For PowerDNS Recursor versions through 4.8.3, update to a version later than 4.8.3 to resolve the issue. As a temporary workaround, consider restricting access to the PowerDNS Recursor service until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Knot Resolver versions prior to 5.6.0 **Description** The issue enables attackers to consume the resolver's resources, launching amplification attacks and potentially causing a denial of service. A single client query may lead to a hundred TCP connection attempts if a DNS server closes connections without providing a response. **Recommendations** For versions prior to 5.6.0, update to version 5.6.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Technitium DNS Server versions prior to 10.0 **Description** The issue allows a self-CNAME denial-of-service attack. This occurs when a CNAME loop causes an answer to contain hundreds of records. **Recommendations** For versions prior to 10.0, update to version 10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Technitium DNS Server versions 8.0.2 and earlier **Description** An issue was discovered that allows variant V2 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for "Ghost" domain names. **Recommendations** For Technitium DNS Server versions 8.0.2 and earlier, update to a version later than 8.0.2 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Technitium DNS Server versions through 8.0.2 **Description** An issue was discovered that allows variant V1 of unintended domain name resolution. A revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful, because the exploitation conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for "Ghost" domain names. **Recommendations** For Technitium DNS Server versions through 8.0.2, update to a version that addresses this issue to prevent unintended domain name resolution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MaraDNS Deadwood versions 3.5.0021 and earlier **Description** An issue in MaraDNS Deadwood allows variant V1 of unintended domain name resolution. This means a revoked domain name can still be resolvable for a long time, including expired domains and taken-down malicious domains. The effects of an exploit would be widespread and highly impactful because it conforms to de facto DNS specifications and operational practices, and overcomes current mitigation patches for "Ghost" domain names. **Recommendations** For MaraDNS Deadwood versions 3.5.0021 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions 1.16.1 and earlier **Description** The issue is related to a novel type of the "ghost domain names" attack, where an Unbound instance is targeted. The attack works by querying Unbound for a rogue domain name when the cached delegation information is about to expire. A rogue nameserver delays the response, causing the cached delegation information to expire. Upon receiving the delayed answer, Unbound overwrites the now expired entries, allowing the rogue delegation information to be ever-updating. **Recommendations** Update to version 1.16.2 or later to fix the issue. As a temporary workaround, consider restricting access to the Unbound instance to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions 1.16.1 and earlier **Description** The issue is related to a novel type of "ghost domain names" attack, where an Unbound instance is targeted. This attack works by querying Unbound for a subdomain of a rogue domain name, causing the rogue nameserver to return delegation information that updates Unbound's delegation cache. This process can be repeated, keeping a rogue domain name resolvable long after revocation. The vulnerability is also described as being related to insufficient input validation, which can allow a remote attacker to cause a denial of service. **Recommendations** For NLnet Labs Unbound versions 1.16.1 and earlier, update to version 1.16.2 to fix the issue and protect against the "ghost domain names" attack. This update stores the start time for a query and uses that to decide if the cached delegation information can be overwritten, preventing the exploitation of this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Technitium DNS Server versions <= 7.0 **Description** A vulnerability in the bailiwick checking function exists that allows specific malicious users to inject `NS` records of any domain into the cache and conduct a DNS cache poisoning attack. **Recommendations** For versions <= 7.0, update to a version that fixes the bailiwick checking function issue to prevent DNS cache poisoning attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenWrt versions 19.07.x through 19.07.6 Description: A routing loop can occur when IPv6 is used, generating excessive network traffic between an affected device and its upstream ISP's router. This happens when a link prefix route points to a point-to-point link, a destination IPv6 address belongs to the prefix and is not a local IPv6 address, and a router advertisement is received with at least one global unique IPv6 prefix for which the on-link flag is set. The netifd and odhcp6c packages are affected. Recommendations: For OpenWrt versions 19.07.x through 19.07.6, update to version 19.07.7 or later to resolve the issue. As a temporary workaround, consider disabling IPv6 until a patch is available. Restrict access to the netifd and odhcp6c packages to minimize the risk of exploitation. Avoid using IPv6 prefix routes that point to point-to-point links until the issue is resolved.