PT-2021-7348 (tags: Isc, Bind)
Author: Baojun Liu and 3 others
Published: 2021-01-15 · Updated: 2026-01-30
CVE-2021-25220
CVSS v2.0: 7.8 (High); Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
BIND versions 9.11.0 through 9.11.36
BIND versions 9.12.0 through 9.16.26
BIND versions 9.17.0 through 9.18.0
BIND Supported Preview Editions versions 9.11.4-S1 through 9.11.36-S1
BIND Supported Preview Editions versions 9.16.8-S1 through 9.16.26-S1
BIND versions prior to 9.11.0, including Supported Preview Editions, are also believed to be affected but have not been tested as they are EOL.
Description
The vulnerability lies in BIND's handling of DNS queries when DNS forwarders are in use: an attacker could poison the resolver cache with incorrect records. A poisoned cache can cause subsequent queries to be sent to the wrong servers and false information to be returned to clients.
Recommendations
For BIND versions 9.11.0 through 9.11.36, update to a version outside of this range to resolve the issue.
For BIND versions 9.12.0 through 9.16.26, update to a version outside of this range to resolve the issue.
For BIND versions 9.17.0 through 9.18.0, update to a version outside of this range to resolve the issue.
For BIND Supported Preview Editions versions 9.11.4-S1 through 9.11.36-S1, update to a version outside of this range to resolve the issue.
For BIND Supported Preview Editions versions 9.16.8-S1 through 9.16.26-S1, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider restricting the use of DNS forwarders to minimize the risk of cache poisoning.
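The affected ranges above are easy to misread by hand (the Supported Preview "-S" editions have their own ranges, and versions before 9.11.0 are EOL and untested rather than confirmed). The following checker is an added example, not code from this advisory or from ISC: it parses a version string or the output of `named -v` (sample lines below are constructed) and classifies it against exactly the ranges listed on this page. Distribution packages often backport the fix without changing the upstream version number, so a match here means "verify with your vendor", not "confirmed vulnerable".

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges as listed in the advisory for CVE-2021-25220.
STANDARD_RANGES = [
    ((9, 11, 0), (9, 11, 36)),
    ((9, 12, 0), (9, 16, 26)),
    ((9, 17, 0), (9, 18, 0)),
]
# Supported Preview Editions carry an "-S<n>" suffix and have separate ranges.
PREVIEW_RANGES = [
    ((9, 11, 4), (9, 11, 36)),
    ((9, 16, 8), (9, 16, 26)),
]

# Matches "9.16.27", "9.11.36-S1", or the version inside "BIND 9.16.27 (Stable Release) ...".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(S\d+))?")


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_preview) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch), m.group(4) is not None


def assess(text: str) -> str:
    """Classify a version against the advisory's ranges.

    Returns one of: "affected", "not-affected", "eol-untested", "unknown".
    "eol-untested" mirrors the advisory's note that releases before 9.11.0 are
    believed affected but were not tested.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    ver, preview = parsed
    ranges = PREVIEW_RANGES if preview else STANDARD_RANGES
    if any(lo <= ver <= hi for lo, hi in ranges):
        return "affected"
    if ver < (9, 11, 0):
        return "eol-untested"
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample `named -v` outputs (hypothetical hosts, not real data).
    samples = {
        "resolver-a": "BIND 9.16.27 (Stable Release) <id:placeholder>",
        "resolver-b": "BIND 9.16.1-Ubuntu (Stable Release) <id:placeholder>",  # distro build: check vendor backports
        "resolver-c": "BIND 9.11.36-S1 (Supported Preview Edition) <id:placeholder>",
        "resolver-d": "BIND 9.10.8 (Extended Support Version) <id:placeholder>",
    }
    for host, banner in samples.items():
        print(f"{host}: {assess(banner)}")
```

Run it against the output of `named -v` on each resolver; any host reporting "affected" or "eol-untested" should be scheduled for the update described above (or have its vendor's backport status confirmed).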
Affected Products
Alt Linux
AlmaLinux
Astra Linux
BIND
BIND Server
CentOS
IBM AIX
Junos
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu