The Internet Systems Consortium (ISC) BIND (Berkeley Internet Name Domain) is a widely used Domain Name System (DNS) server that resolves domain names to IP addresses, enabling users to access resources across the internet easily. In February 2006, the Common Vulnerabilities and Exposures (CVE) project assigned the identifier CVE-2006-0987 to a vulnerability affecting the default configuration of ISC BIND versions earlier than 9.4.1-P1. This vulnerability concerns the improper handling of recursive DNS queries when configured as a caching name server, potentially enabling remote attackers to cause a denial-of-service (DoS) attack through traffic amplification using spoofed DNS queries. This post will discuss the vulnerability in depth, highlighting its impact on default configurations, its exploitation by attackers, and effective measures to prevent it.

Understanding CVE-2006-0987

The ISC BIND server may be configured as a caching name server, which maintains a local cache of DNS query results and handles the recursive resolution of domain names to IP addresses for clients. The vulnerability CVE-2006-0987 affects BIND default configurations, which enable recursive queries and return additional delegation information to arbitrary IP addresses. Recursive queries are DNS requests where the DNS server takes on the task of resolving the domain name in the query on behalf of the requesting client. The DNS server continues this process until it obtains the final response, which it then returns to the client.

The CVE-2006-0987 vulnerability exposes caching name servers to a DoS attack: remote attackers send DNS queries with spoofed source IP addresses, the server's responses amplify the traffic, and legitimate services are significantly disrupted.

Exploitation

Attackers exploit this vulnerability by sending specially crafted DNS queries with spoofed source IP addresses to the vulnerable caching name server. Since the default configuration of BIND allows recursive queries from any IP address, the server processes the request and returns additional delegation information. In normal scenarios, the additional delegation information helps the client resolve the domain name further. In an attack scenario, however, the spoofed source IP address in the query causes the (larger) response to be delivered to an unwitting target, and enough such responses amount to a denial of service.

An example of a vulnerable BIND configuration snippet:

options {
  directory "/var/cache/bind";
  listen-on { any; };
  allow-query { any; };
  recursion yes;
  additional-from-cache yes;
};

This configuration listens on all available IP addresses (listen-on { any; };) and allows recursive queries from any source (allow-query { any; };). Recursion and additional-from-cache options are enabled by default, making this configuration vulnerable to CVE-2006-0987.

To mitigate this vulnerability, several steps can be taken:

1. Upgrade BIND to version 9.4.1-P1 or later. ISC fixed this issue in that release and the ones that followed: Original ISC Advisory

2. Restrict recursive queries to a trusted set of clients by tightening the 'allow-recursion' directive (and, where the server need not answer other clients at all, 'allow-query') in the BIND configuration:

options {
  directory "/var/cache/bind";
  listen-on { any; };
  allow-query { any; };
  allow-recursion { trusted_clients; };
  additional-from-cache yes;
};

Replace 'trusted_clients' with your trusted IP addresses or networks, or define it as a named acl block earlier in the configuration file.

3. Disable additional delegation information in responses, which may reduce the possibility of traffic amplification:

options {
  directory "/var/cache/bind";
  listen-on { any; };
  allow-query { any; };
  recursion yes;
  additional-from-cache no;
};
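As an added example that is not part of the original post, the following Python check scans a named.conf options block for the pattern behind CVE-2006-0987 and is run against the three configurations above. The sample fragments are constructed for this example, and the fallback rules (a missing allow-recursion inherits allow-query, a missing recursion or additional-from-cache counts as yes) are an assumption that mirrors the defaults the post describes, not a full model of BIND's option inheritance.

```python
import re

# Constructed sample named.conf fragments (not from any real deployment):
# the vulnerable default-style block and the two mitigated variants.
VULNERABLE = """
options {
  listen-on { any; };
  allow-query { any; };
  recursion yes;
  additional-from-cache yes;
};
"""
RESTRICTED = """
acl trusted_clients { 192.0.2.0/24; };  // placeholder network
options {
  allow-query { any; };
  allow-recursion { trusted_clients; };
  additional-from-cache yes;
};
"""
NO_ADDITIONAL = """
options {
  allow-query { any; };
  recursion yes;
  additional-from-cache no;
};
"""

def option(conf, name):
    """Value of a top-level option ("yes", "any", an acl name, ...) or None if absent."""
    conf = re.sub(r"//.*", "", conf)  # drop // comments before matching
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"\s+([^;]*);", conf)
    return m.group(1).strip().strip("{}").strip().lower() if m else None

def audit(conf):
    """Return findings for the CVE-2006-0987 pattern; an empty list means no issue found."""
    # Assumption: missing directives fall back to the defaults the post describes.
    recursion = option(conf, "recursion") or "yes"
    clients = option(conf, "allow-recursion") or option(conf, "allow-query") or "any"
    additional = option(conf, "additional-from-cache") or "yes"
    findings = []
    if recursion == "yes" and clients == "any":
        findings.append("open-recursion")             # anyone can make the server recurse
        if additional == "yes":
            findings.append("amplifying-additional")  # replies padded with delegation data
    return findings

if __name__ == "__main__":
    for label, conf in [("vulnerable", VULNERABLE), ("restricted", RESTRICTED),
                        ("no-additional", NO_ADDITIONAL)]:
        print(f"{label:13s}: {audit(conf) or 'ok'}")
```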

Conclusion

CVE-2006-0987 was a significant vulnerability that affected the default configurations of ISC BIND as a caching name server. Remote attackers could exploit it to perform DoS attacks through traffic amplification using spoofed DNS queries, causing severe disruption of services. By understanding how the vulnerability is exploited, configuring BIND so that recursive queries are answered only for authorized clients, and upgrading the software to a fixed version, network administrators can thwart DoS attacks that leverage this vulnerability.

Timeline

Published on: 03/03/2006 11:02:00 UTC
Last modified on: 10/18/2018 16:30:00 UTC