Date: October 2025
Affecting: NLnet Labs Unbound DNS up to and including version 1.24.0 (fixed in 1.24.1)
Severity: High (Possible DNS Hijack)


Unbound is one of the most popular DNS resolvers in the Linux and *nix world, valued for its speed and its security record. A recently disclosed vulnerability, CVE-2025-11411, exposes its users to domain hijacking through cache poisoning. In this article we break down what went wrong, how the flaw can be exploited (with code samples), and how you can fix or protect your DNS infrastructure.

What is CVE-2025-11411? (In Plain English)

The flaw lies in how Unbound handled "extra" NS records (an NS RRSet) that turn up in the Authority section of DNS replies. If an attacker gets Unbound to accept a forged NS RRSet claiming which servers are authoritative for a zone, Unbound replaces its stored delegation information with the forged data. From then on, lookups for names in that zone can be sent wherever the attacker wants.

What’s affected?

All versions up to and including Unbound 1.24.0. Unbound 1.24.1 contains the fix.

What could happen?

Attackers could, under the right conditions, "poison" Unbound's cache, leading to a complete hijack of a domain. Users might then be sent to fake or hostile websites without noticing anything, because the resolver they trust is handing out the attacker's answers.

Technical Description

Normally, when Unbound receives a DNS reply it stores what's called an *NS RRSet*: the set of NS records naming the servers that are authoritative for a zone. Unbound uses this delegation information to decide where to send future queries for that zone.

If extra NS records appeared in the Authority section of a reply, vulnerable versions of Unbound were too trusting. They would replace their delegation information (who's in charge of a zone) with any in-zone NS RRSet they found there, even when it was not asked for and could have been forged.

An attacker who can get such a reply in front of Unbound, by spoofing a packet that matches an outstanding query (or by using fragmentation tricks to slip forged records into a response), can therefore overwrite what Unbound knows about a zone's nameservers. Afterwards the attacker has an open door to redirect queries for that zone at will.

Attacker spoofs a DNS reply:

They intercept or guess an outstanding DNS query (its transaction ID and source port) and craft a forged reply that matches it.

Promiscuous NS RRSet added:

They slip an "unsolicited" NS RRSet into the Authority section of that reply, pointing at *their* nameservers.

Unbound updates its records:

Because vulnerable Unbound versions trust in-zone NS data found in the Authority section, they overwrite their delegation information for the zone, believing the new servers are legitimate.

Victim is redirected:

Subsequent queries for names in that zone are sent to the attacker's servers, enabling phishing, data theft, or man-in-the-middle attacks.

Here's what an attacker-crafted DNS response might look like in Scapy for Python. The addresses are documentation-range placeholders; the forged packet is only accepted if its source address, destination port and transaction ID match a query the resolver actually sent, which an off-path attacker has to guess.

from scapy.all import *

# src must look like the authoritative server the resolver queried; dst is the victim resolver.
dns_resp = (IP(src="192.0.2.53", dst="198.51.100.1")
            / UDP(sport=53, dport=33333)          # dport = the resolver's outgoing source port
            / DNS(id=0xAAAA, qr=1, aa=1,          # id = the resolver's transaction ID
                  qd=DNSQR(qname="example.com", qtype="A"),
                  an=DNSRR(rrname="example.com", type="A", rdata="192.0.2.123"),
                  # unsolicited ("promiscuous") NS RRSet in the Authority section
                  ns=DNSRR(rrname="example.com", type="NS", rdata="ns1.malicious.com"),
                  # glue tying the rogue nameserver to an attacker-controlled address
                  ar=DNSRR(rrname="ns1.malicious.com", type="A", rdata="203.0.113.10")))

send(dns_resp, verbose=False)

The attacker forges a response that:

- Includes a bogus NS RRSet in the Authority section: "example.com NS ns1.malicious.com"
- Optionally includes a glue A record tying ns1.malicious.com to an IP the attacker controls, so the resolver can reach the rogue server without a further lookup.

References & Discussion

- Official Unbound Security Advisory (CVE-2025-11411)
- NLnet Labs Unbound Release Notes (1.24.1 and 1.24.2)
- NIST National Vulnerability Database - CVE-2025-11411

How do I fix it?

Short answer: Update Unbound.

- Unbound 1.24.1 includes the fix: it scrubs unsolicited NS RRSets, together with their address records, from all replies before they can reach the cache.
- Unbound 1.24.2 strengthens this further, also scrubbing NS RRSets from YXDOMAIN replies and from non-referral "nodata" replies.
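To make the scrubbing described above concrete, here is an added example (written for this article, not Unbound's own code) that models the check on a parsed reply: a reply that is not a referral has no business carrying an NS RRSet in its Authority section, so the NS records and the glue that exists only to serve them are dropped. The `RR` and `Reply` types are simplified stand-ins for a parsed DNS message, and the sample replies (including the ns1.malicious.com name and the documentation-range addresses) are constructed for the demo.

```python
# Added example (not Unbound's own code): a model of the scrubbing the fix performs.
# RR and Reply are simplified stand-ins for a parsed DNS message; Unbound's real
# data structures and scrub code differ.
from dataclasses import dataclass, field, replace
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str    # owner name
    rtype: str   # "A", "AAAA", "NS", "SOA", ...
    rdata: str   # textual rdata, e.g. an address or a nameserver name


@dataclass
class Reply:
    qname: str
    qtype: str
    rcode: str = "NOERROR"
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def _fqdn(name: str) -> str:
    """Canonical form: lower case, single trailing dot."""
    return name.lower().rstrip(".") + "."


def _at_or_below(name: str, zone: str) -> bool:
    """True when `name` equals `zone` or lies beneath it."""
    name, zone = _fqdn(name), _fqdn(zone)
    return zone == "." or name == zone or name.endswith("." + zone)


def is_referral(reply: Reply) -> bool:
    """A referral has no answer, rcode NOERROR, no SOA, and an NS RRset for a
    zone at or above the query name. Anything else (an answer, NXDOMAIN,
    YXDOMAIN, or a nodata reply carrying an SOA) is not a referral, so an NS
    RRset in its Authority section was not asked for."""
    if reply.answer or reply.rcode != "NOERROR":
        return False
    if any(rr.rtype == "SOA" for rr in reply.authority):
        return False
    return any(rr.rtype == "NS" and _at_or_below(reply.qname, rr.name)
               for rr in reply.authority)


def scrub_unsolicited_ns(reply: Reply) -> Tuple[Reply, List[RR]]:
    """Return (scrubbed_reply, dropped_records).

    In a non-referral reply every NS record in the Authority section is
    unsolicited and is dropped, along with A/AAAA records in the Additional
    section that exist only to serve those nameserver names. Address records
    for nameservers still named by a kept NS record (for example the Answer
    section of an NS query) are left alone."""
    if is_referral(reply):
        return reply, []
    dropped_ns = [rr for rr in reply.authority if rr.rtype == "NS"]
    if not dropped_ns:
        return reply, []
    kept_authority = [rr for rr in reply.authority if rr.rtype != "NS"]
    still_referenced = {_fqdn(rr.rdata) for rr in reply.answer if rr.rtype == "NS"}
    orphaned = {_fqdn(rr.rdata) for rr in dropped_ns} - still_referenced
    kept_additional, dropped_glue = [], []
    for rr in reply.additional:
        if rr.rtype in ("A", "AAAA") and _fqdn(rr.name) in orphaned:
            dropped_glue.append(rr)
        else:
            kept_additional.append(rr)
    scrubbed = replace(reply, authority=kept_authority, additional=kept_additional)
    return scrubbed, dropped_ns + dropped_glue


# Constructed replies for the demo (documentation addresses; attacker names assumed).
FORGED_ANSWER = Reply(                     # the forged reply from the Scapy sample above
    qname="example.com", qtype="A",
    answer=[RR("example.com", "A", "192.0.2.123")],
    authority=[RR("example.com", "NS", "ns1.malicious.com")],
    additional=[RR("ns1.malicious.com", "A", "203.0.113.10")],
)

LEGIT_REFERRAL = Reply(                    # a normal delegation: must pass through untouched
    qname="www.example.com", qtype="A",
    authority=[RR("example.com", "NS", "ns1.example.com"),
               RR("example.com", "NS", "ns2.example.com")],
    additional=[RR("ns1.example.com", "A", "192.0.2.1")],
)

NODATA_WITH_NS = Reply(                    # nodata reply (SOA present) smuggling an NS RRset
    qname="example.com", qtype="AAAA",
    authority=[RR("example.com", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600"),
               RR("example.com", "NS", "ns1.malicious.com")],
    additional=[RR("ns1.malicious.com", "A", "203.0.113.10")],
)


if __name__ == "__main__":
    for label, r in [("forged answer", FORGED_ANSWER),
                     ("legitimate referral", LEGIT_REFERRAL),
                     ("nodata reply with NS", NODATA_WITH_NS)]:
        _, dropped = scrub_unsolicited_ns(r)
        print(f"{label}: dropped {len(dropped)} record(s): "
              + ", ".join(f"{x.name} {x.rtype} {x.rdata}" for x in dropped))
```

Run as a script, the forged answer loses both its NS RRSet and the glue for ns1.malicious.com, the nodata reply keeps only its SOA (the 1.24.2 behaviour), and the legitimate referral is returned unchanged. The design choice worth noting is the glue rule: address records are only dropped when no surviving NS record still names that server, so scrubbing never strips glue a genuine answer depends on.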

No update possible?

- Restrict who can talk to your resolver directly (firewall rules and access-control lists), so an attacker cannot freely trigger queries towards it or deliver replies to it.
- Monitor and log the NS records your resolver holds for the zones you care about, and alert on unexpected changes.

Config check:

If you're running Unbound, check your version:

unbound -V

The first line of the output reads "Version X.Y.Z". If it shows a version older than 1.24.1, *update immediately*; 1.24.2 or later is preferable, since it extends the scrubbing to more reply types.

Update instructions

sudo apt update
sudo apt install unbound

(Or use your distro's package manager. Note that some distributions backport security fixes without changing the upstream version number; in that case, check your distribution's security advisory for CVE-2025-11411 rather than relying on the version string alone.)

If you run Unbound, this is not a drill: patch now!

*Stay safe, and monitor your DNS infrastructure closely.*


Exclusive writeup by GPT-4
*If sharing, please credit and link back to official NLnet Labs resources*

Timeline

Published on: 10/22/2025 13:15:29 UTC
Last modified on: 12/05/2025 11:15:49 UTC