How to find BIND services on your network

Latest BIND vulnerabilities #

Internet Systems Consortium (ISC) has disclosed multiple vulnerabilities affecting certain versions of ISC BIND:

• A cache poisoning vulnerability related to unsolicited resource records (RRs) - records in a DNS response that were not directly requested by a query - is possible under certain circumstances. This vulnerability exists because BIND is too lenient when accepting such records from answers. Successful exploitation allows a remote, unauthenticated adversary to inject forged records into the cache during a query. This can affect the resolution of future queries, potentially hijacking traffic. This vulnerability has been designated CVE-2025-40778 and has been rated high with a CVSS score of 8.6.
• A cache poisoning vulnerability exists due to a weakness in the pseudo-random number generator (PRNG). This weakness allows a remote, unauthenticated adversary to predict the source port and query ID that BIND will use. In specific circumstances, BIND can be tricked into caching spoofed responses from an adversary. This vulnerability has been designated CVE-2025-40780 and has been rated high with a CVSS score of 8.6.
• A resource exhaustion vulnerability exists due to flaws in handling malformed DNSKEY records. Successful exploitation allows a remote, unauthenticated adversary to query for records within a specially crafted zone containing such records. This causes the server to consume excessive CPU resources, overwhelming it and significantly impacting performance, which leads to a denial-of-service (DoS) for legitimate clients. This vulnerability has been designated CVE-2025-8677 and has been rated high with a CVSS score of 7.5.

Authoritative services are believed to be unaffected by these vulnerabilities; however, resolvers are affected.

The following versions are affected:

• BIND versions 9.11.0 through 9.16.50
  • Note: This range is only affected by CVE-2025-40778 and CVE-2025-40780. The latter (CVE-2025-40780) only affects versions 9.16.0 through 9.16.50.
• BIND versions 9.18.0 through 9.18.39
• BIND versions 9.20.0 through 9.20.13
• BIND versions 9.21.0 through 9.21.12
• BIND Supported Preview Edition versions 9.11.3-S1 through 9.16.50-S1
  • Note: This range is only affected by CVE-2025-40778 and CVE-2025-40780. The latter (CVE-2025-40780) only affects versions 9.16.8-S1 through 9.16.50-S1.
• BIND Supported Preview Edition versions 9.18.11-S1 through 9.18.39-S1
• BIND Supported Preview Edition versions 9.20.9-S1 through 9.20.13-S1

Note: BIND versions prior to 9.11.0 were not specifically assessed, but are also believed to be affected.

What is BIND? #

ISC BIND is open-source software, maintained by the Internet Systems Consortium (ISC), that implements the Domain Name System (DNS), which is the foundational protocol for translating human-readable domain names into IP addresses.

What is the impact? #

Successful exploitation of the vulnerabilities would allow an adversary to affect the resolution of future queries, thereby potentially hijacking traffic, and disrupt service operation for legitimate clients.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

• BIND versions 9.11.x through 9.18.x upgrade to version 9.18.41 or later
• BIND versions 9.20.x upgrade to version 9.20.15 or later
• BIND versions 9.21.x upgrade to version 9.21.14 or later
• BIND Supported Preview Edition versions 9.11.3-S1 through 9.18.39-S1 upgrade to version 9.18.41-S1 or later
• BIND Supported Preview Edition versions 9.20.9-S1 through 9.20.13-S1 upgrade to version 9.20.15-S1 or later

How to find potentially vulnerable systems with runZero #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=ISC AND product:=BIND AND (version:>0 AND (
  (version:>=9 AND version:<9.11.0) OR
  (version:>=9.11.0 AND version:<=9.16.50) OR
  (version:>=9.18.0 AND version:<=9.18.39) OR
  (version:>=9.20.0 AND version:<=9.20.13) OR
  (version:>=9.21.0 AND version:<=9.21.12) OR
  (version:>="9.11.3-S1" AND version:<="9.16.50-S1") OR
  (version:>="9.18.11-S1" AND version:<="9.18.39-S1") OR
  (version:>="9.20.9-S1" AND version:<="9.20.13-S1")))

December 2024: BIND 9.20 defect in QPzone implementation #

ISC disclosed that authoritative servers might experience assertion failures or other unexpected events when using DNSSEC-signed zones using NSEC3 in the QPzone implementation which utilizes the QPDB in-memory database. This could potentially lead to a denial-of-service. There was no CVE attached to this notice.

What was the impact? #

This issue affected all BIND versions from 9.20.0 to 9.20.4.  

Were updates or workarounds available? #

ISC stated they were not updating or withdrawing the 9.20 distributions. They did recommend the following either:

• Recompiling BIND 9.20 with --with-zonedb=RBTDB
• Installing the latest BIND 9.20.4 packages provided by ISC

How runZero users found potentially vulnerable systems #

From the Services Inventory, use the following query to locate systems running potentially vulnerable software:

product:bind and (_service.product:="%BIND:9.20.0%" or _service.product:="%BIND:9.20.1%" or _service.product:="%BIND:9.20.3%" or _service.product:="%BIND:9.20.4%")