ISC BIND 9 DNSSEC Query Response Remote Cache Poisoning
Medium Nessus Network Monitor Plugin ID 5243
SynopsisThe remote DNS Server is vulnerable to a remote cache-poisoning attack.
DescriptionThe remote DNS Server is running BIND 9 earlier than 9.4.3-P4, 9.5.2-P1, or 9.6.1-P2. Such versions may incorrectly ad records to its cache from the additional section of responses received during resolution of a recursive client query. This behavior only occurs when processing client queries with checking disabled (CD) at the same time as requesting DNSSEC records (DO).
SolutionUpgrade to BIND 9.4.3-P4 / 9.5.2-P1 / 9.6.1-P2 or later.