unbound: denial of service

ID ASA-201412-8
Type archlinux
Reporter Arch Linux
Modified 2014-12-09T00:00:00


The resolver can be tricked into following an endless series of delegations, which consumes a lot of resources.

Resolvers fetch the content for domain names by sending queries to authority servers on the internet. One of the responses that authority servers can return is a referral response, which points to further servers to continue the lookup. To continue the lookup, resolvers may have to perform recursion, where new names, called glue, from the referral response have to be looked up to continue the query resolution.

The issue is that the number of recursive fetches performed to resolve a particular query is not limited. A specially set-up authority server responds with an endless amount of glue. The resolver then spends a lot of resources chasing that glue, looking up names only to find out that it needs to look up even more names.
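The following simulation, added here as an illustration and not code from unbound or the advisory, models the referral-chasing loop described above with a per-query budget of glue fetches: a well-behaved delegation resolves within the budget, while an authority that keeps handing out new nameserver names without addresses exhausts it and the query fails with SERVFAIL instead of running without bound. The authority functions, the `example.test` names and the budget of 8 are constructed for the example.

```python
"""Glue-chasing with a fetch limit (constructed example, not unbound's code)."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass
class Referral:
    ns_name: str                     # nameserver the resolver is sent to next
    glue_addr: Optional[str] = None  # its address, if the referral carried glue

# An authority is modelled as: (name being queried, glue fetches so far) -> Referral
Authority = Callable[[str, int], Referral]

def endless_authority(qname: str, fetches: int) -> Referral:
    """Constructed stand-in for the special set-up in the advisory: every
    query is answered with a referral to yet another nameserver name and no
    address for it, so the resolver has to look that name up as well."""
    return Referral(ns_name=f"ns{fetches + 1}.example.test")

def benign_authority(qname: str, fetches: int) -> Referral:
    """Normal delegation: one referral without glue, then one that carries
    the nameserver address, as a well-behaved zone would provide."""
    if fetches == 0:
        return Referral(ns_name="ns.child.example.test")
    return Referral(ns_name="ns.child.example.test", glue_addr="192.0.2.53")

def resolve(qname: str, authority: Authority,
            max_glue_fetches: int = 8) -> Tuple[str, Optional[str], int]:
    """Follow referrals, looking up nameserver names when no glue is given,
    but stop once the per-query budget of extra lookups is spent.
    Returns (status, address or None, glue fetches performed)."""
    fetches = 0
    name = qname
    while True:
        ref = authority(name, fetches)
        if ref.glue_addr is not None:
            return ("NOERROR", ref.glue_addr, fetches)
        if fetches == max_glue_fetches:
            # Budget exhausted: fail this query rather than keep recursing.
            return ("SERVFAIL", None, fetches)
        fetches += 1          # one more name must be looked up to continue
        name = ref.ns_name

if __name__ == "__main__":
    print(resolve("www.example.test", benign_authority))
    print(resolve("www.example.test", endless_authority))
```

Without the `max_glue_fetches` check the loop over `endless_authority` never terminates, which is the resource exhaustion the advisory describes.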