JVN#40208370: XACK DNS vulnerable to denial-of-service (DoS)

2020-06-05 00:00:00
Japan Vulnerability Notes (jvn.jp)
CVSS3: 8.6 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: CHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS2: 5 Medium

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL
  • Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.021 Low (Percentile: 88.8%)

XACK DNS is DNS server software provided by XACK, Inc. XACK DNS contains a denial-of-service (DoS) vulnerability due to an issue commonly referred to as NXNSAttack.

Impact

A remote attacker may be able to cause the denial-of-service (DoS) conditions listed below:

  • The performance of the recursive resolver can potentially be degraded by the additional work required to perform fetches
  • An attacker can exploit this behavior to use the recursive resolver as a reflector in a reflection attack

Solution

Update the software
Apply the appropriate update according to the information provided by the developer.

  • XACK DNS 1.11.5
  • XACK DNS 1.10.9
  • XACK DNS 1.8.24
  • XACK DNS 1.7.19

If you use version 1.6.x or earlier, update the software to the latest version.

Applying this update adds a new configuration item, cache_ns_name_limit, that limits the number of queries to authoritative DNS servers for processing delegation information during full resolver name resolution.

Apply a workaround
If the latest version of the software cannot be obtained or the software update cannot be applied, applying the workaround listed below may mitigate the impact of this vulnerability.

  • Set cache_recursion_limit to a smaller value
    The developer states this setting works for all domains including root and top-level domains, but setting it too small may lower the success rate of name resolution.

Products Affected

Any of the following XACK DNS versions that use the cache server feature (full resolver configuration is set) are affected:

  • XACK DNS 1.11.0 to 1.11.4
  • XACK DNS 1.10.0 to 1.10.8
  • XACK DNS 1.8.0 to 1.8.23
  • XACK DNS 1.7.0 to 1.7.18
  • XACK DNS versions before 1.7.0
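
A triage helper for the affected and fixed version lists above, added here as an example (it is not code from JVN or XACK). The function names, status labels and the sample inventory are assumptions made for illustration; branches the advisory does not name are reported as unlisted rather than guessed.

```python
import re

# Fixed patch level per branch, from the advisory's "Update the software" list.
FIXED = {(1, 11): 5, (1, 10): 9, (1, 8): 24, (1, 7): 19}


def parse_version(text):
    """Parse 'XACK DNS 1.10.8' or '1.10.8' into a tuple of three ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(version_text, full_resolver_enabled):
    """Return (status, advice) for one installed XACK DNS version.

    status is 'affected', 'fixed', 'not-applicable' or 'unlisted'.
    """
    major, minor, patch = parse_version(version_text)
    if not full_resolver_enabled:
        # The advisory only covers installs that use the cache server feature.
        return ("not-applicable", "cache server feature not in use")
    if (major, minor) < (1, 7):
        # "Versions before 1.7.0": no per-branch fix is listed.
        return ("affected", "update to the latest version")
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch not named in the advisory: do not guess its status.
        return ("unlisted", "branch not named in JVN#40208370; ask the developer")
    if patch < fixed_patch:
        return ("affected",
                f"update to {major}.{minor}.{fixed_patch}, "
                "or set cache_recursion_limit to a smaller value")
    return ("fixed", "cache_ns_name_limit is available")


if __name__ == "__main__":
    # Constructed inventory: (host, reported version, full resolver enabled).
    inventory = [
        ("resolver-a", "XACK DNS 1.10.8", True),
        ("resolver-b", "XACK DNS 1.11.5", True),
        ("resolver-c", "XACK DNS 1.6.3", True),
        ("auth-only-d", "XACK DNS 1.8.23", False),
    ]
    for host, version, resolver in inventory:
        print(host, version, *triage(version, resolver))
```
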
