The DNS protocol in RFC 1035 and updates allows remote attackers to cause a
denial of service (resource consumption) by arranging for DNS queries to be
accumulated for seconds, such that responses are later sent in a pulsing
burst (which can be considered traffic amplification in some cases), aka
the “DNSBomb” issue.
Notes
Author |
Note |
|
Priority reason: Upstream Unbound project has rated this as having a low security impact. |
mdeslaur |
Unbound itself is not vulnerable to the DNSBomb attack, but can be used to participate in one. The commit below adds some new options to make the impact from Unbound significantly lower. Backporting the commit to mantic and lower is intrusive and may introduce regressions. |