Patch for BIND 9.8.0 DoS Vulnerability

The other ISC ( released a patch for BIND 9.8.0. The new version, 9.8.0-P1 [1] fixes a flaw that can lead to a server crash [2]. Only version 9.8.0 is vulnerable, and only if RPZ (response policy zone) is configured.

RPZ is a new feature introduced in BIND 9.8.0. This feature allows recursive name servers to selectively modify responses according to local policies. Usually, recursive name servers will not modify responses, but just forward them to the host that sent the original request. 

In order to use RPZ in BIND 9.8.0, it has to be compiled with the "--enable-rpz-nsip" or the "--enable-rpz-nsdname" option. These options make a new configuration direction available: "response-policy".

Four different policies can be used:

1. NXDOMAIN : replace all NXDOMAIN responses with a single CNAME record. This can be used to redirect users to a default host.

2. NODATA: similar to NXDOMAIN but can be used to redirect to a wildcard record.

3. NO-OP: Does nothing, and can be used to define exceptions for which NODATA/NXDOMAIN should not apply.

4. CNAME: replaces responses that return actual data other then NXDOMAIN. This can be used to apply block lists.

To configure this feature, you define a "response-policy" zone, and then the zone file will list the detailed policies. For more details, see section of the BIND 9.8 administrator reference manual [3].


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS San Francisco Winter 2022


4600 Posts
ISC Handler
May 9th 2011

Sign Up for Free or Log In to start participating in the conversation!