DNS Warning: Critical BIND Flaws Revive Cache Poisoning Attack Threat
The developers of BIND, the world’s most widely used domain name resolution software, have issued a warning about two critical vulnerabilities that allow attackers to tamper with DNS query results and redirect users to fraudulent websites that appear indistinguishable from legitimate ones.
The flaws, tracked as CVE-2025-40778 and CVE-2025-40780, both carry a high severity score of 8.6. The first stems from a logical error in DNS response handling, while the second involves a weakness in pseudo-random number generation. Patches addressing both issues were released on Wednesday. Similar vulnerabilities were also identified in the Unbound resolver, which received a moderate rating of 5.6.
Both flaws enable DNS cache poisoning, allowing attackers to replace legitimate IP addresses with malicious ones—an echo of the infamous DNS infrastructure attack revealed by researcher Dan Kaminsky in 2008. At the time, Kaminsky demonstrated that by flooding a resolver with forged UDP packets, an attacker could match transaction identifiers and substitute IP addresses for any domain, including those of Google or Bank of America.
In response to Kaminsky’s discovery, the industry adopted defensive measures, notably implementing randomized port selection instead of using the fixed port 53—greatly increasing entropy and making brute-force matching nearly impossible.
However, the new CVE-2025-40780 vulnerability once again weakens these defenses. According to BIND’s developers, flaws in the internal pseudo-random number generator could allow an attacker to predict the port number and query identifier used by the resolver, enabling the injection of forged responses.
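As an added, defender-side illustration (not code from the article, ISC or Red Hat): given (source port, transaction ID) pairs observed in a resolver's outgoing queries, estimate whether its randomization looks healthy or shows the fixed-port and counter-like patterns that make responses predictable. All samples below are constructed, and the 90%-of-maximum entropy threshold is a heuristic, not an ISC figure.

```python
"""Sanity-check a resolver's source-port / TXID randomization from observed queries."""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Shannon entropy (bits) of the observed value distribution."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_sequential(values, tolerance=0.8):
    """True if most successive deltas are identical, i.e. a counter rather than a PRNG."""
    deltas = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    if not deltas:
        return False
    most_common = Counter(deltas).most_common(1)[0][1]
    return most_common / len(deltas) >= tolerance


def assess(queries):
    """queries: list of (src_port, txid) tuples captured from outgoing DNS queries."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    max_bits = math.log2(len(queries))  # sample entropy cannot exceed log2(samples)
    findings = {
        "samples": len(queries),
        "max_bits": round(max_bits, 2),
        "port_bits": round(shannon_bits(ports), 2),
        "txid_bits": round(shannon_bits(txids), 2),
        "fixed_port": len(set(ports)) == 1,          # pre-Kaminsky-fix behaviour
        "port_sequential": looks_sequential(ports),  # predictable stride
        "txid_sequential": looks_sequential(txids),
    }
    weak = (findings["fixed_port"] or findings["port_sequential"]
            or findings["txid_sequential"]
            or findings["port_bits"] < 0.9 * max_bits   # heuristic threshold
            or findings["txid_bits"] < 0.9 * max_bits)
    findings["verdict"] = "WEAK" if weak else "OK"
    return findings


# Constructed samples standing in for real captures.
rng = random.Random(1)
GOOD = [(rng.randint(1024, 65535), rng.randint(0, 65535)) for _ in range(512)]
BAD_FIXED_PORT = [(53, rng.randint(0, 65535)) for _ in range(512)]
BAD_COUNTER = [(40000 + i, 0x1000 + 7 * i) for i in range(512)]

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("fixed", BAD_FIXED_PORT), ("counter", BAD_COUNTER)):
        print(name, assess(sample))
```

Note that a counter-based sequence scores full entropy yet is trivially predictable, which is why the delta check is needed alongside the entropy estimate.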
The second flaw, CVE-2025-40778, arises from insufficient validation of received records. In certain cases, BIND may accept spoofed data, allowing attackers to insert fake DNS entries into the cache and influence subsequent queries.
Although these vulnerabilities do not pose a threat on the scale of the Kaminsky attack, their potential impact remains significant. Authoritative DNS servers are not affected, but resolvers within corporate networks remain at risk—particularly those lacking layered security measures.
Red Hat noted that exploitation is technically challenging: it requires network spoofing and precise timing synchronization, and a successful attack does not result in full server compromise. Nonetheless, the company strongly recommends immediate patching.
Modern protections such as DNSSEC, rate limiting, and firewalls continue to effectively mitigate most such attacks. Yet for organizations still running outdated versions of BIND or Unbound without signed records, the risk remains tangible.
Updated packages are now available for download from the ISC and NLnet Labs websites.