NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.
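The TTL-extension mechanism described above, as an added, constructed model; this is not Unbound source code. A small resolver cache stores one NS rrset per name with an absolute expiry and a trust level, and the same ghost-domain sequence is run twice: once with the pre-1.25.1 behaviour (a higher-trust child apex NS rrset replaces the expired parent-side referral and receives a fresh expiry) and once with a modelled fix (the expiry of a cached NS rrset is never extended, regardless of trust). The names, the two trust levels, the TTL values and the exact form of the fix are assumptions made for the example; how Unbound reaches the child servers once the referral has expired is not modelled.

```python
"""Toy model of the ghost-domain NS TTL extension described in the advisory.

Constructed example, not Unbound code. Trust levels, names and TTLs are
assumed values chosen to make the extension visible.
"""
from dataclasses import dataclass

CACHE_MAX_TTL = 86400   # Unbound's default 'cache-max-ttl' in seconds

# Simplified trust levels: parent-side referral data is trusted less than the
# child's own (authoritative) apex NS rrset.
TRUST_REFERRAL = 1
TRUST_APEX = 2


@dataclass
class NSRRset:
    name: str
    nameservers: tuple
    expiry: int   # absolute time in seconds at which the rrset stops being valid
    trust: int


class ResolverCache:
    def __init__(self, fixed: bool, cache_max_ttl: int = CACHE_MAX_TTL):
        self.fixed = fixed                  # True models the 1.25.1 behaviour
        self.cache_max_ttl = cache_max_ttl
        self.ns = {}                        # name -> NSRRset

    def store_ns(self, name, nameservers, ttl, trust, now):
        """Store an NS rrset received at time 'now' with the given TTL."""
        expiry = now + min(ttl, self.cache_max_ttl)   # cache-max-ttl caps the TTL
        old = self.ns.get(name)
        if old is not None:
            # A lower-trust rrset never replaces a still-valid higher-trust one.
            if old.expiry > now and trust < old.trust:
                return old
            if self.fixed:
                # Modelled fix: the NS rrset's expiry is never pushed past what
                # is already cached for this name, whatever the new trust is.
                expiry = min(expiry, old.expiry)
        rr = NSRRset(name, tuple(nameservers), expiry, trust)
        self.ns[name] = rr
        return rr

    def lookup_ns(self, name, now):
        """Return the cached NS rrset if it is still valid at 'now', else None."""
        rr = self.ns.get(name)
        if rr is None or rr.expiry <= now:
            return None
        return rr


def ghost_domain_scenario(fixed: bool):
    """Run the attack sequence; returns (still_resolvable, seconds_of_extension)."""
    cache = ResolverCache(fixed)
    # t=0: the resolver follows a referral from the parent for the constructed
    # delegation 'ghost.example.'; the parent-side NS rrset has TTL 3600.
    referral = cache.store_ns("ghost.example.", ["ns1.ghost.example."],
                              3600, TRUST_REFERRAL, now=0)
    # The registry then removes the delegation from the parent zone; nothing
    # in the resolver cache changes at that moment.
    # t=3600: the referral has just expired. A single client 'ghost.example. NS'
    # query makes the resolver accept the child-side apex NS rrset, which the
    # attacker serves with a long TTL (capped at cache-max-ttl).
    apex = cache.store_ns("ghost.example.", ["ns1.ghost.example."],
                          604800, TRUST_APEX, now=3600)
    extension = apex.expiry - referral.expiry
    # Ten hours later: can the resolver still use cached NS data for the ghost?
    still_resolvable = cache.lookup_ns("ghost.example.", now=3600 + 36000) is not None
    return still_resolvable, extension


if __name__ == "__main__":
    for fixed in (False, True):
        resolvable, ext = ghost_domain_scenario(fixed)
        print(f"fixed={fixed}: ghost still resolvable={resolvable}, "
              f"window extended by {ext}s")
```

In the pre-fix run the ghost stays resolvable and the window grows by exactly one cache-max-ttl (86400 s with the default), which is the "up to one cached TTL configured value" in the advisory; in the fixed run the child apex rrset is accepted but inherits the already-expired referral's expiry, so the extension is zero.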
NLnet Labs Unbound versions 1.16.2 through 1.25.0 are vulnerable to ghost domain name attacks that extend the cached TTL window for NS records. An attacker who controls the ghost zone and can send queries to the resolver can keep a domain that has been removed from its parent zone resolvable for up to one additional 'cache-max-ttl' per attack.
This vulnerability affects DNS resolvers running NLnet Labs Unbound and lets attackers extend the ghost domain name attack window by manipulating cached TTL values. A single client NS query, or the implicit NS query Unbound sends itself when 'harden-referral-path: yes' is configured, can overwrite the expired parent-side NS records with child-side records.
Upgrade NLnet Labs Unbound to version 1.25.1 or later. Until the upgrade is done: do not enable 'harden-referral-path' as a mitigation, since with 'harden-referral-path: yes' Unbound issues the NS query itself and the attacker no longer needs to send one; if it is already enabled, consider turning it off until the resolver is patched. Restrict which clients may query the resolver ('access-control'), because the attacker must be able to send NS queries to the vulnerable instance, and consider lowering 'cache-max-ttl', which caps how far a single attack can extend the ghost window. Log and review NS-type queries for domains that have been removed from their parent zones.
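An offline check for the three points above (affected version, 'harden-referral-path', client access and 'cache-max-ttl'), as an added example that is not part of the advisory or of Unbound. It takes the text of `unbound -V` output and of an unbound.conf; the sample inputs are constructed, the `Version X.Y.Z` line format is assumed from typical `unbound -V` output, and the config reader is a deliberately small one that understands only `key: value` lines (last occurrence of a scalar option wins, a simplification).

```python
"""Offline audit helper for the Unbound ghost-domain advisory above.

Constructed example, not part of the advisory or of Unbound. Reports whether
the version is in the affected range 1.16.2..1.25.0, whether
'harden-referral-path: yes' is set (exploitable without a client NS query),
the effective 'cache-max-ttl' (upper bound on one attack's extension of the
ghost window) and whether any source address is allowed to query.
"""
import re

AFFECTED_MIN = (1, 16, 2)
AFFECTED_MAX = (1, 25, 0)
DEFAULT_CACHE_MAX_TTL = 86400   # Unbound default in seconds


def parse_version(text: str):
    """Extract the first X.Y.Z version from 'unbound -V' output or a bare string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number found")
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def parse_unbound_conf(text: str):
    """Minimal reader: ordered (key, value) pairs; comments and clause headers
    such as 'server:' are skipped. Splits on the first ':' so IPv6 values survive."""
    items = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        key, _, value = line.partition(":")
        items.append((key.strip(), value.strip().strip('"')))
    return items


def audit(version_text: str, conf_text: str) -> dict:
    version = parse_version(version_text)
    conf = parse_unbound_conf(conf_text)
    opts = dict(conf)   # last value wins for scalar options (simplification)
    harden_rp = opts.get("harden-referral-path", "no").lower() == "yes"
    cache_max = int(opts.get("cache-max-ttl", DEFAULT_CACHE_MAX_TTL))
    # Any 'allow*' access-control entry for 0.0.0.0/0 or ::/0 makes the
    # resolver reachable by arbitrary clients, including the attacker.
    open_to_any = any(
        k == "access-control"
        and v.split()[0] in ("0.0.0.0/0", "::/0")
        and v.split()[-1].startswith("allow")
        for k, v in conf
    )
    affected = is_affected(version)
    findings = []
    if affected:
        vs = ".".join(map(str, version))
        findings.append(f"version {vs} is in the affected range 1.16.2..1.25.0; "
                        "upgrade to 1.25.1 or later")
        if harden_rp:
            findings.append("harden-referral-path: yes lets the attack proceed without "
                            "any client NS query; set it to 'no' until upgraded")
        if open_to_any:
            findings.append("resolver answers any source address; restrict access-control "
                            "so only trusted clients can send NS queries")
        findings.append(f"cache-max-ttl {cache_max}s bounds how far one attack can extend "
                        "the ghost window; a lower value narrows it")
    return {
        "version": version,
        "affected": affected,
        "harden_referral_path": harden_rp,
        "cache_max_ttl": cache_max,
        "open_to_any": open_to_any,
        "findings": findings,
    }


# Constructed sample inputs (not from a real host).
SAMPLE_VERSION_OUTPUT = "Version 1.24.1\n"
SAMPLE_CONF = """
server:
    # constructed sample: open resolver with the risky option enabled
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    access-control: ::/0 refuse
    harden-referral-path: yes
    cache-max-ttl: 86400
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF)["findings"]:
        print("-", line)
```

On a real host, feed it `unbound -V` output and the running configuration (for example from `unbound-checkconf -o` per option or the config file itself); it makes no network calls.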