NLnet Labs Unbound Domain Hijacking Vulnerability in DNS Cache Poisoning

Vulnerability

A vulnerability allowing possible domain hijacking through DNS cache poisoning has been identified in NLnet Labs Unbound versions 1.24.0 and earlier. The issue arises from promiscuous NS RRSets (NS records carried in a reply that do not describe the delegation the reply was requested for) which can be injected into DNS replies and trick the resolver into updating its delegation information for the zone. Malicious actors could exploit this by spoofing packets or using fragmentation attacks to inject NS RRSets together with their respective address records, poisoning Unbound's cache for the delegation point.
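As an added illustration (example code, not Unbound's implementation and not a description of its fix), the script below parses a DNS reply and reports authority-section NS records that would alter the delegation a resolver holds: records whose owner is outside the delegation point or outside the path to the query name ("out of bailiwick"), and records for the delegation point itself that name a server the parent zone never published. The sample reply, the names `example.test`, `other.test` and `ns3.elsewhere.test`, and the assumed parent NS set are all constructed here; the parser uses only the standard library.

```python
"""Flag NS RRSets in a DNS reply's authority section that would change the
delegation a resolver holds for a zone. Constructed sample data; not Unbound's
code. Assumes a single question section entry."""
import struct

TYPE_NS = 2
QTYPE_A = 1
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in uncompressed wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def build_reply(qname, authority_ns):
    """Constructed sample reply: one A question for qname, NS RRs in authority."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, len(authority_ns), 0)
    body = encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    for owner, nsdname in authority_ns:
        rdata = encode_name(nsdname)
        body += (encode_name(owner)
                 + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, len(rdata))
                 + rdata)
    return hdr + body


def parse_authority_ns(msg):
    """Return (qname, [(owner, nsdname), ...]) for NS RRs in the authority section."""
    _qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    qname, off = read_name(msg, off)
    off += 4                                  # skip qtype and qclass
    records = []
    for section, count in enumerate((an, ns, ar)):   # 0=answer 1=authority 2=additional
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if section == 1 and rtype == TYPE_NS:
                nsdname, _ = read_name(msg, off)
                records.append((owner, nsdname))
            off += rdlen
    return qname, records


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def delegation_changes(msg, delegation_point, parent_ns):
    """Report authority-section NS RRs that fall outside, or would alter, the
    delegation for delegation_point. parent_ns is the NS set the parent zone
    publishes (assumed here; in practice taken from the referral)."""
    qname, records = parse_authority_ns(msg)
    findings = []
    for owner, nsdname in records:
        if not (in_zone(owner, delegation_point) and in_zone(qname, owner)):
            findings.append((owner, nsdname, "out of bailiwick"))
        elif owner == delegation_point and nsdname not in parent_ns:
            findings.append((owner, nsdname, "not in parent delegation"))
    return findings


# Constructed data: the parent delegates example.test to ns1 and ns2, but the
# reply for www.example.test carries an NS RRSet for example.test naming an
# extra server, plus an unrelated NS RRSet for other.test.
PARENT_NS = {"ns1.example.test.", "ns2.example.test."}
SAMPLE_REPLY = build_reply("www.example.test", [
    ("example.test", "ns1.example.test"),
    ("example.test", "ns3.elsewhere.test"),
    ("other.test", "ns1.other.test"),
])

if __name__ == "__main__":
    for owner, nsdname, reason in delegation_changes(SAMPLE_REPLY, "example.test.", PARENT_NS):
        print(f"{owner} NS {nsdname}: {reason}")
```

The check is a monitoring heuristic, not a resolver: an NS record for the delegation point that matches what the parent published is accepted, and a referral further down the tree toward the query name is accepted, while anything else is reported so an operator can see a reply that is trying to rewrite a delegation.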

Impact

Exploitation of this vulnerability could lead to unauthorized updates of DNS delegation information, allowing for potential domain hijacking.

Remediation

Users can upgrade to Unbound version 1.24.1, which includes the necessary fix. For those using Unbound 1.24.0, a patch is available that can be applied manually; this patch has been tested to work on Unbound 1.24.0. Alternatively, a minimal patch is also provided that can be used instead, but it may result in expected failures in the test suite due to the changes in behavior.

Added: Oct 22, 2025, 1:16 PM
Updated: Oct 22, 2025, 1:16 PM

Vulnerability Rating

Custom Algorithm

spread: 8.1
impact: 5.0
exploitability: 7.2
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.