CVE-2006-0987 in BIND
Summary
by MITRE
The default configuration of ISC BIND before 9.4.1-P1, when configured as a caching name server, allows recursive queries and provides additional delegation information to arbitrary IP addresses, which allows remote attackers to cause a denial of service (traffic amplification) via DNS queries with spoofed source IP addresses.
Analysis
by VulDB Data Team • 06/22/2025
CVE-2006-0987 is a critical security flaw in the Internet Systems Consortium (ISC) BIND DNS server software that affects versions prior to 9.4.1-P1. It specifically impacts BIND operating in caching mode, that is, as a recursive DNS resolver that caches responses from authoritative servers to improve performance. The flaw stems from the default configuration, which permits recursive queries to be processed without adequate restrictions, so malicious actors can abuse the resolver's normal functionality.
The technical mechanism behind this vulnerability involves the improper handling of DNS queries with spoofed source IP addresses. An attacker sends DNS queries to the BIND server with the source address forged to match the victim's IP address, and the server responds to that spoofed address rather than to the actual requester, which enables a form of DNS amplification attack. The responses delivered to the victim can be significantly larger than the original query, leading to traffic amplification ratios that can reach 28:1 or higher in some cases. This behavior occurs because the server is configured to provide additional delegation information to any requesting IP address, regardless of whether the query originated from a legitimate source.
The operational impact of this vulnerability is severe and can result in significant network disruption for affected organizations. When exploited, the vulnerability enables attackers to launch massive distributed denial of service attacks that can overwhelm network infrastructure and consume bandwidth resources at rates that far exceed the original attack traffic. The amplification factor can cause network links to become saturated, leading to legitimate service degradation or complete unavailability of network resources. Organizations running vulnerable BIND servers become unwitting participants in these attacks, as their systems are used to amplify traffic directed at victims, potentially leading to legal and operational consequences for the affected parties. The vulnerability also undermines the integrity of the DNS infrastructure by allowing unauthorized parties to manipulate DNS responses and potentially perform cache poisoning attacks.
The root cause of this vulnerability aligns with CWE-1083, which describes the weakness of allowing unauthenticated access to recursive DNS resolution services. This issue demonstrates the importance of implementing proper access controls and network segmentation in DNS infrastructure. Organizations should implement the principle of least privilege by configuring BIND servers to only respond to queries from trusted networks or specific IP address ranges. The vulnerability also relates to ATT&CK technique T1498.001, which describes DNS tunneling and amplification attacks that leverage DNS infrastructure for malicious purposes. Mitigation strategies include disabling recursive queries for external clients, implementing access control lists to restrict query sources, and configuring BIND to use source port randomization. The most effective long-term solution involves upgrading to BIND 9.4.1-P1 or later versions that include patches specifically addressing this vulnerability, along with implementing proper network monitoring and rate limiting to detect and prevent such attacks from occurring in the first place.
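The access-control mitigation above can be checked mechanically. The following is an added example, not code from VulDB, MITRE or ISC: a small audit of a named.conf options block that flags recursion left open or left to the version default. The sample configurations, the ACL name trusted, the 192.0.2.0/24 network and the function names are constructed for illustration.

```python
import re

# Constructed sample configs (illustrative, not taken from the page).
WEAK = """
options {
    directory "/var/named";
    recursion yes;   // no allow-recursion: relies on the version default
};
"""
HARDENED = """
acl trusted { 192.0.2.0/24; localhost; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
"""
OPEN_TOKENS = {"any", "0.0.0.0/0", "::/0"}

def strip_comments(text):
    """Remove /* */, // and # comments (sample-grade: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_body(text):
    """Return the text inside the top-level options { ... } block."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def audit(conf):
    """List reasons the resolver may answer recursive queries from anyone."""
    body = options_body(strip_comments(conf))
    if re.search(r"\brecursion\s+no\s*;", body):
        return []                       # recursion disabled outright
    findings = []
    for opt in ("allow-recursion", "allow-query-cache"):
        m = re.search(r"\b" + opt + r"\s*\{([^}]*)\}", body)
        if m and OPEN_TOKENS & set(m.group(1).replace(";", " ").split()):
            findings.append(opt + ": open to any source address")
        elif m is None and opt == "allow-recursion":
            findings.append(opt + ": not set, version default applies")
    return findings
```

The check does not resolve named ACLs, so an ACL such as trusted still has to be reviewed to confirm it lists only internal networks.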