CVE-2022-30698 in Unbound

Summary

by MITRE • 08/01/2022

NLnet Labs Unbound, up to and including version 1.16.1, is vulnerable to a novel type of the "ghost domain names" attack. The vulnerability works by targeting an Unbound instance. Unbound is queried for a subdomain of a rogue domain name. The rogue nameserver returns delegation information for the subdomain that updates Unbound's delegation cache. This action can be repeated before expiry of the delegation information by querying Unbound for a second level subdomain for which the rogue nameserver provides new delegation information. Since Unbound is a child-centric resolver, the ever-updating child delegation information can keep a rogue domain name resolvable long after revocation. From version 1.16.2 on, Unbound checks the validity of parent delegation records before using cached delegation information.


Analysis

by VulDB Data Team • 11/30/2025

CVE-2022-30698 is a ghost domain names attack against the NLnet Labs Unbound DNS resolver, affecting versions 1.16.1 and earlier. Ghost domain attacks exploit the delegation caching that every recursive resolver relies on for performance: once the resolver has learned which nameservers serve a zone, it keeps using them until the cached records expire. The attack specifically leverages Unbound's child-centric design, in which delegation information learned from the child zone's own nameservers is trusted and used to update the cache. The flaw allows an attacker to keep a revoked domain name resolvable indefinitely by continually feeding the resolver fresh delegation information from a rogue nameserver.

The attack works through the delegation cache in Unbound's iterative resolution process. When the resolver is asked for a subdomain of the rogue domain, the rogue nameserver answers with a referral containing delegation records for that subdomain, which the resolver caches with a fresh TTL. Before that entry expires, the attacker queries for a subdomain of the subdomain and receives yet another referral, and so on, so there is always an unexpired delegation entry under the rogue name that the resolver will use as its starting point. The root cause is that Unbound used such cached child delegations without checking that the delegation from the parent zone, the records that actually make the domain exist, was still valid, so a domain removed from the parent zone could be kept alive on the resolver for as long as the attacker kept querying.

The operational impact goes beyond a stale cache entry, because it undermines domain revocation as a security control. An attacker whose domain has been taken down can keep it resolving on affected resolvers for an extended period, sustaining phishing pages, malware distribution or other activity that depends on the name. The problem is particularly awkward because it lives on the resolver side rather than the authoritative side: once the parent zone has removed the delegation, the authoritative answer is correct, yet a resolver holding the attacker-refreshed delegation never goes back to the parent to learn that. For security operations teams this means a registry or registrar takedown does not by itself stop resolution of the name through a vulnerable resolver, and the behaviour has to be checked for each resolver implementation in use.

The remediation shipped in Unbound 1.16.2 checks the validity of the parent delegation records before using cached delegation information. In practice a cached child delegation is only used while the parent-side records it depends on are still in the cache and unexpired; once they have expired, Unbound returns to the parent zone, which no longer delegates the revoked name, and the ghost entries are never used again. This closes the attack without changing how long legitimate delegations are cached. Organizations running Unbound should upgrade to version 1.16.2 or later, and may additionally watch resolver query logs for the pattern this attack produces, repeated queries for ever-deeper subdomains of a single name, which is a useful signal of an attempt to keep a domain alive. The vulnerability demonstrates that a resolver's caching rules are a security boundary, not merely a performance optimization.
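The cache behaviour described in the analysis above and the effect of the 1.16.2 check are easier to see in a small model. The following Python simulation is an added example written for this page; it is not Unbound's code, and the zone names (example., rogue.example., ns1.rogue.example.), the 3600 second TTL and the 192.0.2.1 answer are all constructed. The same resolver model is run twice, once with the parent-delegation check switched off (1.16.1 behaviour) and once with it on (1.16.2 behaviour), against the same sequence of ever-deeper subdomain queries issued after the domain has been pulled from the parent zone.

```python
# Added simulation of the CVE-2022-30698 ghost-domain cache behaviour.
# Illustrative model code, not Unbound's source: the zone names, the
# nameserver name, the 192.0.2.1 answer and the 3600 s TTL are constructed.
from dataclasses import dataclass

TTL = 3600                    # constructed: every record in this model lives one hour
PARENT_ZONE = "example."      # constructed parent zone that delegates, then revokes, rogue.example.
ROGUE_APEX = "rogue.example."
ROGUE_NS = "ns1.rogue.example."
GHOST_ADDRESS = "192.0.2.1"   # constructed answer the rogue nameserver gives for any name


def _under(name, zone):
    return name == zone or name.endswith("." + zone)


@dataclass
class Delegation:
    zone: str          # zone the cached NS records belong to
    nameserver: str    # nameserver contacted for names under `zone`
    expires_at: int    # absolute time at which these cached records expire
    parent_zone: str   # zone whose referral taught the resolver this delegation


class AuthoritativeWorld:
    """The parent zone plus the attacker's nameserver."""

    def __init__(self):
        self.revoked = False   # set once the registry pulls rogue.example. from the parent zone

    def parent_referral(self, name):
        # The parent zone only ever delegated rogue.example.; after revocation it has nothing.
        if self.revoked or not _under(name, ROGUE_APEX):
            return None
        return ROGUE_APEX, ROGUE_NS

    def rogue_response(self, zone, name):
        # The rogue server answers for the zone itself and refers every deeper
        # label back to itself, so each new subdomain yields a fresh delegation.
        if name == zone:
            return "answer", GHOST_ADDRESS
        next_label = name[: -len(zone) - 1].split(".")[-1]   # label directly under `zone`
        return "referral", (f"{next_label}.{zone}", ROGUE_NS)


class Resolver:
    """Minimal child-centric iterative resolver with a delegation cache."""

    def __init__(self, world, check_parent):
        self.world = world
        self.check_parent = check_parent   # False models Unbound <= 1.16.1, True the 1.16.2 fix
        self.cache = {}                    # zone -> Delegation

    def _closest(self, name, now):
        # Longest unexpired cached delegation enclosing `name`.
        live = [d for d in self.cache.values() if d.expires_at > now and _under(name, d.zone)]
        return max(live, key=lambda d: len(d.zone), default=None)

    def _parent_chain_valid(self, deleg, now):
        # Walk up the delegations this entry depends on; every one must still be live.
        zone = deleg.parent_zone
        while zone != PARENT_ZONE:
            parent = self.cache.get(zone)
            if parent is None or parent.expires_at <= now:
                return False
            zone = parent.parent_zone
        return True

    def resolve(self, name, now):
        while True:
            deleg = self._closest(name, now)
            if deleg is None:
                referral = self.world.parent_referral(name)
                if referral is None:
                    return "NXDOMAIN"
                zone, ns = referral
                self.cache[zone] = Delegation(zone, ns, now + TTL, PARENT_ZONE)
                continue
            if self.check_parent and not self._parent_chain_valid(deleg, now):
                # Fixed behaviour: a child delegation whose parent-side records are
                # gone is not trusted; drop it and fall back towards the parent zone.
                del self.cache[deleg.zone]
                continue
            kind, payload = self.world.rogue_response(deleg.zone, name)
            if kind == "answer":
                return payload
            child_zone, ns = payload
            # Vulnerable behaviour: the child's referral is cached with a fresh TTL
            # and no check that the delegation from the parent is still valid.
            self.cache[child_zone] = Delegation(child_zone, ns, now + TTL, deleg.zone)


def run_scenario(check_parent):
    """Query ever-deeper subdomains after rogue.example. is revoked; returns (time, name, result)."""
    world = AuthoritativeWorld()
    resolver = Resolver(world, check_parent)
    queries = [
        (0, "a.rogue.example."),             # before revocation: parent delegation cached
        (3000, "b.a.rogue.example."),        # parent delegation still within its TTL
        (6000, "c.b.a.rogue.example."),      # parent delegation expired at t=3600
        (9000, "www.c.b.a.rogue.example."),  # only the attacker's own referrals remain
    ]
    results = []
    for now, name in queries:
        results.append((now, name, resolver.resolve(name, now)))
        world.revoked = True   # the registry pulls the domain right after the first query
    return results


if __name__ == "__main__":
    for label, flag in (("Unbound <= 1.16.1", False), ("Unbound >= 1.16.2", True)):
        print(label)
        for now, name, result in run_scenario(flag):
            print(f"  t={now:5d}  {name:26s} -> {result}")
```

Run directly, the script prints both traces. At t=3000 both modes still answer, which is correct: the delegation learned from the parent has not yet expired. The difference appears at t=6000, when the vulnerable resolver keeps following the attacker's refreshed referrals while the fixed one, finding the parent-side records expired, evicts the child entry, goes back to the parent zone and receives NXDOMAIN.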

Reservation

05/13/2022

Disclosure

08/01/2022

Moderation

accepted

CPE

ready

EPSS

0.00850

KEV

no

Activities

very low
