| Package | unbound |
|---|---|
| Version | 1.9.0-2+deb10u7 (buster) |
| Related CVEs | CVE-2025-11411 |
Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that unbound, a validating, recursive, and caching DNS resolver, was vulnerable to cache poisoning via NS RRSet injection, which could lead to domain hijack.
Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers into updating their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor who is able to attach such records to a reply (e.g., via a spoofed packet or a fragmentation attack) can poison Unbound's cache for the delegation point.
The fix scrubs unsolicited NS RRSets (and their respective address records) from replies, thereby mitigating the possible poisoning effect. The protection is enabled by default and can be turned off by setting the new configuration option "iter-scrub-promiscuous" to "no"; see unbound.conf(5).
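As an added example that is not part of this advisory or of the unbound project, the following helper audits an unbound.conf for the mitigation being switched off; it assumes the configuration file path is passed as its first argument and does not follow include: directives.

```sh
#!/bin/sh
# Hypothetical audit helper: report whether the CVE-2025-11411 mitigation
# (iter-scrub-promiscuous) is still active in a given unbound.conf.
# Returns 0 when the scrub is active (option absent, or set to "yes"),
# 1 when the option has been set to "no".
scrub_enabled() {
    conf="$1"
    # Drop comments, keep the last effective occurrence of the option,
    # and extract its bare value (quotes, if any, are removed).
    val=$(sed -e 's/#.*//' "$conf" \
        | grep -E '^[[:space:]]*iter-scrub-promiscuous:' \
        | tail -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*"?([A-Za-z]+)"?.*/\1/')
    case "${val:-yes}" in
        no|No|NO) return 1 ;;
        *)        return 0 ;;
    esac
}

# Constructed sample configuration for a stand-alone run (weak setting).
sample=$(mktemp)
printf 'server:\n\tverbosity: 1\n\titer-scrub-promiscuous: no  # weakened\n' > "$sample"
if scrub_enabled "$sample"; then
    echo "OK: promiscuous NS RRSets are scrubbed"
else
    echo "WARNING: iter-scrub-promiscuous is set to no; cache poisoning mitigation disabled"
fi
rm -f "$sample"
```

On a live host, `unbound-checkconf -o iter-scrub-promiscuous` prints the value the daemon actually uses, including settings pulled in through include: directives, and should be preferred over parsing the file by hand.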
For Debian 10 buster, this problem has been fixed in version 1.9.0-2+deb10u7.
We recommend that you upgrade your unbound packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.