Poisoning the Phone Book: New BIND and Unbound Flaws Bring DNS Cache Attacks Back Into Focus

Why this matters

DNS cache poisoning isn’t a history lesson—it’s a live risk that can invisibly reroute users and systems to attacker-controlled infrastructure. Fresh bugs in two major recursive resolver implementations—BIND and Unbound—show how old attack patterns resurface when randomness, validation, or protocol corner cases break down. Patching windows and DNSSEC coverage still vary widely in the real world, so defenders should treat this as a priority maintenance event.

What’s new

Internet Systems Consortium (ISC) shipped updates to BIND 9 addressing high-severity flaws including two cache-poisoning issues—CVE-2025-40780 (predictable PRNG enabling source-port and query-ID prediction) and CVE-2025-40778 (over-accepting records in answers)—both rated CVSS 8.6. ISC says the fixes land in 9.18.41, 9.20.15, and 9.21.14, with guidance to upgrade as soon as possible. The vendor reported no known in-the-wild exploitation at the time of publication; all three defects affect resolvers rather than authoritative servers.

Separately, NLnet Labs released Unbound 1.24.1 to fix CVE-2025-11411, part of a cluster of multi-vendor cache-poisoning conditions affecting caching resolvers for non-DNSSEC data paths. NLnet Labs’ advisory emphasizes potential domain hijacking risks in vulnerable configurations.

Context from recent research and history rounds out the picture. Large-scale reviews and academic work have shown how cache poisoning keeps “finding a way,” especially when resolvers accept extraneous data or where entropy defenses degrade. Recent coverage recaps how these issues echo post-2008 Kaminsky-era mitigations—and why they still matter.

Risk and likely impact

Enterprises running on-prem resolvers (including branch office stacks and DNS forwarders embedded in appliances) face the classic “silent detour”: a poisoned cache can send browsers, automated updaters, and service-to-service calls to the wrong place, and TLS does not always raise a warning (consider certificate mis-issuance, wildcard SANs, or lookalike domains). SecurityWeek’s write-up underscores the practical exploit surface: predictability in source-port and transaction-ID selection plus overly lenient record handling gives attackers a viable race to land spoofed replies before the genuine answer arrives.

What to do now

Upgrade immediately to BIND 9.18.41/9.20.15/9.21.14 (or the corresponding Supported Preview editions) and Unbound 1.24.1. Validate that package and container baselines pick up these versions rather than pinning older tags. Where feasible, enforce DNSSEC validation to narrow the reach of attacks against unsigned data, and review any EDNS Client Subnet (ECS) usage because ECS has been linked to multi-vendor poisoning risks in specific configurations. Track related CVEs such as the “Rebirthday” ECS poisoning vector in your vulnerability registers so you can spot lateral exposure across resolver fleets.

Operational checkpoints

Confirm recursive resolvers are actually validating DNSSEC (not just “enabled” in config), ensure 0x20 case randomization and query minimization are on, and avoid custom PRNG tweaks that weaken entropy. If you rely on embedded resolvers in security tools, SD-WAN gear, or container stacks, ask vendors for build numbers incorporating the fixed versions. For teams wanting a deeper dive into prevention systems and attack history, recent USENIX work provides helpful background on why these bugs keep reappearing and how defense-in-depth should evolve.
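To make the entropy and record-acceptance points above concrete (the race described under “Risk and likely impact” and the 0x20 checkpoint here), this added example, which is not code from ISC, NLnet Labs or the article, sketches the checks a recursive resolver applies to a reply before caching anything: transaction-ID and port match, 0x20 case-preserved question echo, and a bailiwick filter that drops records outside the zone the queried server is authoritative for. Records are simplified (name, type, ttl, rdata) tuples rather than wire format, and all sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Record = Tuple[str, str, int, str]  # (owner name, type, ttl, rdata)

@dataclass
class Query:
    txid: int
    qname: str        # question name with 0x20-randomized case
    src_port: int     # randomized source port the query left from
    bailiwick: str    # zone the queried server is authoritative for

@dataclass
class Response:
    txid: int
    qname: str        # question section as echoed by the responder
    dst_port: int
    records: List[Record] = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def accept(query: Query, resp: Response) -> List[Record]:
    """Return the records safe to cache; [] means the reply is discarded."""
    # A sound PRNG makes txid + port roughly 32 bits an off-path sender
    # must guess; a predictable PRNG collapses that to a winnable race.
    if resp.txid != query.txid or resp.dst_port != query.src_port:
        return []
    # 0x20: the question must come back with exactly the case we sent.
    if resp.qname != query.qname:
        return []
    # Bailiwick: never cache data the responder is not authoritative for,
    # which is the classic defense against over-accepted records.
    return [r for r in resp.records if in_bailiwick(r[0], query.bailiwick)]

def demo() -> Dict[str, List[Record]]:
    """Constructed genuine and spoofed replies to one 0x20-cased query."""
    q = Query(0x1F3A, "wWw.ExAmPle.CoM.", 53721, "example.com.")
    genuine = Response(0x1F3A, "wWw.ExAmPle.CoM.", 53721, [
        ("www.example.com.", "A", 300, "192.0.2.10"),
        ("ns1.example.com.", "A", 3600, "192.0.2.53"),       # in-bailiwick glue
        ("login.bank.example.", "A", 86400, "203.0.113.7"),   # out of bailiwick
    ])
    # Forged reply: right ID and port, but the 0x20 case was not echoed.
    spoofed = Response(0x1F3A, "www.example.com.", 53721, [
        ("www.example.com.", "A", 300, "203.0.113.9"),
    ])
    return {"genuine": accept(q, genuine), "spoofed": accept(q, spoofed)}
```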

Attribution & sources: ISC/BIND advisory coverage and version specifics (SecurityWeek). NLnet Labs Unbound 1.24.1 security release. Supplemental analysis on BIND CVE-2025-40778 and historical/academic context for cache poisoning and ECS-related issues.