"The DNS query id generation is vulnerable to analysis which provides a
high chance of guessing the next query id. This can be used to perform
cache poisoning by an attacker."

All users are encouraged to upgrade.

II. Impact

A remote attacker could predict DNS query IDs and respond with arbitrary
answers, thus poisoning DNS caches.
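The following is an added defender-side check, not part of this advisory or of ISC's code. It takes the 16-bit transaction IDs a resolver used for a run of consecutive outgoing queries (gathered beforehand from a packet capture or resolver log; that collection step is outside the script) and reports simple signs of a weak generator: a dominant constant stride between successive IDs, few distinct values, or ID bits that never change. The thresholds and the three sample sequences are constructed for illustration; the heuristics are deliberately simpler than the statistical analysis the advisory refers to, so a clean result here does not prove a generator is strong, but a flagged result is a reason to test further or upgrade.

```python
"""Heuristic check of DNS transaction-ID (query-ID) unpredictability.

Added example (not ISC code). Input: the IDs a resolver used for
consecutive outgoing queries, collected separately. Thresholds below
are illustrative assumptions, not a standard.
"""
from collections import Counter
import random

ID_SPACE = 1 << 16  # DNS transaction IDs are 16-bit


def most_common_stride(ids):
    """Return (stride, fraction of consecutive pairs showing that stride)."""
    if len(ids) < 2:
        return None, 0.0
    deltas = Counter((b - a) % ID_SPACE for a, b in zip(ids, ids[1:]))
    stride, count = deltas.most_common(1)[0]
    return stride, count / (len(ids) - 1)


def varying_bits(ids):
    """Number of the 16 ID bits that take both values somewhere in the sample."""
    ones = [0] * 16
    for qid in ids:
        for bit in range(16):
            if (qid >> bit) & 1:
                ones[bit] += 1
    return sum(1 for c in ones if 0 < c < len(ids))


def assess_query_ids(ids, stride_threshold=0.2, min_distinct_ratio=0.9):
    """Summarise predictability indicators for a sequence of query IDs."""
    if not ids:
        raise ValueError("need at least one ID")
    if any(not 0 <= q < ID_SPACE for q in ids):
        raise ValueError("IDs must be 16-bit values")
    stride, stride_frac = most_common_stride(ids)
    distinct_ratio = len(set(ids)) / len(ids)
    bits = varying_bits(ids)
    reasons = []
    if stride_frac > stride_threshold:
        reasons.append(f"{stride_frac:.0%} of consecutive IDs differ by {stride}")
    if distinct_ratio < min_distinct_ratio:
        reasons.append(f"only {distinct_ratio:.0%} of IDs are distinct")
    if bits < 16:
        reasons.append(f"only {bits} of 16 ID bits ever change")
    return {
        "stride": stride,
        "stride_fraction": stride_frac,
        "distinct_ratio": distinct_ratio,
        "varying_bits": bits,
        "predictable": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples (not real captures).
SEQUENTIAL_IDS = [(1000 + i) % ID_SPACE for i in range(200)]  # counter-style generator
_rng = random.Random(2007)
RANDOM_IDS = [_rng.getrandbits(16) for _ in range(512)]  # stand-in for a sound generator
NARROW_IDS = [q & 0x7FFF for q in RANDOM_IDS]  # top bit stuck at zero: 15-bit effective space

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_IDS),
                         ("random", RANDOM_IDS),
                         ("narrow", NARROW_IDS)):
        result = assess_query_ids(sample)
        verdict = "PREDICTABLE" if result["predictable"] else "no obvious weakness"
        print(f"{name:<10} {verdict}: {'; '.join(result['reasons']) or '-'}")
```

Each indicator maps to a distinct way an attacker's guessing space shrinks: a constant stride means the next ID follows from the last one, repeated values mean the generator cycles, and stuck bits halve the space per bit. A resolver whose IDs pass all three checks can still be weak in subtler ways, which is why the advisory's remedy is the patched version or BIND 9 rather than any measurement.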

III. Solution

Upgrade or Patch

This issue is addressed in ISC BIND 8.4.7-P1, available as a patch that
can be applied to BIND 8.4.7.

The more definitive solution is to upgrade to BIND 9. BIND 8 is being
declared "end of life" by ISC due to multiple architectural issues.
Please see ISC's website at for
additional information and tools.

Note that BIND 8.x.x is End of Life as of August 2007.

Users who obtain BIND 8 from their operating system vendor should see
the systems affected portion of this document for a partial list of
affected vendors.


Thanks to Amit Klein from Trusteer ( for
reporting this.

