CVE-2012-1033 (Ghost domain names) mitigation

Chris Thompson cet1 at
Thu Feb 9 15:48:47 UTC 2012

On Feb 9 2012, Peter Andreev wrote:

>2012/2/9 John Hascall <john at>
>> (2) It also looks like restarting bind flushes the cache
>>    and that prevents the repopulation of the local cache
>>    with names which are ghosts (new different ghost names
>>    could, of course, be created).    Is this correct?
>AFAIK 'rndc flush' will do the same.

If you know the domain name in question, "rndc flushname ghost.example"
should be enough. (BIND 9.9 has "rndc flushtree" as well, but I think
clobbering the cached NS records for the ghost domain should be enough.)

Chris Thompson
Email: cet1 at
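An added example, not part of the original message: a POSIX shell sketch that runs the "rndc flushname" step for a list of known ghost domains and confirms with a non-recursive query that no NS records for each name are still answered from cache. It assumes rndc is already configured for the local resolver, that dig is installed and that the resolver listens on 127.0.0.1; the function names and the RNDC, DIG and RESOLVER override variables are hypothetical.

```shell
#!/bin/sh
# Assumptions (not from the original message): rndc can reach the local
# named, dig is installed, and the resolver answers on 127.0.0.1.
# RNDC, DIG and RESOLVER are hypothetical override hooks.
RNDC=${RNDC:-rndc}
DIG=${DIG:-dig}
RESOLVER=${RESOLVER:-127.0.0.1}

# cached_ns NAME
# Print the NS targets the resolver returns for NAME without recursing,
# i.e. only what is already in its cache. Records owned by a parent zone
# (a referral) are ignored; only records owned by NAME itself count.
cached_ns() {
    $DIG +norecurse +noall +answer +authority "@$RESOLVER" "$1" NS 2>/dev/null |
        awk -v n="$1" 'BEGIN { n = tolower(n); sub(/\.$/, "", n) }
            { o = tolower($1); sub(/\.$/, "", o)
              if ($4 == "NS" && o == n) print $5 }'
}

# flush_ghost NAME...
# Flush each name from the cache and report whether its NS records are gone.
# Returns non-zero if any flush failed or any NS records were still cached.
flush_ghost() {
    fg_rc=0
    for fg_name in "$@"; do
        fg_before=$(cached_ns "$fg_name")
        $RNDC flushname "$fg_name" || {
            echo "$fg_name: rndc flushname failed" >&2
            fg_rc=1
            continue
        }
        fg_after=$(cached_ns "$fg_name")
        if [ -n "$fg_after" ]; then
            echo "$fg_name: NS still cached after flush: $fg_after" >&2
            fg_rc=1
        elif [ -n "$fg_before" ]; then
            echo "$fg_name: cached NS records removed"
        else
            echo "$fg_name: no NS records were cached"
        fi
    done
    return $fg_rc
}

# Usage: flush_ghost ghost.example another-ghost.example
```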
