Questions about CVE-2024-11187

[Laszlo Szollosi]

Hi Everyone,

I'm hoping I can get some insight about the vulnerability mentioned above.
We had been running BIND 9.20.4 in our infrastructure, and upgraded to
9.20.6 just recently.
CVE-2024-12705 does not apply to our setup, yet we have a suspicion that we
were impacted by CVE-2024-11187, but cannot confirm it.

The symptoms we experienced were a sudden increase in CPU utilization that
stayed high, which I mean way higher than usual, but BIND didn't stop
working.
We couldn't find anything unusual in our logs.
We have 'minimal-responses' set to 'yes' in the BIND config.

My questions are:
- Would the 'minimal-responses' setting prevent CVE-2024-11187 being
exploited, or is it mitigation only?
- Would there be any log messages that indicate the exploitation, any
keywords I should be looking for?
- Could something else have caused such symptoms, other than the
vulnerability? Our DNS servers are open to the internet.

Many thanks in advance. Any help is much appreciated.

Kind Regards,
Laszlo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20250228/8592f59f/attachment.htm>