<div dir="ltr">Hi Petr,<br><br>Many thanks for your response.<br>By mitigation, I mean we have seen an increase in resource utilization, but it would have been much worse without the 'minimal-responses' setting (reduced impact).<br>By prevention, I mean we would not have had the impact at all.<br>By a spike, I mean the CPU utilization jumps, and then falls. That is not what we experienced. We had the resource consumption continuously for 3 hours on our first incident.<br>The second time it happened it stopped after we upgraded BIND.<br><br>We have seen a lot of this message in our logs:<br>21-Feb-2025 16:09:00.985 database: error: error adding '<a href="http://s1.gmslb.net/A">s1.gmslb.net/A</a>' in './IN' (cache): too many records (must not exceed 100)<br>with the domain '<a href="http://s1.gmslb.net">s1.gmslb.net</a>'.<br>These log messages completely disappeared right after the upgrade.<br><br>Below you can find what I can share what's in the config. Everything else is confidential or just log settings.<br>Hope it helps.<br><br>Kind Regards,<br>Laszlo<br><br>//<br>// BIND 9 options fragment<br>//<br><br>options {<br> directory "/var/cache/bind";<br> pid-file "/var/run/named/named.pid";<br> random-device "/dev/urandom";<br> version none;<br> check-names master ignore;<br> check-names response ignore;<br> check-names slave ignore;<br> minimal-responses yes;<br> listen-on { any; };<br> listen-on-v6 { any; };<br> querylog no;<br> max-cache-size 75%;<br> dnssec-validation auto;<br> allow-transfer { none; };<br> allow-recursion { valid-clients; };<br> allow-query { valid-clients; };<br> blackhole {<br> !valid-clients;<br> };<br> tcp-clients 4096;<br> recursive-clients 16384;<br> clients-per-query 0;<br> max-clients-per-query 0;<br> auth-nxdomain yes;<br> notify no;<br> transfers-per-ns 16;<br> empty-zones-enable yes;<br>};<br><br>//<br>// BIND 9 statistics fragment<br>//<br><br>statistics-channels {<br> inet 127.0.0.1 port 8080 allow { localhost; };<br> inet ::1 port 8080 allow { localhost; };<br>};<br><div><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, 3 Mar 2025 at 08:59, Petr Špaček <<a href="mailto:pspacek@isc.org">pspacek@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 28. 02. 25 14:23, Laszlo Szollosi wrote:<br>
> I'm hoping I can get some insight about the vulnerability mentioned above.<br>
> We had been running BIND 9.20.4 in our infrastructure, and upgraded to <br>
> 9.20.6 just recently.<br>
> CVE-2024-12705 does not apply to our setup, yet we have a suspicion that <br>
> we were impacted by CVE-2024-11187, but cannot confirm it.<br>
> <br>
> The symptoms we experienced were a sudden increase in CPU utilization <br>
> that stayed high, which I mean way higher than usual, but BIND didn't <br>
> stop working.<br>
> We couldn't find anything unusual in our logs.<br>
> We have 'minimal-responses' set to 'yes' in the BIND config.<br>
> <br>
> My questions are:<br>
> - Would the 'minimal-responses' setting prevent CVE-2024-11187 being <br>
> exploited, or is it mitigation only?<br>
You lost me there. What's the difference between the two options - <br>
mitigation vs. "prevention"?<br>
<br>
It also depends on your setup. We don't know enough about your setup to <br>
judge impact of 'minimal-responses' option. Maybe we could if you share <br>
your config file.<br>
<br>
> - Would there be any log messages that indicate the exploitation, any <br>
> keywords I should be looking for?<br>
Generally no for this CVE.<br>
<br>
> - Could something else have caused such symptoms, other than the <br>
> vulnerability? Our DNS servers are open to the internet.<br>
Generally yes, there is many things which can cause CPU utilization <br>
spikes. Again, hard to tell without deeper understanding of your setup.<br>
<br>
-- <br>
Petr Špaček<br>
Internet Systems Consortium<br>
</blockquote></div>