
Developers behind BIND, the leading software for domain name resolution, have issued a serious alert regarding two critical vulnerabilities that could enable attackers to corrupt DNS caches and lead users to malicious sites that mimic legitimate ones. The vulnerabilities, identified as CVE-2025-40778 and CVE-2025-40780, arise from a logic flaw and a deficiency in pseudo-random number generation, and both are rated at a severity of 8.6. In a related discovery, the creators of the Unbound DNS resolver software have reported similar vulnerabilities affecting their system, with a lower severity score of 5.6.

These flaws could allow malicious actors to manipulate DNS resolvers within countless organizations, substituting valid domain lookup results with harmful ones. For instance, a user attempting to access a legitimate website could be redirected to a site controlled by an attacker. Patches addressing all three vulnerabilities were released on Wednesday.

This situation echoes the notable DNS cache poisoning issue revealed by researcher Dan Kaminsky in 2008, which exposed users to potential threats from counterfeit websites of major organizations like Google and Bank of America. At that time, a coordinated global effort among DNS providers and browser developers led to the implementation of crucial fixes that mitigated the risk of widespread attacks.

The root of the problem lies in DNS's use of UDP packets, which are sent unidirectionally, making it impossible for DNS resolvers to authenticate their communications. This design flaw renders UDP traffic easily spoofable, allowing attackers to send packets that appear to originate from legitimate sources, increasing the risk of DNS cache poisoning.
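The following added example (not code from BIND, Unbound or the article) sketches the reply-matching check a resolver performs because UDP gives it nothing else to authenticate with. A forged packet can carry any source address, so the randomly chosen query ID and local port do the real work, which is why a weak pseudo-random number generator matters. The class, function names and addresses are hypothetical and the traffic is constructed.

```python
import struct
from collections import Counter

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_packet(txid, name, is_response):
    """Build a minimal DNS message: 12-byte header plus one A/IN question."""
    flags = 0x8180 if is_response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

class PendingQueries:
    """Outstanding queries; a reply is accepted only if every field matches."""
    def __init__(self):
        self.pending = {}            # (server, local_port, txid) -> question bytes
        self.rejected = Counter()    # local_port -> rejected reply count

    def sent(self, server, local_port, packet):
        txid = struct.unpack("!H", packet[:2])[0]
        self.pending[(server, local_port, txid)] = packet[12:]

    def accept(self, src, local_port, packet):
        if len(packet) >= 12:
            txid, flags = struct.unpack("!HH", packet[:4])
            key = (src, local_port, txid)
            question = self.pending.get(key)
            if flags & 0x8000 and question and packet[12:].startswith(question):
                del self.pending[key]   # one reply per query; later copies fail
                return True
        self.rejected[local_port] += 1  # a burst of rejects suggests spoofing
        return False

def demo():
    """Constructed traffic: one real query, three forged replies, one genuine."""
    server, port = ("192.0.2.53", 53), 40000
    q = PendingQueries()
    q.sent(server, port, make_packet(0x1A2B, "example.com", False))
    results = [
        q.accept(server, port, make_packet(0x0001, "example.com", True)),  # wrong ID
        q.accept(("198.51.100.9", 53), port,
                 make_packet(0x1A2B, "example.com", True)),                # wrong source
        q.accept(server, port, make_packet(0x1A2B, "example.org", True)),  # wrong question
        q.accept(server, port, make_packet(0x1A2B, "example.com", True)),  # genuine
        q.accept(server, port, make_packet(0x1A2B, "example.com", True)),  # duplicate
    ]
    return results, q.rejected[port]
```

A rising count of rejected replies on a port with an outstanding query is a useful detection signal for poisoning attempts against a resolver.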