BIND 9 CVE-2025-40778: Brief Summary of a High-Impact DNS Cache Poisoning Vulnerability

This post offers a brief summary of CVE-2025-40778, a high-severity DNS cache poisoning vulnerability in BIND 9. It covers affected versions, technical root cause, and vendor context, with references to official advisories and research.
CVE Analysis

12 min read

ZeroPath CVE Analysis

2025-10-22

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

DNS cache poisoning attacks can silently redirect users and systems to attacker-controlled infrastructure, undermining the integrity of internet communications. The latest high-severity flaw in BIND 9, CVE-2025-40778, exposes a wide range of recursive resolvers to remote cache poisoning by allowing forged DNS records to be injected into the cache under specific conditions. This vulnerability is significant due to the ubiquity of BIND in enterprise and service provider environments, where it serves as the backbone for DNS resolution.

About BIND and ISC: BIND (Berkeley Internet Name Domain) is the most widely deployed DNS server software worldwide, maintained by the Internet Systems Consortium (ISC). ISC is a nonprofit organization with a long-standing role in DNS protocol development and security. BIND powers critical infrastructure for ISPs, enterprises, and governments, making vulnerabilities in this software highly impactful across the global internet.

Technical Information

CVE-2025-40778 is rooted in BIND 9's handling of unsolicited resource records (RRs) in DNS responses. When a recursive resolver queries an authoritative nameserver, the response may contain not only the requested answer but also additional records in the authority and additional sections. Proper DNS implementation requires strict validation of these records, ensuring only those relevant and within the expected bailiwick (zone of authority) are accepted into the cache.

In affected BIND 9 versions, the resolver is too lenient in accepting records from answers. Specifically, it may cache resource records that were not explicitly solicited by the original query. This behavior violates the principle of bailiwick checking, which is designed to prevent nameservers from injecting data for domains outside their authority. The vulnerability is classified under CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data.

The technical flaw allows an attacker who can influence DNS responses—either by running a malicious authoritative nameserver or by intercepting resolver traffic—to inject forged records into the cache. Once poisoned, the resolver will return the attacker's data for subsequent queries until the cache entry expires or is flushed. This can facilitate redirection to malicious sites, interception of sensitive data, or denial of legitimate services.

No code snippets or internal implementation details have been published in public sources as of this writing. The vulnerability affects only recursive resolver configurations; authoritative-only BIND servers are not impacted unless they are also performing recursion.
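Because no BIND internals are public, the following is an added illustration (not ISC's code) of the two checks the text describes: a resolver should cache a record only if it lies inside the responding server's zone of authority (bailiwick) and was actually solicited by the query, meaning the answer owner name or a CNAME target reached from it, referral NS/SOA records for an in-bailiwick zone, and A/AAAA glue only for NS names the same response referred to. The `RR`/`Response` types, the `filter_cacheable` policy and the sample response are constructed for this example; the sample uses RFC 2606/5737 reserved names and addresses.

```python
"""Strict bailiwick and solicitation filter for DNS response sections.

Added example, not BIND's implementation. It models the policy the text
describes: cache only records that are (a) inside the responding server's
bailiwick and (b) solicited by the query or by a referral in the response.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.com."
    rtype: str   # record type: "A", "AAAA", "NS", "SOA", "CNAME", ...
    rdata: str   # record data in presentation form


@dataclass
class Response:
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def _norm(name: str) -> str:
    """Lower-case with exactly one trailing dot so comparisons are label-exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or is a proper subdomain of it (label boundary)."""
    n, z = _norm(name), _norm(zone)
    if z == ".":
        return True  # the root zone's bailiwick is every name
    return n == z or n.endswith("." + z)


def filter_cacheable(resp: Response, server_zone: str):
    """Split a response into (accepted, rejected).

    rejected holds (section, rr, reason) tuples so a resolver can log what it
    refused; accepted is the list of records safe to insert into the cache.
    """
    accepted, rejected = [], []
    allowed_owners = {_norm(resp.qname)}   # names a record may legitimately answer for
    ns_targets = set()                      # NS hostnames for which glue is solicited

    # 1. Answer section: owner must be the query name or a CNAME target reached from it.
    for rr in resp.answer:
        owner = _norm(rr.name)
        if not in_bailiwick(owner, server_zone):
            rejected.append(("answer", rr, "out-of-bailiwick"))
        elif owner not in allowed_owners:
            rejected.append(("answer", rr, "unsolicited owner name"))
        else:
            accepted.append(rr)
            if rr.rtype == "CNAME":
                allowed_owners.add(_norm(rr.rdata))
            elif rr.rtype == "NS":
                ns_targets.add(_norm(rr.rdata))

    # 2. Authority section: only NS/SOA for a zone inside the server's bailiwick.
    for rr in resp.authority:
        if rr.rtype not in ("NS", "SOA"):
            rejected.append(("authority", rr, "unexpected type in authority"))
        elif not in_bailiwick(rr.name, server_zone):
            rejected.append(("authority", rr, "out-of-bailiwick"))
        else:
            accepted.append(rr)
            if rr.rtype == "NS":
                ns_targets.add(_norm(rr.rdata))

    # 3. Additional section: only A/AAAA glue for NS names this response referred to.
    for rr in resp.additional:
        if rr.rtype not in ("A", "AAAA"):
            rejected.append(("additional", rr, "unexpected type in additional"))
        elif not in_bailiwick(rr.name, server_zone):
            rejected.append(("additional", rr, "out-of-bailiwick"))
        elif _norm(rr.name) not in ns_targets:
            rejected.append(("additional", rr, "glue not referenced by an accepted NS"))
        else:
            accepted.append(rr)
    return accepted, rejected


# Constructed sample: a response from a server authoritative for example.com
# that mixes legitimate data with the kinds of extraneous records CWE-349 covers.
SAMPLE = Response(
    qname="www.example.com.", qtype="A",
    answer=[RR("www.example.com.", "A", "192.0.2.10"),
            RR("other.example.com.", "A", "192.0.2.11")],         # not asked for
    authority=[RR("example.com.", "NS", "ns1.example.com.")],
    additional=[RR("ns1.example.com.", "A", "192.0.2.1"),         # legitimate glue
                RR("mail.example.com.", "A", "192.0.2.99"),       # in-bailiwick, unsolicited
                RR("login.bank.example.", "A", "198.51.100.7")],  # outside bailiwick
)


def demo():
    """Run the filter over the constructed sample; returns (accepted, rejected)."""
    return filter_cacheable(SAMPLE, "example.com.")


if __name__ == "__main__":
    acc, rej = demo()
    for rr in acc:
        print("CACHE", rr)
    for section, rr, why in rej:
        print("DROP ", section, rr, "->", why)
```

Of the six records in the sample, only the queried A record, the referral NS record and its glue survive; the other three are dropped with a reason a resolver could log, which is also the signal a defender would alert on when one upstream server repeatedly sends out-of-bailiwick or unsolicited data.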

Affected Systems and Versions

CVE-2025-40778 affects the following BIND 9 versions:

  • 9.11.0 through 9.16.50
  • 9.18.0 through 9.18.39
  • 9.20.0 through 9.20.13
  • 9.21.0 through 9.21.12
  • 9.11.3-S1 through 9.16.50-S1
  • 9.18.11-S1 through 9.18.39-S1
  • 9.20.9-S1 through 9.20.13-S1

Only recursive resolver configurations are affected. Authoritative-only servers are not vulnerable unless recursion is enabled.

Fixed versions are:

  • 9.18.41
  • 9.20.15
  • 9.21.14
  • 9.18.41-S1
  • 9.20.15-S1

No workarounds are available. Immediate upgrade is required.
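A fleet triage script, added here as an example and not an ISC tool, that turns the version ranges and the recursion condition above into a per-host verdict. It reads the version from `named -v` style output and an explicit `recursion yes|no;` statement from a named.conf fragment; the hostnames, version strings and configuration fragments in `INVENTORY` are constructed sample data. Versions outside every range listed on this page are reported as `not-listed` rather than guessed at.

```python
"""Triage BIND hosts against the CVE-2025-40778 ranges on this page.

Added example, not an ISC tool. Ranges and the recursion condition come from
the advisory summary above; the inventory below is constructed sample data.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges: (edition, first, last). "" = open source, "-S1" = subscription.
AFFECTED = [
    ("",    (9, 11, 0),  (9, 16, 50)),
    ("",    (9, 18, 0),  (9, 18, 39)),
    ("",    (9, 20, 0),  (9, 20, 13)),
    ("",    (9, 21, 0),  (9, 21, 12)),
    ("-S1", (9, 11, 3),  (9, 16, 50)),
    ("-S1", (9, 18, 11), (9, 18, 39)),
    ("-S1", (9, 20, 9),  (9, 20, 13)),
]
FIXED = {
    ("", (9, 18, 41)), ("", (9, 20, 15)), ("", (9, 21, 14)),
    ("-S1", (9, 18, 41)), ("-S1", (9, 20, 15)),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(-S\d+)?\b")
RECURSION_RE = re.compile(r"\brecursion\s+(yes|no)\s*;", re.IGNORECASE)


def parse_version(named_v: str) -> Tuple[str, Version]:
    """Return (edition, (major, minor, patch)) from a 'named -v' style string."""
    m = VERSION_RE.search(named_v)
    if not m:
        raise ValueError(f"no BIND version found in {named_v!r}")
    return (m.group(4) or ""), tuple(int(x) for x in m.group(1, 2, 3))


def version_status(named_v: str) -> str:
    """'fixed', 'affected', or 'not-listed' (outside every range on this page)."""
    edition, ver = parse_version(named_v)
    if (edition, ver) in FIXED:
        return "fixed"
    for ed, lo, hi in AFFECTED:
        if ed == edition and lo <= ver <= hi:
            return "affected"
    return "not-listed"


def recursion_enabled(named_conf: str) -> Optional[bool]:
    """True/False for an explicit 'recursion yes|no;', None when the fragment is silent."""
    m = RECURSION_RE.search(named_conf)
    if not m:
        return None
    return m.group(1).lower() == "yes"


def triage(named_v: str, named_conf: str) -> str:
    """Combine version and configuration into one verdict string."""
    status = version_status(named_v)
    if status != "affected":
        return status
    if recursion_enabled(named_conf) is False:
        # Advisory: authoritative-only servers are not exposed unless recursion is enabled.
        return "affected-version-no-recursion"
    # Explicit 'recursion yes;' or no statement at all: treat as recursive (conservative).
    return "patch-now"


# Constructed inventory: (host, `named -v` output, named.conf fragment).
INVENTORY = [
    ("ns-resolver-1", "BIND 9.18.39 (Extended Support Version)",     "options { recursion yes; };"),
    ("ns-auth-1",     "BIND 9.20.13-S1 (Supported Preview Version)", "options { recursion no; };"),
    ("ns-resolver-2", "BIND 9.20.15 (Stable Release)",               "options { recursion yes; };"),
    ("ns-legacy",     "BIND 9.11.37 (Extended Support Version)",     "options { };"),
]


def triage_inventory():
    """Return [(host, verdict), ...] for the constructed inventory."""
    return [(host, triage(v, conf)) for host, v, conf in INVENTORY]


if __name__ == "__main__":
    for host, verdict in triage_inventory():
        print(f"{host:16} {verdict}")
```

Note the boundaries the page leaves open: 9.18.40 and 9.20.14, for instance, fall in neither list, so the script reports them as `not-listed` and a practitioner should check the ISC advisory directly rather than assume either way.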

Vendor Security History

The Internet Systems Consortium (ISC) has a long history of addressing DNS security issues in BIND. Previous notable vulnerabilities include:

  • The Kaminsky bug (2008), a landmark DNS cache poisoning flaw
  • MAGINOTDNS (2023), which exploited inconsistencies in bailiwick checking
  • Multiple logic and validation errors in DNS response handling

ISC maintains a detailed vulnerability matrix and issues timely advisories. Their response to CVE-2025-40778 followed responsible disclosure, with patches released for all supported branches. ISC's maturity in vulnerability response is reflected in their transparent communication and ongoing security research collaborations.
