Introduction
Attackers can poison DNS caches on vulnerable BIND 9 servers by predicting the source port and query ID used for outgoing queries. This undermines the primary defense against DNS spoofing, exposing organizations to redirection, credential theft, and service disruption. BIND 9 is a widely deployed DNS server maintained by the Internet Systems Consortium (ISC), used by ISPs, enterprises, and public DNS providers globally. Its security posture directly impacts internet reliability and trust.
Technical Information
CVE-2025-40780 is a vulnerability in the pseudo-random number generator (PRNG) that BIND 9 uses to select the source port and query ID for outgoing DNS queries. These two values are the core entropy sources that protect DNS resolvers from cache poisoning attacks. The vulnerability occurs because, under certain operational circumstances, the PRNG produces values that are predictable to an attacker. If an attacker can observe or infer the PRNG state or output, they can anticipate the next source port and query ID that BIND will use for a query. This allows the attacker to craft forged DNS responses that match the expected parameters, which the resolver will then accept and cache.
This issue is classified as CWE-341 (Predictable from Observable State). The root cause is insufficient entropy or a PRNG design that allows output prediction based on observable state. No public code snippets or detailed code-level advisories are available. The impact is that the effective entropy for DNS query validation is reduced or eliminated, making cache poisoning feasible with a practical number of forged responses.
Affected Systems and Versions
The following BIND 9 versions are affected:
- 9.16.0 through 9.16.50
- 9.18.0 through 9.18.39
- 9.20.0 through 9.20.13
- 9.21.0 through 9.21.12
- 9.16.8-S1 through 9.16.50-S1 (Supported Preview Edition)
- 9.18.11-S1 through 9.18.39-S1 (Supported Preview Edition)
- 9.20.9-S1 through 9.20.13-S1 (Supported Preview Edition)
Any BIND 9 resolver configured to use the affected PRNG implementation is vulnerable. There are no indications that authoritative-only configurations are affected, but all recursive and forwarding resolver deployments in these version ranges should be considered at risk.
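The version ranges above are the main thing a defender has to act on, and checking them by hand across a fleet is error-prone (the Supported Preview Edition ranges start later than the standard ones, and distribution packages append their own suffixes). The following script is an added example, not code from ISC or from this advisory: it parses a bare version string or the banner printed by `named -v` and reports whether it falls inside one of the listed ranges. The sample banners are constructed for illustration. A match only means the version string is in the affected range; vendor packages that backport the fix keep the old version number, so confirm against the distribution's own advisory before treating a host as patched or unpatched.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Affected version ranges exactly as listed in the advisory for CVE-2025-40780.
# Each entry: (edition, inclusive lowest version, inclusive highest version).
# Edition "" is the standard release line; "S1" is the Supported Preview Edition.
AFFECTED_RANGES = [
    ("",   (9, 16, 0),  (9, 16, 50)),
    ("",   (9, 18, 0),  (9, 18, 39)),
    ("",   (9, 20, 0),  (9, 20, 13)),
    ("",   (9, 21, 0),  (9, 21, 12)),
    ("S1", (9, 16, 8),  (9, 16, 50)),
    ("S1", (9, 18, 11), (9, 18, 39)),
    ("S1", (9, 20, 9),  (9, 20, 13)),
]

# Matches "major.minor.patch" followed by an optional "-S1" edition tag.
# Distribution suffixes such as "-0ubuntu0.24.04.2" are deliberately ignored;
# they do not change which ISC release line the build is based on.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(S1))?")


class BindVersion(NamedTuple):
    numbers: Tuple[int, int, int]
    edition: str  # "" for standard releases, "S1" for Supported Preview Edition


def parse_version(text: str) -> Optional[BindVersion]:
    """Extract the BIND version from a bare version string or from 'named -v' output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    numbers = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return BindVersion(numbers, m.group(4) or "")


def is_affected(text: str) -> Optional[bool]:
    """True if the version is inside an affected range, False if outside, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    # Tuple comparison gives correct numeric ordering (9.18.9 < 9.18.39).
    return any(ed == v.edition and lo <= v.numbers <= hi
               for ed, lo, hi in AFFECTED_RANGES)


# Constructed 'named -v' style banners (hypothetical hosts, not real systems).
SAMPLE_BANNERS: Dict[str, str] = {
    "ubuntu-resolver": "BIND 9.18.30-0ubuntu0.24.04.2-Ubuntu (Extended Support Version) <id:>",
    "preview-edition": "BIND 9.18.39-S1 (Supported Preview Version) <id:>",
    "beyond-range":    "BIND 9.20.14 (Stable Release) <id:>",
    "old-preview":     "BIND 9.16.7-S1 (Supported Preview Version) <id:>",
    "unparseable":     "named: command not found",
}


def classify_all(banners: Dict[str, str] = SAMPLE_BANNERS) -> Dict[str, Optional[bool]]:
    """Run the range check over a host-name -> banner mapping."""
    return {host: is_affected(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    labels = {True: "IN AFFECTED RANGE", False: "outside listed ranges", None: "could not parse"}
    for host, verdict in classify_all().items():
        print(f"{host:16s} {labels[verdict]}")
```

Feed it the output of `named -v` from each resolver (for example via your configuration management tool) and triage the hosts marked as in range first; the standard and S1 lines are compared separately because, as the advisory lists them, their lower bounds differ.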
Vendor Security History
BIND 9, maintained by ISC, has a long history of security research and vulnerability disclosures. Previous high-profile issues include cache poisoning (Kaminsky bug), denial of service via malformed DNS packets, and protocol implementation flaws. ISC typically responds rapidly with advisories and patches, and their security advisories are detailed and actionable. The vendor is considered mature in vulnerability response.