Critical DNS Cache Poisoning Flaws Patched in BIND, the Internet's Most Widely Used DNS Server
The Internet Systems Consortium (ISC) has released emergency security updates for BIND 9, addressing three serious vulnerabilities that could allow attackers to poison DNS caches and redirect users to malicious websites—or simply knock DNS servers offline.
Two of the flaws enable cache poisoning attacks that undermine protections established nearly two decades ago following landmark research by the late security researcher Dan Kaminsky. The vulnerabilities affect DNS resolvers—the servers that process lookup requests from clients across the internet.
Given BIND's dominant position as the most widely deployed DNS server software on the internet, ISC is urging administrators to apply patches immediately.
Undermining Kaminsky-Era Protections
The most severe vulnerability, CVE-2025-40780 (CVSS score: 8.6), stems from a weakness in the pseudo-random number generator (PRNG) that BIND uses to pick the source port and transaction ID (query ID) of its outgoing queries. Under certain conditions an attacker can predict both values for upcoming queries, which is precisely what an off-path spoofer needs to know.
This prediction capability directly weakens the defenses adopted after Kaminsky's 2008 research exposed how cheaply DNS caches could be poisoned. Before then, a resolver's only unpredictable value was the 16-bit transaction ID, and many resolvers sent every query from a single fixed source port, so an attacker had roughly 65,536 combinations to guess. His work pushed the industry to randomize the source port of each query across thousands of ephemeral ports as well. Combined with the random transaction ID, that raised the search space to roughly four billion combinations, making blind cache poisoning statistically impractical.
The new flaw partially unravels these protections. An attacker who can predict the port and ID only has to land a forged response at the resolver before the genuine one arrives; the resolver then caches the fake data instead of the legitimate answer, potentially redirecting every client of that resolver to attacker-controlled infrastructure.
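The arithmetic behind the paragraphs above, as an added example that is not part of the article and not ISC code: a back-of-the-envelope model of an off-path, Kaminsky-style race. The number of forged replies an attacker can land per race, the 64,511-port ephemeral range and the seed are illustrative assumptions; the point is to see how a predictable source port collapses the search space back to the transaction ID alone.

```python
import math
import random

# Added example (not from the article or from ISC). Numbers are illustrative
# assumptions, not measurements of any real resolver.
TXID_SPACE = 1 << 16          # the DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 64511       # assume ports 1025..65535 are candidate source ports


def guess_space(port_randomized: bool, port_predictable: bool = False) -> int:
    """Number of (source port, TXID) pairs an off-path attacker has to cover.

    port_randomized=False models the pre-2008 single fixed source port.
    port_predictable=True models a PRNG weakness that lets the attacker
    predict the port in advance: the search collapses back to the TXID alone.
    """
    if not port_randomized or port_predictable:
        return TXID_SPACE
    return TXID_SPACE * EPHEMERAL_PORTS


def race_success_probability(space: int, forged_per_race: int) -> float:
    """Chance that one race succeeds when the attacker fires forged_per_race
    replies with distinct (port, TXID) guesses before the real answer lands."""
    return min(1.0, forged_per_race / space)


def poisoning_probability(space: int, forged_per_race: int, races: int) -> float:
    """Chance that at least one of `races` independent races succeeds."""
    p = race_success_probability(space, forged_per_race)
    return 1.0 - (1.0 - p) ** races


def races_for_confidence(space: int, forged_per_race: int, confidence: float = 0.5) -> int:
    """Number of races the attacker needs to reach the given success confidence."""
    p = race_success_probability(space, forged_per_race)
    if p >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def simulate(space: int, forged_per_race: int, races: int, seed: int = 0) -> bool:
    """Monte Carlo version: the resolver draws a uniform (port, TXID) index per
    race, the attacker covers forged_per_race distinct indices. True if poisoned."""
    rng = random.Random(seed)
    for _ in range(races):
        target = rng.randrange(space)
        guesses = rng.sample(range(space), min(forged_per_race, space))
        if target in guesses:
            return True
    return False


if __name__ == "__main__":
    forged = 200  # assumed: forged replies the attacker can land per race
    scenarios = [
        ("fixed source port (pre-Kaminsky)", guess_space(False)),
        ("randomized port, unpredictable PRNG", guess_space(True)),
        ("randomized port, port predictable (CVE-2025-40780-style)", guess_space(True, True)),
    ]
    for label, space in scenarios:
        n = races_for_confidence(space, forged)
        print(f"{label}: search space {space:,}, races for 50% success {n:,}")
```

With 200 forged replies per race the fixed-port and predictable-port cases both need a few hundred races, while the properly randomized case needs on the order of ten million, which is the difference between an attack that finishes in seconds and one that would have to run for a very long time against a resolver that is also being asked to perform the lookups.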
Inadequate Validation Opens Second Attack Vector
The second cache poisoning vulnerability, CVE-2025-40778 (CVSS score: 8.6), stems from BIND being too lenient about which resource records it accepts from a response. Because the resolver does not scrutinize incoming records strictly enough, an attacker who can get a response in front of it can inject fraudulent records directly into the cache.
Once poisoned, the corrupted entry is served for every subsequent query for that name until its TTL expires or the cache is flushed, potentially affecting thousands or millions of downstream clients depending on how many users rely on that resolver.
Denial-of-Service Rounds Out the Trio
The third vulnerability, CVE-2025-8677 (CVSS score: 7.5), is a denial-of-service issue. Specially crafted DNS zones containing malformed DNSKEY records can cause excessive CPU consumption when a resolver processes them, ultimately leaving the server unresponsive to legitimate queries.
While less severe than cache poisoning, DNS unavailability can cripple an organization: if users cannot resolve domain names, every service they reach by name becomes unreachable.
Impact Limited by Complexity and Existing Defenses
ISC emphasized that these vulnerabilities only affect resolvers—servers that process queries from clients. Authoritative DNS servers that hold the official records for domains are not susceptible.
Security experts note that real-world exploitation faces significant hurdles. Red Hat's security team rated CVE-2025-40780 below its Critical tier, citing the high complexity of exploitation: the attacker must spoof responses from the authoritative server and deliver them before the genuine reply, which demands precise timing. Additionally, the flaw compromises cache integrity rather than giving an attacker control of the server itself.
Multiple defense-in-depth measures remain effective. DNSSEC (DNS Security Extensions) lets a validating resolver reject forged records for signed zones, because a spoofed answer cannot carry a valid signature; it offers no protection for zones that are not signed, and only helps if validation is enabled on the resolver. Rate limiting and anti-spoofing filtering at the network edge add further layers. Organizations with these controls properly configured face substantially reduced risk.
Patches Available Now
ISC has released fixes in BIND versions 9.18.41, 9.20.15, and 9.21.14. The commercial BIND Supported Preview Edition has been updated to versions 9.18.41-S1 and 9.20.15-S1.
The consortium strongly urged all administrators to update immediately, warning that organizations running old, unsupported versions should prioritize migration to current releases.
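A quick way to turn the fixed-version list into a check, as an added example rather than an ISC tool: parse the banner printed by `named -v` and compare it against the minimum patched release for each branch named in the advisories. The banner strings below are constructed samples, and the `-S` suffix handling assumes the Supported Preview Edition reports its version as `9.20.15-S1` in that banner.

```python
import re
import subprocess

# Added example, not ISC tooling. Minimum patched release per branch, taken
# from the fixed versions listed in the advisories.
FIXED = {
    (9, 18): 41,
    (9, 20): 15,
    (9, 21): 14,
}

VERSION_RE = re.compile(r"BIND (\d+)\.(\d+)\.(\d+)(-S\d+)?")


def parse_version(banner: str):
    """Extract (major, minor, patch, is_supported_preview) from a named -v banner.
    Returns None if the banner is not recognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def assess(banner: str) -> str:
    """Classify a banner as 'patched', 'vulnerable', 'unsupported-branch' or 'unknown'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, _preview = parsed
    minimum = FIXED.get((major, minor))
    if minimum is None:
        # Branch not in the fix list (for example an EOL 9.16 or 9.11 install):
        # no fixed release exists, so the answer is migration, not a patch.
        return "unsupported-branch"
    return "patched" if patch >= minimum else "vulnerable"


def check_local_named() -> str:
    """Run `named -v` on this host and classify the result; 'unknown' if absent."""
    try:
        out = subprocess.run(["named", "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return assess(out.stdout + out.stderr)


if __name__ == "__main__":
    # Constructed sample banners; the <id:...> field is a placeholder, not a real build id.
    samples = [
        "BIND 9.18.40 (Extended Support Version) <id:0000000>",
        "BIND 9.18.41 (Extended Support Version) <id:0000000>",
        "BIND 9.20.15-S1",
        "BIND 9.21.13",
        "BIND 9.16.50 (Extended Support Version) <id:0000000>",
        "unbound 1.22.0",
    ]
    for s in samples:
        print(f"{s!r}: {assess(s)}")
    print(f"local named: {check_local_named()}")
```

One caveat for anyone running a distribution package: vendors such as Red Hat backport fixes without bumping the upstream version, so a banner like `BIND 9.16.23` on such a system says nothing on its own. For those hosts, check the package changelog or the vendor's advisory rather than the version string.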
Broader DNS Security Concerns
The same research team that discovered the BIND vulnerabilities also identified similar issues in Unbound, another popular DNS resolver. Those flaws were rated CVSS 5.6, a lower severity that suggests they are less readily exploitable.
The coordinated discoveries highlight ongoing security challenges in DNS infrastructure—technology that remains critical to internet functionality despite being designed in an era with vastly different threat models. As DNS servers continue serving as foundational internet infrastructure, they remain high-value targets for attackers seeking to intercept, redirect, or disrupt network traffic at scale.