CVE-2020-8616
📋 TL;DR
CVE-2020-8616 is a flaw in how BIND's recursive resolver follows referrals. When an authoritative server returns a referral naming many nameservers without glue addresses, BIND issued a separate fetch for each nameserver's address without adequately limiting how many such fetches one referral could trigger. An attacker who controls an authoritative server can therefore turn a single client query into a burst of resolver queries, degrading the resolver itself and amplifying traffic toward a victim's authoritative servers. Only BIND 9 servers that perform recursion are exposed; authoritative-only servers do not follow referrals.
💻 Affected Systems
- ISC BIND 9.0.0 through 9.11.18, 9.12.0 through 9.16.2, and 9.17.0 through 9.17.1 (per the ISC advisory), plus products that embed BIND (see the NetApp and Synology advisories in the references)
📦 What is this software?
ISC BIND is the most widely deployed open-source DNS server. Its named daemon can serve zones authoritatively, act as a recursive resolver for clients, or both; only the recursive role matters for this issue.
⚠️ Risk & Real-World Impact
Worst Case
A sustained attack through the resolver reflects a high volume of resolver-generated queries at a victim's authoritative servers while exhausting the resolver's own recursive capacity, denying DNS service both to the victim domain and to every client that depends on the resolver.
Likely Case
Degraded recursive performance under attack: slower resolution and intermittent SERVFAIL or timeouts for legitimate clients, and unwanted query load sent to whichever authoritative server the attacker names in the referral.
If Mitigated
On a patched release the fetch count per referral is bounded, so the amplification is gone; restricting recursion to trusted clients and throttling outbound fetches further limits what an attacker can cause, though a busy resolver may still see some load during an attempt.
🎯 Exploit Status
Known as NXNSAttack; the research paper and a technical description are public at nxnsattack.com. Exploitation needs an attacker-controlled authoritative server for some domain and a way to make the target resolver look up a name in that domain, which any recursive client (or anything that makes one issue a query) provides.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: BIND 9.11.19, 9.14.12, 9.16.3 or later in each branch (9.11.19-S1 for the Supported Preview Edition); the EOL 9.12, 9.13 and 9.15 branches received no fix and must be moved to a supported branch
Vendor Advisory: https://kb.isc.org/docs/cve-2020-8616
Restart Required: Yes
Instructions:
1. Obtain the fixed release: on packaged systems apply the distribution update (apt, dnf or zypper; see the Debian, Ubuntu, Fedora and openSUSE advisories below), otherwise build from the ISC source release.
2. Validate the existing configuration against the new version before switching: named-checkconf -z
3. Stop named, install the update, and start it again. rndc reload is not sufficient; the running binary has to be replaced.
4. Confirm the running version and that recursion still works for clients: rndc status, then dig @127.0.0.1 www.example.com
🔧 Temporary Workarounds
Rate Limiting Configuration
Limit how much work any one client can cause the resolver to do. Note the scope: Response Rate Limiting (RRL) throttles the responses named sends to clients, and max-clients-per-query caps how many clients may wait on the same in-flight lookup. Neither bounds the outbound fetches a malicious referral triggers, so they reduce abuse of the resolver as a reflector rather than remove the flaw.
Add to the options block of named.conf: rate-limit { responses-per-second 10; };
Add to the options block of named.conf: max-clients-per-query 10;
The options that do bound outbound fetches are fetches-per-zone and fetches-per-server (per-zone and per-authoritative-server limits on outstanding fetches); they limit the damage but do not make the unpatched referral handling safe.
Disable Recursion for Unauthorized Clients
Restrict recursion to trusted clients only, so an attacker outside those networks cannot make this server chase a malicious referral at all.
Define the ACL and reference it in named.conf: acl trusted-nets { 192.0.2.0/24; }; and, inside options, allow-recursion { trusted-nets; };
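The workaround settings above assembled into one coherent named.conf fragment for a recursive resolver. This is an added example, not text from the ISC advisory; the ACL name trusted-nets, the address ranges, the directory path and the numeric limits are assumptions to adapt locally. None of it replaces the patched release.

```conf
// Added example: hardening fragment for a recursive named.conf.
// The acl name, the address ranges, the directory and every numeric limit
// below are assumptions. Only the fixed BIND release removes CVE-2020-8616;
// this fragment limits who can make the resolver recurse and how much work
// one source or one referral can cause.

acl trusted-nets {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;        // assumed internal client range
    2001:db8::/32;       // assumed internal client range
};

options {
    directory "/var/cache/bind";   // assumed path

    // Recursion only for trusted clients: an outside attacker cannot use
    // this server to chase a malicious referral unless it spoofs or
    // occupies an internal address.
    recursion yes;
    allow-recursion { trusted-nets; };
    allow-query-cache { trusted-nets; };

    // Outbound fetch throttles. These bound outstanding fetches per zone
    // and per authoritative server, so a referral that names many unglued
    // nameservers cannot fan out without limit. They reduce the
    // amplification toward the victim; they do not fix the referral
    // handling itself.
    fetches-per-zone 50;
    fetches-per-server 100;

    // Response Rate Limiting caps identical responses to the same client
    // network. It keeps this resolver from being used as a reflector
    // toward its own clients; it does not touch the resolver-to-
    // authoritative queries that NXNSAttack amplifies.
    rate-limit {
        responses-per-second 10;
        window 5;
    };

    // Collapse duplicate in-flight client queries for the same name so a
    // flood of identical queries does not multiply recursion work.
    max-clients-per-query 10;
};
```

Run named-checkconf on the merged file before reloading; fetches-per-zone and fetches-per-server accept an optional drop or fail keyword that controls what clients see when the limit is hit, and the defaults are fine for most deployments.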
🧯 If You Can't Patch
- Rate-limit DNS traffic at the network edge, both toward the resolver (clients) and from it (egress to port 53), so one referral cannot turn into an unbounded burst
- Put a protective DNS service or DNS firewall in front of the resolver to block lookups in attacker-controlled domains before they reach it
- Stop resolving iteratively on the unpatched host: configure it with forwarders pointing at a patched resolver and forward only; so it never processes referrals itself
🔍 How to Verify
Check if Vulnerable:
Run named -v (or rndc status, which prints the version of the running process) and compare against the fixed releases for your branch: 9.11.19, 9.14.12 and 9.16.3. Anything older in those branches, and any 9.12, 9.13 or 9.15 release, is vulnerable.
Check Version:
named -v
Caveat: distribution packages usually backport the fix without changing the upstream version string, so a banner such as BIND 9.16.1-Ubuntu may already be fixed. On packaged installs check the package changelog instead:
apt changelog bind9 | grep CVE-2020-8616
rpm -q --changelog bind | grep CVE-2020-8616
Verify Fix Applied:
After the upgrade, rndc status must report a fixed version (or a package build whose changelog lists CVE-2020-8616). Check the running process, not just the installed file: named has to have been restarted after the package was replaced.
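The version comparison above as a small POSIX sh check. It is an added example, not ISC tooling: it reduces the banner named -v prints to a bare version and classifies it against the three fixed releases. The sample banner is constructed, the script reports unknown for branches ISC shipped no fix for, and it cannot see distribution backports, so on Debian, Ubuntu or RHEL-family hosts pair it with the changelog check.

```shell
#!/bin/sh
# Added example (not ISC tooling): classify an installed BIND against the
# fix list for CVE-2020-8616. Fixed releases per ISC: 9.11.19, 9.14.12, 9.16.3.

# Reduce the banner "named -v" prints, e.g.
# "BIND 9.16.1-Ubuntu (Stable Release) <id:d497c32>", to the bare version
# "9.16.1". Vendor and patch suffixes (-Ubuntu, -P4, -S1) are dropped.
bind_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^BIND \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print fixed | vulnerable | unknown for a bare x.y.z version and exit
# 0 | 1 | 2 respectively. "unknown" covers branches ISC shipped no fix for
# (pre-9.11, the EOL 9.12/9.13/9.15 branches, the 9.17 development branch):
# treat those as vulnerable unless the package changelog says otherwise.
bind_cve_2020_8616_status() {
    ver=$1
    case $ver in
        *.*.*) ;;
        *) echo unknown; return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # "5-P4" -> "5"
    [ "$major" = 9 ] && [ -n "$patch" ] || { echo unknown; return 2; }
    case $minor in
        11) need=19 ;;
        14) need=12 ;;
        16) need=3 ;;
        *)  echo unknown; return 2 ;;
    esac
    if [ "$patch" -ge "$need" ]; then
        echo fixed
    else
        echo vulnerable
        return 1
    fi
}

# Usage: check the locally installed named, if there is one.
if command -v named >/dev/null 2>&1; then
    v=$(bind_version_from_banner "$(named -v)")
    printf 'installed BIND %s: %s\n' "$v" "$(bind_cve_2020_8616_status "$v")"
fi
```

The exit code is meant for use in a fleet check: 0 is clean, 1 needs the upgrade, 2 needs a human to read the changelog.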
📡 Detection & Monitoring
Log Indicators:
- Bursts of outbound A/AAAA lookups for many sibling nameserver names under one zone (ns1 through nsN of the same domain) within a second or two. This needs visibility of the resolver's outbound queries (dnstap or a packet capture on the resolver); BIND's client query log shows only the single inbound query that triggered the burst.
- Rising SERVFAIL and timeout counts for recursive clients while the resolver is busy chasing referrals.
Network Indicators:
- Spike in resolver egress toward a single authoritative server that is out of proportion to client demand.
- Many NXDOMAIN responses from that server for nameserver names: the nameservers listed in the malicious referral typically do not exist.
- Amplification pattern: one client query in, tens of resolver queries out to the same destination.
SIEM Query:
Splunk-style, counting distinct names the resolver asks each authoritative server per second; the sourcetype and field names depend on your DNS log source and are assumptions:
sourcetype=dns src_ip=<resolver IP> dest_port=53 (query_type=A OR query_type=AAAA) | bucket _time span=1s | stats dc(query) AS distinct_names by dest_ip, _time | where distinct_names > 20
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00044.html
- http://www.nxnsattack.com
- http://www.openwall.com/lists/oss-security/2020/05/19/4
- https://kb.isc.org/docs/cve-2020-8616
- https://lists.debian.org/debian-lts-announce/2020/05/msg00031.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JKJXVBOKZ36ER3EUCR7VRB7WGHIIMPNJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WOGCJS2XQ3SQNF4W6GLZ73LWZJ6ZZWZI/
- https://security.netapp.com/advisory/ntap-20200522-0002/
- https://usn.ubuntu.com/4365-1/
- https://usn.ubuntu.com/4365-2/
- https://www.debian.org/security/2020/dsa-4689
- https://www.synology.com/security/advisory/Synology_SA_20_12