CVE-2024-33655
📋 TL;DR
CVE-2024-33655, known as DNSBomb, is a DNS protocol vulnerability that allows remote attackers to cause denial of service by accumulating DNS queries and sending responses in bursts, leading to resource consumption and potential traffic amplification. It affects DNS servers and resolvers implementing RFC 1035 and updates, potentially impacting any organization using vulnerable DNS software.
💻 Affected Systems
- Unbound
- BIND9
- Technitium DNS Server
- Other DNS implementations based on RFC 1035
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
DNS servers become unresponsive due to resource exhaustion, causing widespread service disruption for dependent applications and networks.
Likely Case
Intermittent DNS performance degradation or temporary outages affecting query resolution.
If Mitigated
Minimal impact with proper patching or workarounds, such as rate limiting or updated software.
🎯 Exploit Status
Exploitation requires crafting DNS queries to trigger accumulation and burst responses, but no public proof-of-concept is available yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor-specific versions: Unbound (commit c3206f4568f60c486be6d165b1f2b5b254fea3de), BIND9 (issue 4398), Technitium DNS Server (version 120).
Vendor Advisory: https://alas.aws.amazon.com/ALAS-2024-1934.html
Restart Required: Yes
Instructions:
1. Identify the affected DNS software and its version.
2. Apply the vendor-provided patches or updates.
3. Restart the DNS service so the changes take effect.
4. Verify the fix using version checks or testing.
🔧 Temporary Workarounds
Implement DNS Rate Limiting
Configure rate limiting on DNS queries to prevent accumulation and burst responses.
# Example for BIND9: set 'rate-limit' options in named.conf
# Example for Unbound: use 'rate-limit' settings in unbound.conf
Use DNS Firewall or Filtering
Deploy network-level controls to block or throttle suspicious DNS traffic patterns.
# Use iptables or similar to limit DNS query rates. The limit rule alone only
# ACCEPTs traffic under the threshold; the DROP rule that follows is what
# discards the excess when the chain's default policy is ACCEPT. Tune 10/sec
# to the normal query load of the server.
iptables -A INPUT -p udp --dport 53 -m limit --limit 10/sec -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j DROP
🧯 If You Can't Patch
- Monitor DNS traffic for unusual burst patterns and implement alerting.
- Isolate DNS servers behind firewalls and restrict access to trusted sources only.
🔍 How to Verify
Check if Vulnerable:
Check whether the installed DNS software version is unpatched by comparing it against the vendor advisories; e.g., run 'unbound -V' or 'named -v'.
Check Version:
unbound -V   # for Unbound
named -v     # for BIND9
(or the equivalent version command for other DNS software)
Verify Fix Applied:
After patching, confirm the version matches the fixed release and test DNS functionality under normal load.
📡 Detection & Monitoring
Log Indicators:
- Unusual spikes in DNS query volumes or response bursts in server logs.
- Increased error rates or timeouts in DNS resolution logs.
Network Indicators:
- Abnormal UDP traffic patterns on port 53 with high packet rates.
- DNS amplification attempts visible in network monitoring tools.
SIEM Query:
Example: search for 'dns query count > threshold' or 'dns response burst' over short time windows.
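The query-burst indicator above can be checked directly against query logs. The following is an added example, not part of the original advisory or any vendor's tooling: a sliding-window detector that counts queries per client over a short window and raises an alert when a client crosses a threshold. The log format it parses is a constructed BIND9-style query-log line (the regex and the sample lines are assumptions made for this example); the threshold and window values are placeholders to tune against normal load.

```python
"""Per-client DNS query burst detector over query-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed regex for a BIND9-style query log line, covering only the fields
# this example needs:
#   "<dd-Mon-yyyy HH:MM:SS.mmm> client @0x... <ip>#<port> (<qname>): query: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\): query:"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_line(line):
    """Return (timestamp, client_ip, qname) or None for lines that are not queries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return ts, m.group("client"), m.group("qname")


def find_query_bursts(lines, threshold=10, window_seconds=1.0):
    """Flag clients that send >= threshold queries within any window_seconds span.

    Assumes each client's lines appear in time order (normal for a log file).
    Returns (alerts, skipped_line_count); one alert per burst, not per query.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps inside the current window
    alerted = set()               # clients currently above threshold
    alerts = []
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        ts, client, _qname = parsed
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that left the window
            q.popleft()
        if len(q) >= threshold:
            if client not in alerted:     # alert once when the burst starts
                alerted.add(client)
                alerts.append({"client": client, "first_seen": q[0],
                               "last_seen": ts, "count": len(q)})
        else:
            alerted.discard(client)       # burst over; allow a future alert
    return alerts, skipped


def constructed_sample():
    """Constructed log lines for this example (not captured from a real server)."""
    base = datetime(2024, 5, 25, 10, 0, 0)

    def line(ts, client, port, qname):
        stamp = ts.strftime(TS_FORMAT)[:-3]   # strftime gives 6 fraction digits; keep 3
        return (f"{stamp} client @0x7f3a1c {client}#{port} ({qname}): query: "
                f"{qname} IN A +E(0)K (198.51.100.1)")

    lines = []
    # One client fires 12 queries within half a second: a burst.
    for i in range(12):
        lines.append(line(base + timedelta(milliseconds=40 * i), "192.0.2.10",
                          5300 + i, f"q{i}.example.test"))
    # A second client sends 3 queries spread over several seconds: normal.
    for i in range(3):
        lines.append(line(base + timedelta(seconds=2 * i), "192.0.2.20",
                          40000, "www.example.test"))
    # A non-query log line that the parser must skip.
    lines.append("25-May-2024 10:00:07.000 general: info: zone example.test loaded")
    return lines


if __name__ == "__main__":
    found, skipped = find_query_bursts(constructed_sample())
    for a in found:
        print(f"burst from {a['client']}: {a['count']} queries between "
              f"{a['first_seen'].time()} and {a['last_seen'].time()}")
    print(f"skipped {skipped} non-query line(s)")
```

A per-client count is what separates a DNS accumulation pattern from a general traffic spike, and alerting once per burst rather than per query keeps the signal usable in a SIEM. Feed the detector real query-log lines by adapting LINE_RE to the server's log format.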
🔗 References
- https://alas.aws.amazon.com/ALAS-2024-1934.html
- https://datatracker.ietf.org/doc/html/rfc1035
- https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de
- https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-120
- https://gitlab.isc.org/isc-projects/bind9/-/issues/4398
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TBXPRJ2Q235YUZKYDRWOSYNDFBJQWJ3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QITY2QBX2OCBTZIXD2A5ES62STFIA4AL/
- https://meterpreter.org/researchers-uncover-dnsbomb-a-new-pdos-attack-exploiting-legitimate-dns-features/
- https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt
- https://nlnetlabs.nl/projects/unbound/security-advisories/
- https://sp2024.ieee-security.org/accepted-papers.html
- https://www.isc.org/blogs/2024-dnsbomb/
- https://lists.debian.org/debian-lts-announce/2025/08/msg00019.html