On July 28, 2015, the Internet Systems Consortium reported a critical security vulnerability in BIND, CVE-2015-5477. This vulnerability, which affects both BIND recursive and authoritative servers, is caused by an error in the handling of TKEY queries, allowing a remote attacker to crash BIND by sending a deliberately constructed query.
This vulnerability is considered critical, as it cannot be prevented through ACLs or configuration options, and affects all versions of BIND 9 (BIND 9.1.0 through 9.10.2). Successful attacks on unpatched BIND servers can result in a loss of DNS service, potentially making an organization’s web, email and other internet-connected servers unreachable.
BIND users are strongly encouraged to patch their servers immediately, as attacks against DNS servers have already been reported. BIND-based appliances are also vulnerable and should be patched; customers are encouraged to contact their vendors for additional patching information.
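Because the flaw is reached through TKEY queries, a useful check alongside patching is to review which clients have sent queries of that type. The following is an added example, not code from ISC or Secure64: it assumes query logging is enabled and that lines follow the `client ADDR#PORT (NAME): query: NAME CLASS TYPE ...` layout written by named, and the sample log lines are constructed.

```python
import re
from collections import Counter

# Matches named query-log lines such as:
#   client 192.0.2.10#53211 (example.com): query: example.com IN A + (192.0.2.53)
# Newer releases add an "@0x..." token after "client"; it is optional here.
QUERY_RE = re.compile(
    r"client\s+(?:@0x[0-9a-fA-F]+\s+)?(?P<src>[0-9a-fA-F.:]+)#\d+"
    r".*?query:\s+(?P<name>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)"
)

def tkey_queries(lines):
    """Return (source, name, class) for every logged query whose type is TKEY."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        # Compare the parsed type field, not the raw line, so a name that
        # merely contains "tkey" is not reported.
        if m and m.group("qtype").upper() == "TKEY":
            hits.append((m.group("src"), m.group("name"), m.group("qclass")))
    return hits

def tkey_sources(lines):
    """Count TKEY queries per source address for review."""
    return Counter(src for src, _, _ in tkey_queries(lines))

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
28-Jul-2015 10:01:02.123 client 192.0.2.10#53211 (www.example.com): query: www.example.com IN A + (192.0.2.53)
28-Jul-2015 10:01:05.456 client 198.51.100.7#40112 (foo.example.net): query: foo.example.net ANY TKEY + (192.0.2.53)
28-Jul-2015 10:01:05.789 client 198.51.100.7#40113 (bar.example.net): query: bar.example.net ANY TKEY + (192.0.2.53)
28-Jul-2015 10:01:09.001 client @0x7f3a1c0 2001:db8::5#5353 (tkey.example.org): query: tkey.example.org IN MX +E (2001:db8::53)
28-Jul-2015 10:01:11.314 client 203.0.113.4#61000 (example.com): query: example.com IN TKEY + (192.0.2.53)
named[811]: zone example.com/IN: loaded serial 2015072801
""".splitlines()

if __name__ == "__main__":
    for src, count in tkey_sources(SAMPLE_LOG).most_common():
        print(f"{src}\t{count} TKEY queries")
```

The output is a list of source addresses to review, not a verdict on any individual query.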
Secure64 DNS Cache and DNS Authority products, which are not based on BIND, do not contain this flaw, and do not require a patch to provide protection against these attacks.