TsuKing and BIND

We have recently received several questions from customers about the TsuKing vulnerability and whether BIND 9 is susceptible to it. The issue is the result of non-compliance with DNS standards; therefore, BIND and other DNS implementations that are compliant with DNS RFCs are not vulnerable.

TsuKing is a vector by which it is possible to coordinate vulnerable non-compliant DNS resolvers to cause a potent DNS amplification attack.

More information is available at:

Here at ISC, we are confident that BIND is not vulnerable to a TsuKing attack, because all the TsuKing variants rely on DNS implementations that are not RFC-compliant. Specifically, the DNS-OARC presentation states that “not honoring the RD=0 flag” and “aggressive retry” are both factors in TsuKing vulnerability, and BIND has built-in measures to prevent these behaviors. All current versions of BIND adhere strictly to RFCs, and are therefore not under threat by the attack vectors outlined by the TsuKing research team.

This attack should serve as an reminder that protocol non-compliance can have severe consequences.

BIND users who are interested in receiving advance notification of security announcements involving BIND are encouraged to contact our sales team for more information.

Recent Posts

What's New from ISC