
The Internet Systems Consortium (ISC) has recently disclosed two critical vulnerabilities affecting BIND, its widely used Domain Name System (DNS) software. These vulnerabilities, tracked as CVE-2024-11187 and CVE-2024-12705, could allow attackers to launch denial-of-service (DoS) attacks against both authoritative servers and resolvers.
CVE-2024-11187: Resource Exhaustion via Malicious Zones
This vulnerability allows attackers to craft malicious DNS zones that, when queried, generate responses containing a large number of records in the “Additional” section. By flooding a server with such queries, attackers can cause excessive CPU consumption, ultimately leading to resource exhaustion and service disruption.
“A named instance vulnerable to this issue can be compelled to consume excessive CPU resources up to the point where exhaustion of resources effectively prevents the server from responding to other client queries,” warns the ISC advisory.
CVE-2024-12705: DNS-over-HTTPS DoS Vulnerability
This vulnerability specifically affects BIND’s implementation of DNS-over-HTTPS (DoH). Attackers can exploit this flaw by flooding a DoH resolver with specially crafted HTTP/2 traffic, overwhelming the server and preventing legitimate clients from accessing the service.
“By flooding a target resolver with HTTP/2 traffic and exploiting this flaw, an attacker could overwhelm the server, causing high CPU and/or memory usage and preventing other clients from establishing DoH connections,” explains the ISC advisory.
Mitigations and Remediation
ISC has released patched versions of BIND to address these vulnerabilities. Users are strongly advised to upgrade to the latest versions (9.18.33, 9.20.5, or 9.21.4) as soon as possible.
As a temporary workaround for CVE-2024-11187, administrators can enable the minimal-responses option in BIND’s configuration. For CVE-2024-12705, disabling DoH until the patch can be applied is a viable mitigation.
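To make the two workarounds concrete, the following named.conf fragment (an added example, not taken from the ISC advisory or this article) shows an options block before and after applying them; the directory, key and certificate paths and listener names are placeholders, and the two options blocks are alternatives for comparison, not a single file.

```conf
// Added example, not ISC's or the article's own configuration.
// Placeholders: directory, key/cert paths, "doh-tls" and "doh-server".

// BEFORE: minimal-responses left at its default, DoH listener enabled on 443.
// While unpatched, the HTTP/2 endpoint is the exposure for CVE-2024-12705.
options {
    directory "/var/cache/bind";               // placeholder
    recursion yes;
    listen-on port 53 { any; };
    listen-on port 443 tls doh-tls http doh-server { any; };
};

tls doh-tls {
    key-file  "/etc/bind/doh.key";             // placeholder
    cert-file "/etc/bind/doh.crt";             // placeholder
};

http doh-server {
    endpoints { "/dns-query"; };
};

// AFTER: interim mitigation until the server runs 9.18.33, 9.20.5 or 9.21.4.
options {
    directory "/var/cache/bind";               // placeholder
    recursion yes;
    listen-on port 53 { any; };
    // CVE-2024-11187: stop adding unrequested records to the Additional
    // section, which removes the amplification the crafted zones rely on.
    minimal-responses yes;
    // CVE-2024-12705: DoH disabled by removing the HTTP/2 listener; the
    // tls/http blocks above may stay defined but are no longer referenced.
    // listen-on port 443 tls doh-tls http doh-server { any; };
};
```

Validate the edited file with named-checkconf before reloading, and re-enable the DoH listener only after upgrading to a fixed release.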