The CVE number for this vulnerability is CVE-2024-33655. A novel pulsing DoS attack named "DNSBomb" has been discovered to affect various DNS resolving software. Since the attack does not make Unbound itself vulnerable, but rather allows Unbound to be used as a participant in a DoS attack against others, we are using the industry-wide CVE number and categorizing the vulnerability with a LOW severity for Unbound.

== Summary

The DNSBomb attack, via specially timed DNS queries and answers, can cause a Denial of Service on resolvers and on spoofed targets. Unbound itself is not vulnerable to the DoS; rather, it can be used to take part in a pulsing DoS amplification attack. Unbound 1.20.0 includes fixes that make the impact of the DoS originating from Unbound significantly lower than it used to be, making the attack, and Unbound's participation in it, less tempting for attackers.

== Affected products

Unbound up to and including 1.19.3.

== Description

The DNSBomb attack works by sending low-rate spoofed queries for a malicious zone to Unbound. By controlling the delay of the malicious authoritative answers, the attacker makes Unbound slowly accumulate pending answers destined for the spoofed addresses. When the authoritative answers become available to Unbound all at the same time, Unbound starts serving all the accumulated queries at once. This results in large, concentrated response bursts to the spoofed addresses. The amplification comes from timing: many individually small, low-rate queries are turned into one burst whose size is bounded only by how many replies Unbound is willing to keep pending.

From version 1.20.0 on, Unbound introduces a couple of configuration options to help mitigate the impact. Their complete description can be found in the included manpages, but they are also briefly listed here together with their default values for convenience:

* discard-timeout: 1900
  After 1900 ms a pending reply to the client is dropped. Unbound still works on the query but refrains from replying, in order not to accumulate a huge number of "old" replies. Legitimate clients retry on timeouts.

* wait-limit: 1000
  wait-limit-cookie: 10000
  Limits the number of client queries that require recursion (cache hits are not counted) per IP address. Recursive queries beyond the allowed limit are dropped. Clients with a valid EDNS Cookie can have a different limit, higher by default, because a valid cookie shows the source address is not spoofed. wait-limit: 0 disables all wait limits.

* wait-limit-netblock
  wait-limit-cookie-netblock
  These do not have a default value, but they allow fine-grained configuration of the limits for specific netblocks, with or without EDNS Cookies.

The options above shrink the DNSBomb window: discard-timeout bounds how long a reply can stay pending, and wait-limit bounds how many pending recursive queries a single (possibly spoofed) source address can hold. Together they cap the size of the burst that can be released at once, so the impact of the DoS from Unbound is significantly lower than it used to be, making the attack, and Unbound's participation, less tempting for attackers.

== Mitigation

=== Downloading patched version

Unbound 1.20.0 is released with the patch:
https://nlnetlabs.nl/downloads/unbound/unbound-1.20.0.tar.gz

=== Applying the patch manually

For Unbound 1.19.3 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-33655.diff

Apply the patch in the Unbound source directory with:

  patch -p1 < patch_CVE-2024-33655.diff

then run 'make install' to build and install Unbound. The patch is tested to work on Unbound 1.19.3.

== Acknowledgements

We would like to thank Xiang Li from the Network and Information Security Lab of Tsinghua University for discovering and disclosing the attack.
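== Example configuration

The following unbound.conf server fragment is an added illustration of the options described above; it is not part of this advisory or of the Unbound distribution. It spells out the 1.20.0 defaults explicitly and shows the per-netblock forms, which have no default. The netblocks 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation prefixes used as placeholders, and the override values chosen for them are assumptions for the sake of the example, not recommendations.

```conf
# Added example, not from the advisory or the Unbound project.
# Requires Unbound 1.20.0 or later (or 1.19.3 with patch_CVE-2024-33655.diff).
server:
    # Drop any reply that has been pending longer than 1900 ms.
    # Unbound keeps resolving the query but will not answer it, so
    # "old" replies cannot pile up and be released in one burst.
    # Value in milliseconds; 1900 is the default.
    discard-timeout: 1900

    # Per-source-IP cap on queries waiting for recursion.
    # Cache hits are not counted. Setting wait-limit: 0 would disable
    # all wait limits and reopen the DNSBomb window. 1000 is the default.
    wait-limit: 1000

    # Clients presenting a valid EDNS Cookie have proven their source
    # address is not spoofed, so they get a higher cap. 10000 is the default.
    wait-limit-cookie: 10000

    # Assumed override for a trusted internal forwarder netblock that
    # legitimately fans out many recursive queries (placeholder prefix,
    # placeholder values).
    wait-limit-netblock: 192.0.2.0/24 5000
    wait-limit-cookie-netblock: 192.0.2.0/24 50000

    # Assumed stricter cap for a range that should never need much
    # recursion through this resolver (placeholder prefix and value).
    wait-limit-netblock: 198.51.100.0/24 100
```

After editing, validate the file with unbound-checkconf before reloading: on a build older than 1.20.0 (or an unpatched 1.19.3) the new option names are rejected as unknown, which is also a quick way to confirm that the running binary actually contains the fix.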