Software Engineering Institute

From the ISC BIND security page:

The default access control lists (acls) are not being correctly set. If not set anyone can make recursive queries and/or query the cache contents.

Note that the BIND advisory lists BIND 9.4.0, 9.4.1, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, and 9.5.0a5 as the versions affected.

A remote, unauthenticated attacker may be able to cause a vulnerable DNS server perform recursion. This could be used to perform denial-of-service attacks. An attacker may also be able to querry the cache.

Upgrade or Patch
This issue is addressed in ISC BIND 9.2.8-P1, BIND 9.3.4-P1, BIND 9.4.1-P1 or BIND 9.5.0a6. Users who obtain BIND from their operating system vendor should see the systems affected portion of this document for a partial list of affected vendors.

Workarounds for administrators of non-publicly accessisble recursive DNS servers

• Using firewall rules, limit access to the DNS server to authorized networks.

• Rate limiting the number of external recursion requests may mitigate potential abuse of the DNS server.