CVE-2023-50868 Overview
CVE-2023-50868 is a denial of service vulnerability in the DNS protocol's DNSSEC implementation, specifically affecting the Closest Encloser Proof aspect as defined in RFC 5155. When RFC 9276 guidance is not followed, remote attackers can exploit NSEC3 processing to cause excessive CPU consumption through SHA-1 hash computations. This vulnerability, commonly referred to as the "NSEC3" issue, allows attackers to leverage random subdomain attacks against DNSSEC-validating resolvers, potentially rendering critical DNS infrastructure unavailable.
The vulnerability stems from the RFC 5155 specification, which implies that an algorithm must perform thousands of iterations of a hash function in certain situations. Attackers can craft malicious DNSSEC responses that force DNS resolvers to perform computationally expensive operations, leading to resource exhaustion and service degradation.
Critical Impact
Remote attackers can cause denial of service against DNS resolvers by triggering excessive CPU consumption through crafted DNSSEC responses, potentially disrupting DNS resolution services for entire networks.
Affected Products
- ISC BIND (multiple versions)
- PowerDNS Recursor
- Fedora 38 and 39
- Debian Linux 10.0 and 11.0
- Red Hat Enterprise Linux 6.0, 7.0, 8.0, 8.2, and 8.4
- NetApp Active IQ Unified Manager
- NetApp HCI Compute Node and Bootstrap OS
- NetApp H300S, H410C, H410S, H500S, H700S storage systems
Discovery Timeline
- February 14, 2024 - CVE-2023-50868 published to NVD
- December 23, 2025 - Last updated in NVD database
Technical Details for CVE-2023-50868
Vulnerability Analysis
This vulnerability exploits a design flaw in the NSEC3 (Next Secure version 3) mechanism used by DNSSEC to provide authenticated denial of existence for DNS records. NSEC3 was designed to prevent zone enumeration by using hashed owner names, but the RFC 5155 specification allows for a high number of hash iterations that can be weaponized against resolvers.
When a DNSSEC-validating resolver receives a response containing NSEC3 records, it must compute hash chains to verify the Closest Encloser Proof. The vulnerability allows attackers to force resolvers to perform thousands of SHA-1 hash iterations per query by crafting responses with high iteration counts. In a random subdomain attack scenario, the attacker queries for non-existent subdomains, causing the resolver to repeatedly process computationally expensive NSEC3 proofs.
The attack is particularly effective because it requires minimal resources from the attacker while consuming significant CPU cycles on the target resolver. A sustained attack can lead to complete service degradation, affecting all DNS resolution services provided by the compromised resolver.
Root Cause
The root cause lies in the RFC 5155 specification, which permits NSEC3 records to specify iteration counts without reasonable upper bounds. The specification was designed to increase the computational cost of offline dictionary attacks against hashed zone contents, but this same mechanism can be turned against resolvers. When RFC 9276 guidance (which recommends limiting iterations) is not implemented, resolvers are vulnerable to attacks that exploit high iteration values. The lack of mandatory limits in the original specification, combined with missing input validation in affected DNS software, creates the exploitable condition.
Attack Vector
The attack is conducted over the network without requiring authentication or user interaction. An attacker can exploit this vulnerability by:
- Setting up or compromising a malicious authoritative DNS server
- Configuring NSEC3 zones with extremely high iteration counts
- Sending DNS queries for random non-existent subdomains to target resolvers
- Forcing the resolver to query the malicious authoritative server
- Having the malicious server respond with NSEC3 records that require expensive hash computations
- Saturating the target resolver's CPU with Closest Encloser Proof processing
The attack can be amplified by using multiple query sources or targeting resolvers that serve large user populations. Since DNS is a fundamental infrastructure service, the impact can cascade to affect all services dependent on DNS resolution.
Detection Methods for CVE-2023-50868
Indicators of Compromise
- Unusual spikes in CPU utilization on DNS resolver servers correlated with DNSSEC validation operations
- High volume of DNS queries for random or non-existent subdomains targeting specific domains
- NSEC3 responses with abnormally high iteration counts (typically above 100-150 iterations)
- DNS resolution timeouts or failures affecting multiple clients simultaneously
Detection Strategies
- Monitor DNS server CPU metrics and correlate with DNSSEC validation activity to identify potential exploitation
- Implement logging for NSEC3 iteration counts in DNS responses and alert on values exceeding recommended thresholds
- Deploy network-based detection for patterns consistent with random subdomain attacks (high query volume for unique subdomains)
- Analyze DNS query logs for suspicious patterns of queries to domains known to use high NSEC3 iteration counts
Monitoring Recommendations
- Configure alerting thresholds for DNS resolver CPU utilization exceeding baseline by significant margins
- Implement DNSSEC validation statistics monitoring to track computational overhead
- Monitor query response times to detect degradation in DNS resolution performance
- Track the ratio of NXDOMAIN responses to identify potential random subdomain attack campaigns
How to Mitigate CVE-2023-50868
Immediate Actions Required
- Update all affected DNS software to patched versions immediately, prioritizing internet-facing resolvers
- Review and implement RFC 9276 guidance, which recommends limiting NSEC3 iterations to reasonable values
- Configure DNS resolver software to cap maximum acceptable NSEC3 iteration counts
- Monitor DNS infrastructure for signs of active exploitation while patches are being deployed
Patch Information
Multiple vendors have released security updates to address this vulnerability. ISC has published a security release for BIND (see ISC BIND Security Release for details). PowerDNS has released patches documented in their Security Advisory 2024-01. NLnet Labs has released Unbound 1.19.1 to address this issue (see Unbound Release Announcement). Additional patches are available from Red Hat, Debian, Fedora, and NetApp.
Workarounds
- Limit NSEC3 iteration processing by configuring maximum iteration thresholds in resolver software where supported
- Consider temporarily disabling DNSSEC validation on critical resolvers if under active attack (understanding the security trade-offs)
- Implement rate limiting on DNS queries to reduce the impact of random subdomain attacks
- Deploy DNS traffic analysis tools to identify and block malicious query patterns before they reach resolvers
# Example BIND configuration (named.conf options block)
# Note: max-recursion-queries does not limit NSEC3 hash iterations. It caps the
# number of iterative queries the resolver sends while resolving a single name,
# which bounds the work a flood of random-subdomain queries can trigger. The
# NSEC3 iteration limit itself is enforced by the patched BIND release.
options {
    # Cap the iterative queries issued per recursion
    max-recursion-queries 75;
    # Log incoming queries so random-subdomain patterns can be analysed
    querylog yes;
};
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.