CVE-2024-12705 Overview
CVE-2024-12705 is a resource exhaustion vulnerability affecting BIND 9 DNS resolvers that have DNS-over-HTTPS (DoH) enabled. Remote attackers can exploit this flaw by flooding the DNS resolver with crafted valid or invalid HTTP/2 traffic, leading to exhaustion of the server's CPU and/or memory resources. This denial of service condition can render the DNS resolver unavailable, disrupting name resolution services for dependent systems and networks.
The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that the affected BIND versions fail to properly limit the rate or volume of incoming HTTP/2 requests processed by the DoH service.
Critical Impact
Attackers can remotely exhaust DNS resolver resources by flooding DoH endpoints with malicious HTTP/2 traffic, causing denial of service and disrupting critical DNS infrastructure.
Affected Products
- BIND 9 versions 9.18.0 through 9.18.32
- BIND 9 versions 9.20.0 through 9.20.4
- BIND 9 versions 9.21.0 through 9.21.3
- BIND 9 versions 9.18.11-S1 through 9.18.32-S1 (ISC Subscription Edition)
Discovery Timeline
- 2025-01-29 - CVE-2024-12705 published to NVD
- 2025-02-07 - Last updated in NVD database
Technical Details for CVE-2024-12705
Vulnerability Analysis
This vulnerability exists in the DNS-over-HTTPS (DoH) implementation within BIND 9. DoH encapsulates DNS queries within HTTPS traffic, using HTTP/2 as the transport protocol. The flaw stems from improper resource management when handling incoming HTTP/2 streams and requests.
When a BIND 9 resolver is configured to accept DoH connections, it processes incoming HTTP/2 frames and DNS queries. The vulnerability allows attackers to send a high volume of crafted HTTP/2 traffic—either valid DNS queries or malformed requests—without adequate rate limiting or resource constraints being enforced by the server. This results in unbounded resource consumption as the resolver attempts to process the flood of incoming traffic.
The attack can be executed remotely over the network without authentication or user interaction. While the vulnerability does not compromise confidentiality or integrity of data, the availability impact is significant as DNS resolvers can become completely unresponsive.
Root Cause
The root cause is classified as CWE-770: Allocation of Resources Without Limits or Throttling. The BIND 9 DoH implementation lacks adequate controls to limit the rate of incoming HTTP/2 connections and requests, allowing attackers to consume server resources without restriction. This design weakness permits unbounded allocation of CPU cycles and memory to process attacker-controlled traffic.
Attack Vector
The attack is conducted over the network against BIND 9 servers with DoH enabled. An attacker initiates multiple HTTP/2 connections to the DoH endpoint and floods the server with HTTP/2 frames, which may contain valid DNS queries, invalid queries, or malformed HTTP/2 protocol data.
The HTTP/2 protocol's multiplexing capability allows multiple streams within a single TCP connection, amplifying the attack surface. Attackers can exploit this by opening numerous concurrent streams and sending rapid requests, overwhelming the resolver's ability to process legitimate traffic while consuming CPU and memory resources.
The attack does not require any privileges or authentication, making it accessible to any network client that can reach the DoH endpoint. Organizations exposing DoH services to the internet are particularly at risk.
Detection Methods for CVE-2024-12705
Indicators of Compromise
- Abnormally high CPU utilization on BIND 9 DNS servers with DoH enabled
- Memory exhaustion or out-of-memory events on DNS resolver systems
- Spike in HTTP/2 connections to DoH endpoints (typically port 443)
- DNS query latency degradation or timeouts reported by clients
- Log entries indicating resource constraints or process termination
Detection Strategies
- Monitor BIND 9 server performance metrics for unusual CPU and memory consumption patterns
- Implement network traffic analysis to detect volumetric HTTP/2 traffic anomalies targeting DoH endpoints
- Configure alerting on DNS resolver availability and response time degradation
- Review BIND 9 logs for error messages related to resource exhaustion or connection handling failures
Monitoring Recommendations
- Deploy application-layer monitoring on DoH endpoints to track HTTP/2 connection rates and request volumes
- Establish baseline metrics for normal DoH traffic patterns to enable anomaly detection
- Implement SentinelOne Singularity to monitor DNS infrastructure hosts for resource exhaustion attacks
- Use network flow analysis to identify sources of abnormal traffic volumes targeting DNS services
How to Mitigate CVE-2024-12705
Immediate Actions Required
- Upgrade BIND 9 to a patched version as recommended by ISC
- If DoH is not required, disable the DoH listener in BIND configuration
- Implement rate limiting at the network perimeter for HTTP/2 traffic to DoH endpoints
- Deploy web application firewalls (WAF) or reverse proxies with HTTP/2 flood protection capabilities
- Monitor DNS resolver resource utilization closely until patches are applied
Patch Information
ISC has released updated versions of BIND 9 to address this vulnerability. Administrators should consult the ISC CVE-2024-12705 Documentation for specific version information and upgrade instructions. Additionally, NetApp has published Security Advisory NTAP-20250207-0003 for affected NetApp products.
Organizations using BIND 9 should upgrade to the latest patched version in their respective release branch:
- For 9.18.x series: Upgrade beyond 9.18.32
- For 9.20.x series: Upgrade beyond 9.20.4
- For 9.21.x series: Upgrade beyond 9.21.3
- For 9.18.x-S1 subscription series: Upgrade beyond 9.18.32-S1
Workarounds
- Disable DNS-over-HTTPS functionality if not required for operations by removing or commenting out the http and related DoH configuration blocks
- Restrict access to DoH endpoints using firewall rules to allow only trusted client networks
- Deploy a reverse proxy or load balancer with HTTP/2 rate limiting in front of BIND 9 DoH services
- Implement connection rate limiting using operating system-level controls such as iptables or nftables
- Consider using dedicated DoH proxy solutions that provide built-in flood protection
# Example: Disable DoH in BIND 9 named.conf
# Comment out or remove the http block and related tls configuration
# Before:
# http local {
# endpoints { "/dns-query"; };
# };
#
# After (DoH disabled):
# DoH configuration removed - resolver accepts only traditional DNS on port 53
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
