CVE-2024-12705 Overview
CVE-2024-12705 is a denial-of-service vulnerability in ISC BIND 9 affecting the DNS-over-HTTPS (DoH) transport. Clients can exhaust a BIND 9 resolver's CPU and memory by flooding it with crafted valid or invalid HTTP/2 traffic. The flaw maps to [CWE-770: Allocation of Resources Without Limits or Throttling]. Affected releases include BIND 9.18.0 through 9.18.32, 9.20.0 through 9.20.4, 9.21.0 through 9.21.3, and the Subscription Edition versions 9.18.11-S1 through 9.18.32-S1.
Critical Impact
A remote, unauthenticated attacker can disrupt DNS resolution by saturating CPU and memory on any BIND 9 server with DoH enabled, breaking name resolution for downstream clients.
Affected Products
- ISC BIND 9.18.0 through 9.18.32
- ISC BIND 9.20.0 through 9.20.4, and 9.21.0 through 9.21.3
- ISC BIND Subscription Edition 9.18.11-S1 through 9.18.32-S1
Discovery Timeline
- 2025-01-29 - CVE-2024-12705 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-12705
Vulnerability Analysis
The vulnerability resides in BIND 9's DNS-over-HTTPS listener, which carries DNS queries over HTTP/2 framed connections. A remote attacker who can reach the DoH endpoint sends a high volume of crafted HTTP/2 frames. Each frame triggers parser, stream, and queue work inside the resolver process. The cumulative cost of processing this traffic drives CPU utilization toward saturation and inflates memory usage tied to HTTP/2 stream state. Both valid and malformed HTTP/2 traffic produce the effect, so attackers do not need to negotiate working DoH queries. Authentication is not required and the impact is limited to availability.
Root Cause
The issue is classified as [CWE-770]. BIND 9's DoH implementation does not adequately bound the rate or quantity of resources consumed while parsing and tracking inbound HTTP/2 streams. Without effective per-connection or per-client throttling on stream creation, header processing, and request queueing, an attacker controls how much CPU and heap memory the resolver dedicates to a single client.
Attack Vector
Exploitation requires only network reachability to a BIND 9 instance with DoH enabled. The attacker establishes one or more HTTPS connections and floods the resolver with HTTP/2 frames. Sustained traffic degrades or halts DNS resolution for legitimate clients. The vulnerability does not allow code execution, data theft, or integrity tampering. See the ISC CVE-2024-12705 advisory for protocol-level technical detail.
Detection Methods for CVE-2024-12705
Indicators of Compromise
- Sharp increases in named CPU consumption coinciding with HTTPS/443 connections to the resolver's DoH endpoint
- Rapid growth in resident memory used by the named process without a corresponding rise in successful query throughput
- Elevated counts of HTTP/2 stream resets, malformed frames, or short-lived TLS sessions in DoH access logs
- Drops in DNS resolution success rate or rising query latency reported by downstream clients
Detection Strategies
- Baseline normal DoH connection counts, HTTP/2 stream rates, and named resource usage, then alert on deviations
- Inspect TLS/HTTP/2 telemetry at the load balancer or reverse proxy fronting BIND for abnormal frame-to-query ratios
- Correlate spikes in source IP connection counts to /dns-query endpoints with DNS service degradation
Monitoring Recommendations
- Export BIND statistics channel metrics into a SIEM or time-series store and alert on memory and CPU thresholds
- Monitor HTTP/2 error codes (PROTOCOL_ERROR, ENHANCE_YOUR_CALM, REFUSED_STREAM) from the DoH listener
- Track per-source-IP request and stream rates to identify abusive clients before resolver saturation
How to Mitigate CVE-2024-12705
Immediate Actions Required
- Upgrade BIND 9 to a fixed release published by ISC for the 9.18, 9.20, 9.21, and 9.18-S1 branches
- If patching cannot occur immediately, disable the DoH listener in named.conf until the upgrade is applied
- Restrict DoH endpoint reachability to known client networks using firewall ACLs or a fronting reverse proxy
Patch Information
ISC has released corrected versions for each affected branch. Refer to the ISC CVE-2024-12705 knowledge base article for fixed version numbers and download locations. NetApp customers should consult NetApp Security Advisory NTAP-20250207-0003 for product-specific guidance.
Workarounds
- Disable DoH by removing http listeners and http clauses from the options and listen-on configuration in named.conf
- Place a hardened HTTP/2 reverse proxy in front of BIND with strict per-connection stream limits and request rate caps
- Apply network-layer rate limiting on TCP/443 toward the resolver to cap concurrent HTTP/2 sessions per source
# Configuration example: temporarily disable DoH in named.conf
options {
# Remove or comment out the http listener block below until patched
# http local-http-server {
# endpoints { "/dns-query"; };
# };
};
# Remove DoH listen-on statements such as:
# listen-on port 443 tls local-tls http local-http-server { any; };
# Reload BIND after editing
rndc reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

