
CVE-2024-1737: BIND 9 DNS Performance DoS Vulnerability

CVE-2024-1737 is a denial of service vulnerability in BIND 9 DNS servers that causes performance degradation when handling large numbers of resource records. This article covers technical details, affected versions, and mitigation.

Published: January 28, 2026

CVE-2024-1737 Overview

CVE-2024-1737 is a resource exhaustion vulnerability affecting ISC BIND 9, one of the most widely deployed DNS server implementations. The vulnerability occurs in resolver caches and authoritative zone databases when handling hostnames with significant numbers of Resource Records (RRs). When a hostname accumulates large numbers of RRs of any record type (RTYPE), the DNS server experiences degraded performance during content addition, updates, and client query handling operations.

This weakness (CWE-770: Allocation of Resources Without Limits or Throttling) can be exploited remotely over the network without requiring any authentication or user interaction, potentially causing denial of service conditions on affected DNS infrastructure.

Critical Impact

Attackers can remotely degrade DNS server performance by exploiting RRset management inefficiencies, potentially causing service disruption for organizations relying on affected BIND 9 installations.

Affected Products

  • BIND 9 versions 9.11.0 through 9.11.37
  • BIND 9 versions 9.16.0 through 9.16.50
  • BIND 9 versions 9.18.0 through 9.18.27
  • BIND 9 versions 9.19.0 through 9.19.24
  • BIND 9 Supported Preview Edition 9.11.4-S1 through 9.11.37-S1
  • BIND 9 Supported Preview Edition 9.16.8-S1 through 9.16.50-S1
  • BIND 9 Supported Preview Edition 9.18.11-S1 through 9.18.27-S1

Discovery Timeline

  • 2024-07-23 - CVE-2024-1737 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2024-1737

Vulnerability Analysis

This vulnerability stems from how BIND 9 handles Resource Record sets (RRsets) for individual hostnames. When a single hostname accumulates a large number of Resource Records—regardless of record type—the internal data structures used by BIND's resolver cache or authoritative zone database become inefficient to process.

The performance degradation manifests in two primary scenarios: during content updates (when new RRs are added or existing ones modified) and when processing client DNS queries for hostnames with large RRsets. This behavior can be triggered remotely by an attacker who crafts DNS responses or zone data containing excessive RRs for targeted hostnames.

The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that BIND fails to properly constrain the resources consumed when managing large RRsets, leading to computational overhead that degrades overall server performance.

Root Cause

The root cause lies in BIND 9's internal algorithms for managing RRset data structures. When processing hostnames with unusually large numbers of associated Resource Records, the time complexity of operations such as insertion, update, and lookup increases significantly. The lack of effective limits on RRset sizes allows attackers to force the server into computationally expensive operations, consuming CPU cycles and memory resources that should be available for legitimate DNS query processing.

Attack Vector

The vulnerability is exploitable via network-based attacks targeting BIND 9 DNS servers. An attacker can exploit this vulnerability by:

  1. Cache Poisoning Preparation: Sending crafted DNS responses that populate the resolver cache with hostnames containing excessive RRs
  2. Zone Transfer Exploitation: If zone transfers are permitted, uploading zone data with hostnames containing large RRsets
  3. Recursive Query Abuse: Triggering the resolver to cache responses from malicious authoritative servers that return oversized RRsets

The attack requires no authentication and no user interaction, making it particularly dangerous for internet-facing DNS infrastructure.

The vulnerability allows remote attackers to degrade DNS server performance by exploiting the RRset management algorithm. When a hostname with an excessive number of Resource Records is queried or updated, the server's internal data structure operations become computationally expensive. This can be achieved through crafted DNS responses that poison the resolver cache with hostnames containing numerous RRs. For detailed technical analysis and proof-of-concept scenarios, refer to the ISC CVE-2024-1737 Details advisory.

Detection Methods for CVE-2024-1737

Indicators of Compromise

  • Unusual CPU utilization spikes on BIND 9 DNS servers during query processing
  • Increased DNS query response latency for specific hostnames
  • Memory consumption growth in the named process without a corresponding traffic increase
  • DNS server logs indicating slow query processing or timeout warnings

Detection Strategies

  • Monitor BIND 9 server performance metrics for anomalous CPU and memory usage patterns
  • Implement DNS query logging and analyze for hostnames with unusually large response sizes
  • Configure threshold-based alerting for DNS query latency exceeding normal baselines
  • Review resolver cache statistics for hostnames accumulating abnormal RRset counts
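
One way to carry out the last check, as an added example that is not part of the original page or of ISC's tooling: a Python scan of master-file style text (a zone file or a text dump of the cache) that counts records per owner name and type. The one-record-per-line input format, the function names, and the sample data are assumptions; the thresholds of 100 are chosen to match the defaults of the max-records-per-type and max-types-per-name options in patched BIND 9 releases.

```python
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}

# Constructed sample in master-file style (not real data): one name with 150 TXT records.
SAMPLE = "\n".join(
    ["; constructed sample", "$TTL 300",
     "www.example.test. 300 IN A 192.0.2.1",
     "\t300 IN A 192.0.2.2",  # leading whitespace: owner inherited from previous line
     "www.example.test. 300 IN AAAA 2001:db8::1"]
    + [f'big.example.test. 60 IN TXT "r{i}"' for i in range(150)]
)

def parse_records(text):
    """Yield (owner, rtype) per record line. Assumes one record per line,
    numeric TTLs, and no multi-line parenthesised records."""
    owner = None
    for raw in text.splitlines():
        # Cutting at ';' may truncate quoted rdata, but owner and type precede it.
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("$"):
            continue  # blank line, comment, or $ORIGIN/$TTL directive
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0).lower()
        # Skip the optional TTL and class, in either order.
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        if owner and tokens:
            yield owner, tokens[0].upper()

def oversized(text, max_records_per_type=100, max_types_per_name=100):
    """Return (owner, rtype, count) findings; rtype '*' means too many types."""
    counts = defaultdict(lambda: defaultdict(int))
    for owner, rtype in parse_records(text):
        counts[owner][rtype] += 1
    findings = []
    for owner, types in sorted(counts.items()):
        if len(types) > max_types_per_name:
            findings.append((owner, "*", len(types)))
        for rtype, n in sorted(types.items()):
            if n > max_records_per_type:
                findings.append((owner, rtype, n))
    return findings

if __name__ == "__main__":
    for owner, rtype, n in oversized(SAMPLE):
        print(f"{owner} {rtype} {n}")
```

Names reported here are candidates for review; a large RRset is not by itself evidence of an attack, so compare findings against what the zone owner expects.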

Monitoring Recommendations

  • Deploy network monitoring to detect DNS responses containing excessive Resource Records
  • Utilize BIND's built-in statistics channels to track RRset sizes and cache performance
  • Implement DNS traffic analysis to identify potential cache poisoning attempts
  • Configure the SentinelOne Singularity platform to monitor the named process for resource exhaustion indicators

How to Mitigate CVE-2024-1737

Immediate Actions Required

  • Upgrade BIND 9 to the latest patched version addressing CVE-2024-1737
  • Review DNS server configurations for unnecessary exposure to untrusted networks
  • Implement rate limiting on DNS queries to reduce attack surface
  • Consider deploying DNS firewalls or response policy zones (RPZ) to filter malicious responses

Patch Information

ISC has released security updates addressing this vulnerability. Administrators should upgrade to patched versions as documented in the ISC CVE-2024-1737 Details advisory. Additionally, ISC provides guidance on implementing RRset limits in the ISC RRSET Limits Guidance documentation.

Organizations running BIND 9 on NetApp systems should also consult the NetApp Security Advisory NTAP-20240731-0003 for platform-specific guidance.

Workarounds

  • Implement RRset size limits as described in ISC's RRSET limits guidance documentation
  • Configure response rate limiting (RRL) to mitigate the impact of cache poisoning attempts
  • Restrict zone transfers to authorized secondary servers only
  • Consider deploying upstream DNS filtering to block responses with abnormal RRset sizes
# Configuration example - Enable Response Rate Limiting in BIND 9
# Add to named.conf options block
options {
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;
        log-only no;
    };
};

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DOS
  • Vendor/Tech: Bind
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.29%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-770

Technical References

  • Openwall OSS-Security Update
  • Openwall OSS-Security Notification
  • ISC CVE-2024-1737 Details
  • ISC RRSET Limits Guidance
  • NetApp Security Advisory NTAP-20240731-0003

Related CVEs

  • CVE-2026-1519: BIND DNS Resolver DoS Vulnerability
  • CVE-2026-3119: BIND 9 DNS Server DoS Vulnerability
  • CVE-2025-13878: BIND 9 DNS Server DoS Vulnerability
  • CVE-2025-8677: BIND 9 DNS DoS Vulnerability via DNSKEY