CVE-2025-40780 Overview
CVE-2025-40780 is a cryptographic vulnerability affecting ISC BIND 9, one of the most widely deployed DNS server implementations. The vulnerability stems from a weakness in the Pseudo Random Number Generator (PRNG) used by BIND, which allows attackers to predict the source port and query ID values used in DNS queries. This predictability enables sophisticated DNS cache poisoning attacks that can redirect legitimate DNS queries to malicious destinations.
Critical Impact
Successful exploitation allows attackers to poison DNS caches by predicting source ports and query IDs, potentially redirecting users to malicious servers without detection.
Affected Products
- BIND 9 versions 9.16.0 through 9.16.50
- BIND 9 versions 9.18.0 through 9.18.39
- BIND 9 versions 9.20.0 through 9.20.13
- BIND 9 versions 9.21.0 through 9.21.12
- BIND 9-S (Supported Preview) versions 9.16.8-S1 through 9.16.50-S1
- BIND 9-S versions 9.18.11-S1 through 9.18.39-S1
- BIND 9-S versions 9.20.9-S1 through 9.20.13-S1
Discovery Timeline
- 2025-10-22 - CVE-2025-40780 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-40780
Vulnerability Analysis
This vulnerability is classified under CWE-341 (Predictable from Observable State), indicating that the PRNG implementation in BIND produces values that can be predicted by observing the system's state. In the context of DNS security, unpredictable source ports and transaction IDs (query IDs) are critical defenses against cache poisoning attacks—a protection mechanism that has been fundamental to DNS security since the Kaminsky attack disclosure in 2008.
The weakness lets a network-based attacker shrink the search space that must be covered to inject a forged DNS response successfully. By predicting the source port and query ID combination, an attacker can craft spoofed DNS responses that the vulnerable BIND resolver accepts as legitimate responses from authoritative nameservers.
Root Cause
The root cause lies in the Pseudo Random Number Generator (PRNG) implementation within BIND 9. Under specific circumstances, the PRNG produces predictable values for source port selection and DNS query ID generation. This weakness defeats the entropy-based protections that prevent attackers from blindly guessing the correct port/ID combination needed for successful cache poisoning.
The vulnerability affects the randomness quality of two critical DNS security parameters:
- Source port randomization: Port numbers used for outbound DNS queries
- Query ID (TXID) randomization: 16-bit transaction identifiers in DNS headers
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker positioned to observe and inject network traffic can:
- Analyze DNS query patterns from the target BIND resolver to observe PRNG outputs
- Use the observed values to predict future source port and query ID combinations
- Race legitimate authoritative responses with forged responses containing predicted values
- Successfully poison the DNS cache with malicious records
The vulnerability can be exploited to redirect traffic for arbitrary domain names to attacker-controlled infrastructure, enabling phishing, malware distribution, and man-in-the-middle attacks. The scope is changed, meaning successful exploitation can impact resources beyond the vulnerable component itself—affecting all clients relying on the poisoned DNS cache.
The attack requires network access to send packets to and from the vulnerable DNS resolver. For detailed technical analysis, refer to the ISC CVE-2025-40780 Advisory.
Detection Methods for CVE-2025-40780
Indicators of Compromise
- Unusual patterns in DNS query source ports that exhibit predictable sequences
- Multiple DNS responses received for single queries (indicating race condition attempts)
- Unexpected changes in cached DNS records, particularly for high-value domains
- Anomalous DNS traffic patterns from external sources targeting your resolver
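A defender-side scorer for the first indicator above, added here as an example and not part of the ISC advisory or of BIND: it parses tcpdump-style summaries of the resolver's outbound queries (the line format and every sample line are constructed) and flags a capture whose consecutive source-port or TXID deltas repeat, or whose value entropy collapses. Entropy alone misses a fixed stride, which is why both tests run.

```python
import math
import re
from collections import Counter

# tcpdump DNS summary: src port is the last dotted label, 16-bit message ID precedes '+'.
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+? ")

def parse_observations(lines):
    """Return (source_port, txid) pairs from tcpdump-style query lines."""
    found = (QUERY_RE.search(line) for line in lines)
    return [(int(m.group(1)), int(m.group(2))) for m in found if m]

def normalized_entropy(values):
    """Shannon entropy over its ceiling log2(n): 1.0 means all values distinct."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)

def repeated_delta_ratio(values):
    """Share of consecutive 16-bit deltas matching the most frequent delta (stride -> ~1.0)."""
    if len(values) < 3:
        return 0.0
    deltas = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    return Counter(deltas).most_common(1)[0][1] / len(deltas)

def assess(lines, max_delta_ratio=0.5, min_entropy=0.9):
    """Flag a capture whose outbound source ports or TXIDs look predictable."""
    obs = parse_observations(lines)
    ports, txids = [p for p, _ in obs], [t for _, t in obs]
    report = {
        "port_entropy": normalized_entropy(ports),
        "txid_entropy": normalized_entropy(txids),
        "port_delta_ratio": repeated_delta_ratio(ports),
        "txid_delta_ratio": repeated_delta_ratio(txids),
    }
    report["predictable"] = (
        max(report["port_delta_ratio"], report["txid_delta_ratio"]) > max_delta_ratio
        or min(report["port_entropy"], report["txid_entropy"]) < min_entropy
    )
    return report

# Constructed samples (not real traffic): stride-3 ports with sequential IDs vs varied pairs.
LINE = "IP 10.0.0.53.{} > 192.0.2.1.53: {}+ A? example.com. (29)"
STRIDE_CAPTURE = [LINE.format(40000 + 3 * i, 1000 + i) for i in range(16)]
HEALTHY_CAPTURE = [LINE.format(p, t) for p, t in zip(
    [51243, 36017, 60925, 41380, 33799, 58211, 47602, 39944],
    [4660, 52731, 9123, 61004, 27538, 44019, 13377, 58820])]
```

Run `assess()` over a real capture summary of the resolver's port-53 egress; the stride sample scores full entropy yet is flagged because every delta repeats.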
Detection Strategies
- Monitor BIND resolver logs for signs of cache poisoning attempts, such as rejected responses with incorrect port/ID combinations
- Implement DNS response validation using DNSSEC to detect forged responses regardless of successful ID prediction
- Deploy network intrusion detection signatures that identify DNS spoofing patterns
- Analyze DNS query/response ratios for anomalies indicating injection attempts
Monitoring Recommendations
- Enable and review BIND query logging to establish baselines and detect anomalies
- Monitor for unexpected TTL changes in cached records that may indicate cache poisoning
- Track DNS resolution patterns for critical domains and alert on unexpected IP address changes
- Implement DNS firewall rules to restrict resolver access to authorized networks only
How to Mitigate CVE-2025-40780
Immediate Actions Required
- Upgrade BIND to the latest patched version as specified in the ISC security advisory
- Restrict DNS resolver access to trusted networks only using firewall rules and BIND ACLs
- Enable DNSSEC validation on resolvers to cryptographically verify DNS responses
- Consider implementing DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) for additional transport security
Patch Information
ISC has released security updates addressing this vulnerability. Organizations should upgrade to the latest available BIND version for their respective branch. Consult the ISC CVE-2025-40780 Advisory for specific patched version numbers and upgrade instructions.
Additional information about this vulnerability was disclosed on the OpenWall OSS-Security Mailing List.
Workarounds
- Enable DNSSEC validation to cryptographically verify DNS responses and reject forged data
- Implement strict ACLs to limit which clients can query the resolver
- Deploy rate limiting on DNS responses to slow down cache poisoning race conditions
- Consider running BIND behind a DNS firewall or proxy that provides additional response validation
# Configuration example - Enable DNSSEC validation and restrict access
# The acl statements go at top level of named.conf, before the options block;
# the network ranges below are placeholders to replace with your own.
acl "trusted-networks" { 192.0.2.0/24; 2001:db8::/32; };
acl "internal-clients" { 192.0.2.0/24; };
options {
    dnssec-validation auto;
    allow-query { trusted-networks; };
    allow-recursion { internal-clients; };
    # Response Rate Limiting (RRL): caps identical responses named sends
    # per second to each client network.
    rate-limit {
        responses-per-second 10;
    };
};
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

