CVE-2025-5994 Overview
A multi-vendor DNS cache poisoning vulnerability named "Rebirthday Attack" has been discovered in caching resolvers that support EDNS Client Subnet (ECS). This vulnerability affects Unbound DNS resolver when compiled with ECS support using the --enable-subnet flag and configured to send ECS information along with queries to upstream name servers. The attack exploits the birthday paradox principle to match DNS transaction IDs and inject malicious DNS responses into the resolver cache.
Resolvers supporting ECS must segregate outgoing queries to accommodate different outgoing ECS information. This architectural requirement re-opens resolvers to birthday paradox attacks, allowing adversaries to attempt matching DNS transaction IDs in order to cache non-ECS poisonous replies. Successful exploitation could lead to DNS cache poisoning, redirecting legitimate traffic to attacker-controlled infrastructure.
Critical Impact
Attackers can poison DNS resolver caches via network-based attacks without authentication, potentially redirecting users to malicious servers for phishing, malware distribution, or man-in-the-middle attacks.
Affected Products
- Unbound DNS Resolver (compiled with --enable-subnet ECS support)
- Unbound configurations using send-client-subnet option
- Unbound configurations using client-subnet-zone or client-subnet-always-forward options
Discovery Timeline
- 2025-07-16 - CVE-2025-5994 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-5994
Vulnerability Analysis
This vulnerability targets the fundamental design of EDNS Client Subnet (ECS) implementations in DNS resolvers. When ECS is enabled, resolvers must maintain separate query states for different client subnets, effectively multiplying the number of outstanding queries. This increased query volume creates more opportunities for an attacker to guess the correct DNS transaction ID through statistical probability.
The "Rebirthday Attack" leverages the birthday paradox—a mathematical principle stating that in a set of randomly chosen values, the probability of collisions increases dramatically with volume. Traditional DNS cache poisoning defenses rely on the difficulty of guessing the 16-bit transaction ID within a narrow time window. However, with ECS-enabled resolvers handling segregated queries for multiple subnets, attackers gain additional injection opportunities per resolver query cycle.
The vulnerability is classified under CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data), as the resolver may accept poisoned responses that appear legitimate due to transaction ID matching.
Root Cause
The root cause lies in the architectural requirement for ECS-enabled resolvers to maintain separate outgoing query states for different client subnet information. This design decision, while necessary for ECS functionality, inadvertently increases the attack surface by:
- Creating multiple simultaneous pending queries with predictable transaction ID patterns
- Expanding the time window during which malicious responses can be injected
- Reducing the effective entropy of transaction ID matching through statistical probability exploitation
The vulnerability specifically manifests when resolvers are configured with send-client-subnet, client-subnet-zone, or client-subnet-always-forward options, which enable active ECS query forwarding to upstream nameservers.
Attack Vector
The attack operates over the network without requiring authentication or user interaction. An adversary positioned to send DNS responses to the target resolver can flood it with spoofed replies containing malicious DNS records. The attack sequence involves:
- Triggering multiple DNS queries from the vulnerable resolver for a target domain
- Exploiting ECS query segregation to increase the number of outstanding transactions
- Racing legitimate responses with crafted poisonous replies matching predicted transaction IDs
- Successfully injecting malicious cache entries when a transaction ID collision occurs
The network-based attack vector makes this vulnerability particularly concerning for public-facing DNS resolvers and recursive nameservers serving large user populations.
Detection Methods for CVE-2025-5994
Indicators of Compromise
- Unusual volume of DNS responses from unexpected source IP addresses
- DNS cache entries with unexpectedly short or manipulated TTL values
- Anomalous resolver response patterns for popular domains
- Evidence of DNS transaction ID collisions in resolver logs
- Users reporting redirects to suspicious domains for legitimate hostnames
Detection Strategies
- Monitor DNS resolver logs for high volumes of duplicate or near-simultaneous responses
- Implement DNSSEC validation to cryptographically verify response authenticity
- Deploy network intrusion detection rules for anomalous DNS response patterns
- Compare cached DNS records against known-good authoritative responses
- Analyze resolver query/response ratios for statistical anomalies
Monitoring Recommendations
- Enable verbose logging on Unbound resolvers to capture transaction ID patterns
- Configure alerting for cache entry changes on critical domain names
- Implement real-time monitoring of upstream DNS response sources
- Deploy DNS-specific security monitoring tools to detect poisoning attempts
- Establish baseline metrics for normal resolver behavior to identify deviations
How to Mitigate CVE-2025-5994
Immediate Actions Required
- Review Unbound configuration for ECS-related options (send-client-subnet, client-subnet-zone, client-subnet-always-forward)
- Disable ECS functionality if not operationally required by removing the configuration options
- Apply vendor patches as soon as they become available from NLnet Labs
- Enable DNSSEC validation to reject unsigned or incorrectly signed responses
- Consider implementing additional source port randomization if supported
Patch Information
Security patches and detailed mitigation guidance are available from the vendor. Refer to the NLnet Labs CVE-2025-5994 Advisory for official patch information. Debian-based systems should consult the Debian LTS Announcement for package updates.
Organizations running Unbound should upgrade to patched versions as specified in the vendor advisory. The patch addresses the query segregation logic to reduce birthday attack susceptibility while maintaining ECS functionality.
Workarounds
- Disable ECS support by removing --enable-subnet from compilation or disabling related runtime options
- Implement strict egress filtering to limit response sources to legitimate upstream resolvers
- Deploy DNSSEC validation to cryptographically verify response integrity
- Use DNS-over-HTTPS or DNS-over-TLS to encrypt resolver-to-upstream communications
- Consider network segmentation to limit attacker access to resolver infrastructure
# Unbound configuration to disable ECS forwarding (temporary workaround)
# Comment out or remove ECS-related options in unbound.conf
# Before (vulnerable configuration):
# send-client-subnet: 0.0.0.0/0
# client-subnet-zone: "example.com"
# client-subnet-always-forward: yes
# After (mitigated configuration):
# Ensure no ECS forwarding options are active
# Enable DNSSEC validation as additional protection
module-config: "validator iterator"
auto-trust-anchor-file: "/var/lib/unbound/root.key"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
