{"id":55362,"date":"2024-02-14T15:00:35","date_gmt":"2024-02-14T15:00:35","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35529\/Just-One-Bad-Packet-Can-Bring-Down-A-Vulnerable-DNS-Server-Thanks-To-DNSSEC.html"},"modified":"2024-02-14T15:00:35","modified_gmt":"2024-02-14T15:00:35","slug":"just-one-bad-packet-can-bring-down-a-vulnerable-dns-server-thanks-to-dnssec","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/just-one-bad-packet-can-bring-down-a-vulnerable-dns-server-thanks-to-dnssec\/","title":{"rendered":"Just One Bad Packet Can Bring Down A Vulnerable DNS Server Thanks To DNSSEC"},"content":{"rendered":"<p><span class=\"label\">Updated<\/span> A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.<\/p>\n<p>That would make it trivial to take down a DNSSEC-validating DNS resolver that has yet to be patched, upsetting all the clients relying on that service and making it seem as though websites and apps were offline.<\/p>\n<p>The academics who found this flaw \u2013 associated with the German National Research Center for Applied Cybersecurity (ATHENE) in Darmstadt \u2013 claimed DNS server software makers briefed about the vulnerability described it as &#8220;the worst attack on DNS ever discovered.&#8221;<\/p>\n<p>Identified by Professor Haya Schulmann and Niklas Vogel of the Goethe University Frankfurt; Elias Heftrig of Fraunhofer SIT; and Professor Michael Waidner at the Technical University of Darmstadt and Fraunhofer SIT, the security hole has been named <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.presseportal.de\/pm\/173495\/5713546\">KeyTrap<\/a>, designated <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/kb.isc.org\/docs\/cve-2023-50387\">CVE-2023-50387<\/a>, and assigned a CVSS severity rating of 7.5 out of 10.<\/p>\n<p>As of December 
2023, approximately 31 percent of web clients worldwide used DNSSEC-validating DNS resolvers and, like other applications relying on those systems, would feel the effects of a KeyTrap attack: With those DNS servers taken out by the flaw, clients relying on them would be unable to resolve domain and host names to IP addresses to use, resulting in a loss of connectivity.<\/p>\n<p>The researchers said lone DNS packets exploiting KeyTrap could stall public DNSSEC-validated DNS services, such as those provided by Google and Cloudflare, by making them do calculations that overtax server CPU cores.<\/p>\n<p>This disruption of DNS could not only deny people&#8217;s access to content but could also interfere with other systems, including spam defenses, cryptographic defenses (PKI), and inter-domain routing security (RPKI), the researchers assert.<\/p>\n<p>&#8220;Exploitation of this attack would have severe consequences for any application using the Internet including unavailability of technologies such as web-browsing, e-mail, and instant messaging,&#8221; they claimed. 
&#8220;With KeyTrap, an attacker could completely disable large parts of the worldwide internet.&#8221;<\/p>\n<p>A non-public technical paper on the vulnerability provided to <em>The Register<\/em>, titled, &#8220;The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNS,&#8221; describes how an assault would be carried out. It basically involves asking a vulnerable DNSSEC-validating DNS resolver to look up an address that causes the server to contact a malicious nameserver that sends a reply that causes the resolver to consume most or all of its own CPU resources.<\/p>\n<blockquote class=\"pullquote\" readability=\"6\">\n<p>With KeyTrap, an attacker could completely disable large parts of the worldwide Internet<\/p>\n<\/blockquote>\n<p>&#8220;To initiate the attacks our adversary causes the victim resolver to look up a record in its malicious domain,&#8221; the due-to-be-published paper states. 
&#8220;The attacker\u2019s nameserver responds to the DNS queries with a malicious record set (RRset), according to the specific attack vector and zone configuration.&#8221;<\/p>\n<p>The attack works, the paper explains, because <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/datatracker.ietf.org\/doc\/rfc2535\/\">the DNSSEC spec<\/a> follows <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.cs.tufts.edu\/comp\/117\/assts\/postel\">Postel\u2019s Law<\/a>: &#8220;The nameservers should send all the available cryptographic material, and the resolvers should use any of the cryptographic material they receive until the validation is successful.&#8221;<\/p>\n<p>This requirement, to ensure availability, means DNSSEC-validating DNS resolvers can be forced to do a lot of work if presented with colliding key-tags and colliding keys that must be validated.<\/p>\n<p>&#8220;Our complexity attacks are triggered by feeding the DNS resolvers with specially crafted DNSSEC records, which are constructed in a way that exploits validation vulnerabilities in cryptographic validation logic,&#8221; the paper explains.<\/p>\n<p>&#8220;When the DNS resolvers attempt to validate the DNSSEC records they receive from our nameserver, they get stalled. Our attacks are extremely stealthy, being able to stall resolvers between 170 seconds and 16 hours (depending on the resolver software) with a single DNS response packet.&#8221;<\/p>\n<p>The ATHENE boffins said they worked with all relevant vendors and major public DNS providers to privately disclose the vulnerability so a coordinated patch release would be possible. The last patch was finished today.<\/p>\n<p>&#8220;We are aware of this vulnerability and rolled out a fix in coordination with the reporting researchers,&#8221; a Google spokesperson told <em>The Register<\/em>. &#8220;There is no evidence of exploitation and no action required by users at this time.&#8221;<\/p>\n<p>Network research lab NLnet Labs published <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/nlnetlabs.nl\/downloads\/unbound\/patch_CVE-2023-50387_CVE-2023-50868.diff\">a patch<\/a> for its Unbound DNS software, addressing two vulnerabilities, one of which is KeyTrap. The other bug fixed, <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/nlnetlabs.nl\/downloads\/unbound\/CVE-2023-50387_CVE-2023-50868.txt\">CVE-2023-50868<\/a>, referred to as the NSEC3 vulnerability, also allows denial of service through CPU exhaustion.<\/p>\n<p>&#8220;The KeyTrap vulnerability works by using a combination of keys (also colliding keys), signatures and number of RRSETs on a malicious zone,&#8221; NLnet Labs <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/nlnetlabs.nl\/news\/2024\/Feb\/13\/unbound-1.19.1-released\/\">wrote<\/a>. 
&#8220;Answers from that zone can force a DNSSEC validator down a very CPU intensive and time costly validation path.&#8221;<\/p>\n<p>PowerDNS, meanwhile, has an update <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/doc.powerdns.com\/recursor\/security-advisories\/powerdns-advisory-2024-01.html\">here<\/a> to thwart KeyTrap exploitation.<\/p>\n<p>&#8220;An attacker can publish a zone that contains crafted DNSSEC related records. While validating results from queries to that zone using the RFC mandated algorithms, the Recursor\u2019s resource usage can become so high that processing of other queries is impacted, resulting in a denial of service,&#8221; the team wrote. &#8220;Note that any resolver following the RFCs can be impacted, this is not a problem of this particular implementation.&#8221;<\/p>\n<p>CVE-2023-50387 is just <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/seclists.org\/oss-sec\/2024\/q1\/125\">one of six<\/a> vulnerabilities addressed in Internet Systems Consortium&#8217;s BIND 9 DNS software. 
The others include:<\/p>\n<ul>\n<li><a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/kb.isc.org\/docs\/cve-2023-4408\">CVE-2023-4408<\/a>: Parsing large DNS messages may cause excessive CPU load;<\/li>\n<li><a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/kb.isc.org\/docs\/cve-2023-5517\">CVE-2023-5517<\/a>: Querying RFC 1918 reverse zones may cause an assertion failure when &#8220;nxdomain-redirect&#8221; is enabled;<\/li>\n<li><a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/kb.isc.org\/docs\/cve-2023-5679\">CVE-2023-5679<\/a>: Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution;<\/li>\n<li><a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/kb.isc.org\/docs\/cve-2023-6516\">CVE-2023-6516<\/a>: Specific recursive query patterns may lead to an out-of-memory condition;<\/li>\n<li><a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/kb.isc.org\/docs\/cve-2023-50868\">CVE-2023-50868<\/a>: Preparing an NSEC3 closest encloser proof can exhaust CPU resources.<\/li>\n<\/ul>\n<p>The requirements for the KeyTrap vulnerability date all the way back to 1999 from the now obsolete RFC 2535, according to the research team that identified it. And by 2012, these elements appeared in <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/datatracker.ietf.org\/doc\/rfc6781\/\">RFC 6781<\/a> and <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/datatracker.ietf.org\/doc\/rfc6840\/\">RFC 6840<\/a>, the implementation requirements for DNSSEC validation.<\/p>\n<blockquote class=\"pullquote\" readability=\"5\">\n<p>One packet suffices. 
You don&#8217;t have to do more than that to disconnect an entire network<\/p>\n<\/blockquote>\n<p>Since at least August 2000 \u2013 more than 23 years ago \u2013 KeyTrap has been present in the BIND 9 DNS resolver, and it surfaced seven years later in the Unbound DNS resolver.<\/p>\n<p>Dr Haya Shulman, a professor of computer science and one of the academics behind the KeyTrap research, told <em>The Register<\/em> in a phone interview the attack is simple and can be carried out by encoding it in a <a href=\"https:\/\/dnsinstitute.com\/documentation\/dnssec-guide\/ch04s02.html#signing-verify-zone-file\">zone file<\/a>.<\/p>\n<p>&#8220;The vulnerability is actually something that&#8217;s recommended in the DNSSEC standard,&#8221; Prof Shulman explained. &#8220;One packet suffices. You don&#8217;t have to do more than that to disconnect an entire network.&#8221;<\/p>\n<p>Prof Shulman said the patches that have been issued by various vendors break the standard. &#8220;The problem is this attack is not easy to solve,&#8221; she said. &#8220;If we launch it against a patched resolver, we still get 100 percent CPU usage but it can still respond.&#8221;<\/p>\n<p>The ATHENE team observed that while the flaw remained undetected for decades, its obscurity isn&#8217;t surprising because DNSSEC validation requirements are so complicated. So too is mitigating the vulnerability, and completely eliminating it will require a revision of the DNSSEC standard. 
<\/p>\n<h3 class=\"crosshead\">Updated to add on February 16<\/h3>\n<p>You can now download the <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.athene-center.de\/fileadmin\/content\/PDF\/Technical_Report_KeyTrap.pdf\">technical paper here<\/a> as a PDF.<\/p>\n<p>Also, Akamai exec Sven Dummer thanked the research team for not only discovering the flaw but also working with DNS providers and software makers to coordinate the patching and redeployment of systems to avoid mass exploitation.<\/p>\n<p>&#8220;You might not know it, but the global internet dodged a bullet: KeyTrap is a vulnerability in key infrastructure that is needed for the internet to function \u2014 and one of the worst ever discovered,&#8221; he <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/posts\/svenhdummer_cve-2023-50387-and-cve-2023-50868-dns-exploit-activity-7164147641054949377-4qwQ\/\">opined<\/a>.<\/p>\n<p>&#8220;With KeyTrap, an attacker could completely disable large parts of the worldwide internet.&#8221;<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35529\/Just-One-Bad-Packet-Can-Bring-Down-A-Vulnerable-DNS-Server-Thanks-To-DNSSEC.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[10859],"class_list":["post-55362","post","type-post","status-publish","format-standard","hentry","category-packet-storm","tag-headlinednsdenial-of-serviceflaw"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55362","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=55362"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/55362\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=55362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=55362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=55362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}