Column

The return of cache poisoning and what it says about our internet risk tolerance

The internet just received a reminder from its past. BIND and Unbound, two of the most widely deployed DNS resolvers on the planet, disclosed cache poisoning flaws that echo the 2008 Kaminsky crisis. The new bugs are not a doomsday rerun. They are still serious. They show how easily entropy budgets can erode, how quickly old assumptions resurface, and how fragile trust becomes when an attacker can rewrite what a name means.

Two BIND vulnerabilities, CVE-2025-40778 and CVE-2025-40780, both carrying a CVSS score of 8.6, and a related Unbound issue scored at 5.6, create windows in which forged DNS answers can slip into resolver caches. One of the BIND issues weakens the randomness that protects source ports and query IDs. The other relaxes the rules for which records in a response are accepted into the cache. The result is a classic outcome. A resolver quietly stores the wrong address for a domain. Users are sent to a lookalike destination. The page loads. The padlock shines. The trap is already sprung.

How we got here, again

After 2008, the industry made cache poisoning much harder. Resolvers added source port randomisation to the existing 16 bit transaction ID. That took the search space from roughly sixty five thousand guesses to billions, because a forged reply now has to match both the ID and the port. Attackers needed to hit the right query ID and the right source port, at the right moment, from the right place on the network. That was the point. Raise entropy. Add timing pressure. Push the exploit into theory.

One of the new BIND flaws trims that entropy. If the pseudo random number generator behind port and ID selection becomes predictable under specific conditions, an adversary can narrow down which source port and which query ID the next query will use, and the effective search space shrinks accordingly. The second flaw concerns acceptance rules: a response carries answer, authority and additional sections, and a resolver that caches records the responding server had no business speaking for lets forged data ride along with an otherwise acceptable answer. Neither problem hands an attacker a free pass. Both move the odds in the wrong direction.
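The two ingredients just described, side by side, as an added example: this is not code from the column, from BIND or from Unbound, and it does not reproduce either CVE. It shows a generic in-bailiwick filter of the kind resolvers have applied since 2008 next to a lenient one that caches whatever arrives, plus the arithmetic behind "sixty five thousand guesses to billions". The zone, names, addresses and attack parameters are constructed for illustration.

```python
"""Bailiwick filtering of a DNS response, and the odds behind entropy budgets.

Added example: not code from the column, BIND or Unbound, and not a reproduction
of the CVEs.  Zone, names, addresses and attack parameters are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    owner: str      # owner name, e.g. "www.example.com."
    rtype: str      # "A", "AAAA", "NS", ...
    rdata: str
    section: str    # "answer", "authority" or "additional"


def in_bailiwick(name, zone):
    """True if name is zone itself or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def lenient_cache(response, zone):
    """Failure mode: cache every record that arrives, wherever it points."""
    return list(response)


def strict_cache(response, zone):
    """Keep only records the queried server is allowed to speak for.

    Everything must be inside `zone`; additional-section address records are
    accepted only as glue for nameservers named by in-bailiwick NS records in
    the same response.  Anything else is unsolicited and dropped.
    """
    ns_targets = {rr.rdata.lower() for rr in response
                  if rr.section == "authority" and rr.rtype == "NS"
                  and in_bailiwick(rr.owner, zone)}
    kept = []
    for rr in response:
        if not in_bailiwick(rr.owner, zone):
            continue                                   # out of bailiwick
        if rr.section == "additional":
            if rr.rtype not in ("A", "AAAA") or rr.owner.lower() not in ns_targets:
                continue                               # unsolicited glue
        kept.append(rr)
    return kept


def poison_probability(entropy_bits, forged_per_window, windows):
    """Chance of at least one forged reply matching across `windows` attempts.

    Each attempt opens a window between the query leaving and the genuine reply
    arriving; the attacker lands `forged_per_window` guesses at a space of
    2**entropy_bits (ID, port) pairs during it.
    """
    per_window = min(1.0, forged_per_window / 2 ** entropy_bits)
    return 1 - (1 - per_window) ** windows


# Constructed forged response to "www.example.com. A", as if sent by a server
# authoritative for example.com.  The attacker smuggles in a delegation for a
# different zone and an address record that nothing in the response asked for.
FORGED = [
    RR("www.example.com.", "A", "198.51.100.10", "answer"),
    RR("example.com.", "NS", "ns1.example.com.", "authority"),
    RR("bank.example.net.", "NS", "ns1.example.com.", "authority"),   # out of bailiwick
    RR("ns1.example.com.", "A", "203.0.113.5", "additional"),        # legitimate glue
    RR("ns2.example.com.", "A", "203.0.113.7", "additional"),        # no NS names it
    RR("www.bank.example.net.", "A", "203.0.113.66", "additional"),  # out of bailiwick
]

if __name__ == "__main__":
    print(len(lenient_cache(FORGED, "example.com.")), "records cached by the lenient rule")
    print(len(strict_cache(FORGED, "example.com.")), "records cached by the strict rule")
    # 16 bits (transaction ID only) versus 32 bits (ID plus randomised source
    # port), 200 forged packets per window, 10,000 windows.
    for bits in (16, 32):
        print(bits, "bits:", round(poison_probability(bits, 200, 10_000), 4))
```

The lenient rule caches all six records, including a delegation for bank.example.net that example.com's servers have no authority over; the strict rule keeps three. The probability function is what an entropy budget means in practice: at 16 bits the same attack traffic is all but certain to land, at 32 bits it is a rounding error, and a predictable generator moves the resolver from the second column back towards the first.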

Why this matters beyond CVE numbers

DNS is the internet’s phone book, but it is also its trust fabric. Your browser starts with a name. Your bank app starts with a name. Your update service starts with a name. If a resolver hands back a hostile address, the rest of the stack is forced to make sense of a lie. TLS limits what a wrong address can achieve, but attackers are adept at blunting that backstop with compromised certificates, misconfigurations, shadow domains and well timed phishing flows, and a certificate authority whose domain validation lookups pass through a poisoned resolver can be led into issuing a perfectly valid certificate for the target name. In corporate networks, a poisoned entry can route traffic through proxies that strip or inspect encryption. The harm cascades quietly.

There is also a governance lesson. We rely on a small number of resolver engines, operated at internet scale, embedded in carriers, clouds, and enterprise cores. When design mistakes or implementation shortcuts creep in, the blast radius is measured in countries, not in racks. That concentration makes patching discipline and secure defaults more than housekeeping. It makes them public safety.

The good news, and its limits

This is not 2008. Authoritative servers are not broken. Source validation, rate limiting, and firewall rules still add friction for attackers. DNSSEC is widely available, and when zones are signed and resolvers validate signatures, a forged answer fails validation and is rejected. Red Hat’s assessment is sober. Exploitation is non trivial. It requires spoofing at the network level and precise timing. It corrupts cache entries; it does not hand over the server. Important, not critical.

All true. Also incomplete. Many organisations do not validate DNSSEC on their recursive resolvers. Many zones are unsigned, or partially signed, or signed but misconfigured. Many networks still allow spoofed packets to move inside their own borders. Many enterprises depend on older appliances that are not patched promptly, or at all. The difference between Important and Critical is a function of how the real world behaves, not how a lab behaves.

What to do now, and what to change for good

Patch first. Then treat this as a hygiene exam.

  • Update resolvers. Apply the vendor fixes for BIND and Unbound as soon as possible. If your provider runs your recursive layer, confirm they have patched. If you use a third party resolver, verify that DNSSEC validation and rate limiting are enabled.

  • Turn on DNSSEC validation. Validation should be the default on enterprise resolvers. Test it. Monitor for validation failures that indicate upstream misconfigurations. Help your partners fix their zones rather than turning validation off.

  • Raise the bar on entropy. Confirm that source port randomisation is enabled and that the resolver is allowed to draw from the full high port range. Review any network address translation or load balancer in the outbound path: a device that rewrites source ports sequentially or from a small pool throws away the randomness the resolver produced. Test from the outside with a port randomness check rather than trusting the configuration file. Entropy lost in the middle is still lost.

  • Clamp down on spoofing. Enforce anti spoofing controls at your borders and between internal segments. BCP 38 and uRPF are not glamorous. They are effective. Cache poisoning relies on forged traffic arriving at the right moment. Do not carry that traffic for an adversary.

  • Segment and tier DNS. Use separate resolvers for production applications, for endpoints, and for development networks. Limit who can query what. Limit who can push configuration changes. Log every change.

  • Instrument for integrity. Monitor resolver caches for sudden shifts in high value domains. Compare cached answers with trusted out of band lookups, ideally validated ones made from a different network vantage point. Alert on anomalies in negative caching, on unusually long TTLs, on delegation changes, and on address records that exist only as glue for a nameserver nobody expected.

  • Harden the path after DNS. Enforce certificate pinning where it makes sense. Use DNS over TLS or DNS over HTTPS between clients and the resolver to reduce on path tampering, remembering that they protect that hop only: the resolver’s own upstream lookups, which is where these flaws live, still travel as plain UDP unless validation catches the forgery. Require hardware backed authentication for access to admin portals and payment systems. A poisoned lookup should still hit a wall.

  • Rehearse incident response. If a resolver cache is poisoned, know how to flush, how to fail over, and how to communicate. Prepare a playbook that includes customer facing steps. Practice with real names, real tools, and real time limits.
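One way to make cache integrity visible, as an added example that is not part of the column and not tooling from BIND or Unbound: an audit that reads a dump of cached records and compares it with a trusted out of band view of the names you care about. The dump format (owner, TTL, class, type, rdata, one record per line), the names, the addresses and the TTL threshold are all constructed for illustration; a real deployment would feed it the output of whatever cache dump facility the resolver provides.

```python
"""Cache-integrity audit over a resolver cache dump.

Added example, not code from the column, BIND or Unbound.  The dump format,
names, addresses and thresholds below are constructed for illustration.
"""
from collections import defaultdict

# Constructed cache dump: owner ttl class type rdata, one record per line.
CACHE_DUMP = """\
www.bank.example.      300     IN  A   198.51.100.20
www.bank.example.      300     IN  A   203.0.113.99
login.bank.example.    604800  IN  A   198.51.100.21
updates.example.net.   300     IN  A   198.51.100.30
bank.example.          86400   IN  NS  ns1.bank.example.
bank.example.          86400   IN  NS  ns9.bank.example.
ns1.bank.example.      86400   IN  A   198.51.100.2
ns9.bank.example.      86400   IN  A   203.0.113.7
"""

# Constructed trusted view of the high value names being watched, e.g. from a
# validating lookup made out of band from a different vantage point.
TRUSTED_ADDRESSES = {
    "www.bank.example.": {"198.51.100.20"},
    "login.bank.example.": {"198.51.100.21"},
    "updates.example.net.": {"198.51.100.30"},
}
TRUSTED_NAMESERVERS = {"bank.example.": {"ns1.bank.example."}}
MAX_TTL = 86400  # anything cached for longer than a day deserves a look


def parse_dump(text):
    """Parse dump lines into (owner, ttl, rtype, rdata) tuples; skip comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        owner = owner.lower()
        if not owner.endswith("."):
            owner += "."
        records.append((owner, int(ttl), rtype.upper(), " ".join(rdata).lower()))
    return records


def audit(records, trusted_addr=TRUSTED_ADDRESSES,
          trusted_ns=TRUSTED_NAMESERVERS, max_ttl=MAX_TTL):
    """Return (owner, reason) findings; an empty list means cache and trusted view agree."""
    findings = []
    cached_ns = defaultdict(set)
    for owner, ttl, rtype, rdata in records:
        if ttl > max_ttl:
            findings.append((owner, f"ttl {ttl} exceeds {max_ttl}"))
        if rtype == "NS":
            cached_ns[owner].add(rdata)
        elif rtype in ("A", "AAAA") and owner in trusted_addr \
                and rdata not in trusted_addr[owner]:
            findings.append((owner, f"unexpected address {rdata}"))

    # Delegation drift: NS names the trusted view does not know about, and any
    # address record that exists only to serve such a nameserver (unexpected glue).
    unexpected_ns = set()
    for zone, names in cached_ns.items():
        for ns in sorted(names - trusted_ns.get(zone, names)):
            findings.append((zone, f"unexpected NS {ns}"))
            unexpected_ns.add(ns)
    for owner, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA") and owner in unexpected_ns:
            findings.append((owner, f"glue {rdata} for unexpected nameserver"))
    return findings


if __name__ == "__main__":
    for owner, reason in audit(parse_dump(CACHE_DUMP)):
        print(f"ALERT {owner} {reason}")
```

On the constructed dump this raises four alerts: a second, unknown address for www.bank.example, a week long TTL on login.bank.example, a nameserver for bank.example that the trusted view never listed, and the glue record that only exists to give that nameserver an address. Zones the trusted view says nothing about are left alone, so the audit can be pointed at a handful of high value names without drowning in noise.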

A cultural point: entropy fatigue is real

Security work accumulates exceptions over time. A temporary relaxation becomes a permanent setting. A performance tweak becomes a risk that nobody remembers. A patch window slips, then slips again. Entropy fatigue is the creeping sense that billions of combinations are enough, that nobody will be patient or precise enough to beat the math. The new BIND flaws are a reminder that math can be bent by implementation, and that attackers are patient when the payoff is a gate that guards everything.

We do not need panic. We need posture. Patch the resolvers. Validate DNSSEC. Remove spoofed traffic. Make cache integrity visible and measurable. Then keep the pressure on, because the adversary’s business model depends on us getting bored.

The larger lesson

The internet’s security is a chain of small bets. Random enough numbers. Strict enough parsers. Tight enough defaults. Patches applied before a window opens too wide. When any of those bets waver, the outcomes look like this week’s advisories. Not catastrophic. Not clean. A reminder that resilience is a habit, not a press release.

Cache poisoning never really left. It was boxed in by better randomness, by better rules, and by better habits. It will stay boxed in if we keep those habits fresh.
