1. Understanding the Vulnerability

CVE-2025-40778 is a logic flaw in BIND 9’s resolver component, which improperly accepts and caches resource records that were not part of the original DNS query. Under normal circumstances, a recursive resolver queries authoritative nameservers and expects responses whose answer, authority, and additional sections contain only records pertinent to the query.

However, affected versions of BIND 9 fail to enforce strict bailiwick checking, a security measure that confines records to the authority zone of the queried domain. This oversight allows attackers to inject fraudulent address records (such as A or AAAA records) that redirect users to attacker-controlled infrastructure.
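The bailiwick rule described above can be sketched as a filter that a resolver applies before caching. This is an added illustration, not BIND 9's code; the `RR` type, the function names and the sample response (documentation domains and address ranges) are constructed for the example.

```python
from typing import NamedTuple

class RR(NamedTuple):
    section: str  # "answer", "authority" or "additional"
    name: str     # owner name of the record
    rtype: str
    rdata: str

def labels(name: str) -> list:
    """Lower-cased labels of a DNS name, root first; a trailing dot is ignored."""
    name = name.rstrip(".").lower()
    return name.split(".")[::-1] if name else []

def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or a subdomain of it.

    The comparison is label by label. A plain string suffix test would
    wrongly accept 'www.notexample.com' for the zone 'example.com'.
    """
    z, o = labels(zone), labels(owner)
    return o[:len(z)] == z

def filter_response(zone: str, records: list) -> tuple:
    """Split a response into (cacheable, rejected) by owner-name bailiwick."""
    cacheable, rejected = [], []
    for rr in records:
        (cacheable if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return cacheable, rejected

# Constructed response to a query for www.example.com A, sent to a server
# that the resolver contacted as authoritative for example.com.
SAMPLE = [
    RR("answer", "WWW.Example.COM.", "A", "192.0.2.10"),
    RR("authority", "example.com.", "NS", "ns1.example.com."),
    RR("additional", "ns1.example.com.", "A", "192.0.2.53"),
    RR("additional", "login.example.net.", "A", "203.0.113.7"),   # other zone
    RR("additional", "www.notexample.com.", "A", "203.0.113.8"),  # suffix trap
]

if __name__ == "__main__":
    keep, drop = filter_response("example.com", SAMPLE)
    for rr in keep:
        print("cache ", rr.section, rr.name, rr.rtype, rr.rdata)
    for rr in drop:
        print("reject", rr.section, rr.name, rr.rtype, rr.rdata)
```

A production resolver applies further checks beyond owner-name bailiwick, such as matching the answer section to the question; the sketch isolates only the rule named above.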



MoinQ: CVE/CVE-2025-40778: Cache poisoning attacks with unsolicited RRs/Cybersecurity News (last edited 2025-10-29 01:05:13 by ToshinoriMaeno)