Executive Summary
CVE-2026-42960 is a maximum-severity (CVSS 10.0) vulnerability in NLnet Labs Unbound that enables DNS cache poisoning through the injection of promiscuous records into the authority section of DNS replies. An adversary positioned to provide crafted DNS responses — through a malicious nameserver or a network-level interception — can trick Unbound into caching forged records, causing all downstream clients to resolve domain names to attacker-controlled addresses.
This vulnerability affects all versions of Unbound up to and including 1.25.0 and requires immediate patching.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-42960 |
| CVSS Score | 10.0 (Critical) |
| Type | DNS Cache Poisoning |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Affected Versions | Unbound all versions ≤ 1.25.0 |
| Patch Available | Yes — upgrade to Unbound 1.25.1 or later |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| NLnet Labs Unbound | All versions up to and including 1.25.0 | Upgrade to 1.25.1+ |
Technical Analysis
Root Cause
DNS responses can include an authority section alongside the answer section. The authority section is intended to provide referral information (e.g., pointing to more authoritative nameservers). Unbound versions through 1.25.0 fail to adequately validate whether records appearing in the authority section are in-bailiwick — i.e., legitimately within the zone the queried nameserver is authoritative for.
An attacker can include promiscuous RRsets (resource record sets for names outside the responding server's zone) in the authority section of a crafted reply. Instead of discarding them, Unbound caches them alongside the legitimate answer, so the cache now holds attacker-supplied mappings for names the responding server had no authority over.
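The bailiwick check the root cause describes, as an added example that is not Unbound's code: a reply is modelled as plain Python records rather than DNS wire format, and the scrub keeps an authority- or additional-section record only if its owner name is at or below the zone the queried server is authoritative for. The names `in_bailiwick`, `scrub_reply` and the `RR` tuple, and the constructed reply (target.com, bank.com, evil-target.com, the 203.0.113.x and 198.51.100.x addresses) are illustrative. It goes slightly beyond the text by also showing the label-boundary pitfall a naive suffix test has.

```python
"""Bailiwick filtering of a DNS reply's authority and additional sections.

Illustrative example, not Unbound's implementation. A reply is modelled as
Python records rather than wire format. The rule demonstrated is the classic
one: an RRset in the authority or additional section is kept only if its
owner name is at or below the zone the queried server is authoritative for.
"""
from collections import namedtuple

# owner name, record type, rdata as presentation text (illustrative model)
RR = namedtuple("RR", "name rtype rdata")


def labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot.
    The root zone "." yields [] and therefore matches every name."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]


def in_bailiwick(name, zone):
    """True if `name` is at or below `zone`, compared label by label.

    A plain suffix test ("evil-target.com".endswith("target.com")) is wrong:
    label boundaries must line up, which the slice comparison enforces.
    """
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and (not z or n[-len(z):] == z)


def scrub_reply(zone, answer, authority, additional):
    """Return (kept, dropped): the reply with out-of-bailiwick records removed
    from the authority and additional sections. The answer section is passed
    through here; a resolver also checks it against the question name."""
    kept = {"answer": list(answer), "authority": [], "additional": []}
    dropped = []
    for section, rrs in (("authority", authority), ("additional", additional)):
        for rr in rrs:
            (kept[section] if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped


# Constructed reply: the queried server is authoritative for target.com, the
# answer is legitimate, but the authority section smuggles in a bank.com
# record (as in the attack flow) plus a look-alike NS record with glue.
ZONE = "target.com."
ANSWER = [RR("target.com.", "A", "203.0.113.10")]
AUTHORITY = [
    RR("target.com.", "NS", "ns1.target.com."),
    RR("bank.com.", "A", "198.51.100.99"),                 # promiscuous, out of zone
    RR("evil-target.com.", "NS", "ns.evil-target.com."),   # fails the label check
]
ADDITIONAL = [
    RR("ns1.target.com.", "A", "203.0.113.53"),            # legitimate glue
    RR("ns.evil-target.com.", "A", "198.51.100.53"),       # out of zone
]

if __name__ == "__main__":
    kept, dropped = scrub_reply(ZONE, ANSWER, AUTHORITY, ADDITIONAL)
    for rr in dropped:
        print("dropped out-of-bailiwick:", rr)
    print("cached:", kept)
```

Running it drops the bank.com A record and both evil-target.com records while keeping the target.com NS record and its glue; that is the filtering step the vulnerable versions are described as skipping for the authority section.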
Attack Flow
1. A client queries Unbound for "target.com" (a legitimate domain)
2. The attacker's (or a compromised) nameserver responds with the legitimate answer
3. The reply also carries an authority section with crafted, out-of-zone records,
   e.g. "bank.com. IN A 198.51.100.99" (an attacker-controlled address)
4. Unbound accepts and caches the authority-section records without checking that they are in-bailiwick
5. Every subsequent query for "bank.com" from any client of this resolver now resolves to 198.51.100.99
6. The attacker serves a certificate the victim's clients trust, or strips TLS where HSTS does not prevent it, and harvests credentials
Why This Is Dangerous
DNS cache poisoning at the resolver level is particularly severe because:
- Affects all downstream clients — every host using the poisoned resolver gets the forged answer
- Persistent — cached records survive until TTL expiry (hours to days)
- Not stopped by DNSSEC for unsigned zones: validation only protects signed names, so a forged record for an unsigned zone is cached regardless of validator settings
- Enables MITM at scale — a single compromised resolver can affect entire enterprise networks or ISP subscribers
- Chained exploits — poisoned DNS enables credential theft, session hijacking, OAuth token capture, and malware delivery
Impact Assessment
| Impact Area | Description |
|---|---|
| DNS Hijacking | Any domain can be redirected to attacker infrastructure |
| Credential Theft | Forged logins for banking, SSO, email, and SaaS services |
| Malware Delivery | Software update servers redirected to serve malicious binaries |
| TLS Circumvention | DNS redirection alone does not defeat TLS; the attacker also needs a certificate the client trusts, or a downgrade to plain HTTP where HSTS is absent |
| Enterprise-wide Impact | All hosts using the resolver are affected simultaneously |
| ISP-scale Exposure | ISP-deployed Unbound instances expose millions of subscribers |
Immediate Remediation
Step 1: Upgrade Unbound Immediately
# Check current version
unbound -V
# Debian / Ubuntu
sudo apt update && sudo apt install unbound
# RHEL / CentOS / AlmaLinux / Rocky
sudo dnf update unbound
# Alpine Linux (common in containers)
apk upgrade unbound
# Verify upgraded version
unbound -V | grep "Version"
# Should show 1.25.1 or later
Step 2: Flush the Cache After Upgrade
Poisoned records may already be in the cache and would otherwise survive the upgrade until their TTL expires. Flush after upgrading (unbound-control needs remote control enabled in unbound.conf; a restart also empties the cache):
# Flush entire Unbound cache
unbound-control flush_zone .
# Or flush specific poisoned zones if known
unbound-control flush_zone bank.com
unbound-control flush_zone example.com
Step 3: Enable DNSSEC Validation
DNSSEC-signed zones are protected from this poisoning when validation is enforced, because injected records carry no valid signatures. Validation requires the validator module in module-config (the packaged default is "validator iterator") and a trust anchor file that Unbound can update:
# /etc/unbound/unbound.conf
server:
    # Reject bogus answers instead of returning them (this is the default; make sure nothing overrides it)
    val-permissive-mode: no
    # Path varies by distribution; the file must be writable by the unbound user for automatic anchor updates
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
Step 4: Enable Hardening Directives
The following server options make Unbound stricter about which parts of an upstream reply it trusts and caches. harden-glue and harden-dnssec-stripped are already on by default in current releases; set them explicitly so a distribution or local override cannot disable them:
server:
    harden-glue: yes              # trust glue only when it is within the server's authority
    harden-dnssec-stripped: yes   # require DNSSEC data for zones under a trust anchor
    harden-below-nxdomain: yes    # treat names under a proven NXDOMAIN as nonexistent (RFC 8020)
    harden-referral-path: yes     # re-query infrastructure records instead of trusting referrals; experimental and adds query load
    use-caps-for-id: yes          # 0x20 encoding adds entropy against poisoning
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected resolution results for well-known domains | Cache may be poisoned |
| DNS responses arriving from unexpected source IPs | Potential MITM or spoofed responses |
| Elevated SERVFAIL counts | With validation enforced, injected unsigned data for signed zones fails validation and surfaces as SERVFAIL; a spike is worth correlating with the other indicators |
| Client TLS certificate warnings for major services | Forged certs combined with DNS redirect |
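The first indicator above (unexpected resolutions for well-known domains) applied to a cache dump, as an added detection example that is not part of Unbound or this advisory. It reads the RRset-cache portion of `unbound-control dump_cache` output, skips the `;rrset` metadata lines, and flags A/AAAA records for watched names whose address lies outside the networks the operator expects. The `EXPECTED` table, the sample dump (bank.com, login.sso.example, target.com and their addresses) and the function names are constructed for the example.

```python
"""Flag cached A/AAAA records of watched domains that point outside the
addresses the operator expects.

Added detection example, not Unbound code. Input is the text produced by
`unbound-control dump_cache`: between START_RRSET_CACHE and END_RRSET_CACHE,
lines starting with ';rrset' carry cache metadata and are skipped; the lines
that follow each of them are ordinary presentation-format resource records.
The expected-address table and the sample dump below are constructed.
"""
import ipaddress
import sys

# Constructed: networks the operator knows the watched names resolve to.
EXPECTED = {
    "bank.com.": ["192.0.2.0/24"],
    "login.sso.example.": ["203.0.113.0/24", "2001:db8:1::/48"],
}

# Constructed, abbreviated cache dump after the injection in the attack flow:
# bank.com now maps to 198.51.100.99, everything else is as expected.
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 3600 1 0 8 0
target.com.\t3600\tIN\tA\t203.0.113.10
;rrset 86400 1 0 1 0
bank.com.\t86400\tIN\tA\t198.51.100.99
;rrset 300 2 0 8 0
login.sso.example.\t300\tIN\tA\t203.0.113.20
login.sso.example.\t300\tIN\tAAAA\t2001:db8:1::20
;rrset 300 1 0 8 0
www.bank.com.\t300\tIN\tA\t192.0.2.80
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
"""


def parse_rrset_cache(text):
    """Yield (name, ttl, rtype, rdata) for every RR line in the RRset cache."""
    in_rrsets = False
    for line in text.splitlines():
        if line == "START_RRSET_CACHE":
            in_rrsets = True
            continue
        if line == "END_RRSET_CACHE":
            break
        if not in_rrsets or not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        yield parts[0].lower(), int(parts[1]), parts[3], " ".join(parts[4:])


def watched_zone(name):
    """Return the EXPECTED key that `name` is at or below, comparing whole
    labels so that evilbank.com does not match bank.com; None if unwatched."""
    n = name.rstrip(".").split(".")
    for zone in EXPECTED:
        z = zone.rstrip(".").split(".")
        if len(n) >= len(z) and n[-len(z):] == z:
            return zone
    return None


def find_suspicious(dump_text):
    """Return (name, rtype, rdata, ttl) for cached A/AAAA records of watched
    names whose address is outside every expected network."""
    hits = []
    for name, ttl, rtype, rdata in parse_rrset_cache(dump_text):
        if rtype not in ("A", "AAAA"):
            continue
        zone = watched_zone(name)
        if zone is None:
            continue
        addr = ipaddress.ip_address(rdata)
        # ip_network containment is False across address families, so mixed
        # v4/v6 expectations for one name are handled without special-casing.
        if not any(addr in ipaddress.ip_network(net) for net in EXPECTED[zone]):
            hits.append((name, rtype, rdata, ttl))
    return hits


if __name__ == "__main__":
    # `python3 cache_watch.py -` reads a real dump from stdin; otherwise the sample is used.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DUMP
    for name, rtype, rdata, ttl in find_suspicious(text):
        print(f"SUSPECT {name} {rtype} {rdata} ({ttl}s of TTL remaining)")
```

Against the sample it reports only the bank.com record; www.bank.com and the login.sso.example records fall inside their expected networks. In practice, feed it with `unbound-control dump_cache | python3 cache_watch.py -` (the file name is an assumption) and keep the expected-network table in sync with your own change records, since the check is only as good as that table.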
# Query Unbound's cache for suspicious records
unbound-control dump_cache | grep -E "(bank|auth|login|sso)\." | head -20
# Check what Unbound currently resolves for critical domains
dig @127.0.0.1 github.com +short
dig @127.0.0.1 login.microsoftonline.com +short
# Compare against an independent resolver (8.8.8.8 is a public recursive resolver, not the authoritative source)
dig @8.8.8.8 github.com +short
Post-Remediation Checklist
- Upgrade all Unbound instances to 1.25.1 or later immediately
- Flush the cache on all upgraded instances
- Enable the hardening directives (harden-glue, harden-dnssec-stripped, harden-below-nxdomain) and confirm DNSSEC validation is active
- Enable 0x20 encoding (use-caps-for-id: yes) as an additional anti-poisoning measure
- Audit resolution logs for signs of anomalous answers prior to patching
- Check containers and Kubernetes: node-local or sidecar resolvers may run Unbound, and CoreDNS links libunbound only when built with the out-of-tree unbound plugin
- Notify security operations if anomalous DNS resolutions are found — incident response may be needed