djbdns patches


djbdns has two weaknesses that allow an attacker to poison its cache in very short amounts of time.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4392 to this issue. This is a candidate for inclusion in the CVE list, which standardizes names for security problems.

What you need to know

Technical information

For more details about how this attack works, see this PDF.

The Patches

Merge identical outgoing requests

This patch prevents a class of poisoning attack by combining identical requests from clients into one outgoing query. Without this patch, an attacker can coerce dnscache into launching hundreds of identical queries at once, making a specific type of attack several orders of magnitude easier.
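A toy model of the behaviour this patch changes, added here as an example (it is not djbdns code or the patch itself; the names InflightTable, submit(), deliver() and outstanding() are hypothetical). Without merging, each identical client request becomes its own upstream query with its own transaction ID; with merging, they all wait on a single outgoing query and share its one answer.

```python
"""Toy model of a resolver's in-flight upstream queries (added example, not
djbdns code; InflightTable, submit(), deliver(), outstanding() are hypothetical)."""
import secrets
from dataclasses import dataclass, field

@dataclass
class OutgoingQuery:
    qname: str
    qtype: int
    txid: int                                    # 16-bit ID on the wire
    waiters: list = field(default_factory=list)  # client requests sharing it

class InflightTable:
    """Queries sent upstream and not yet answered."""

    def __init__(self, merge_identical: bool):
        self.merge_identical = merge_identical
        self.pending: list[OutgoingQuery] = []

    def submit(self, client_id: int, qname: str, qtype: int) -> OutgoingQuery:
        """A client request arrives; return the upstream query it rides on."""
        key = (qname.lower().rstrip("."), qtype)
        if self.merge_identical:
            for q in self.pending:
                if (q.qname, q.qtype) == key:
                    q.waiters.append(client_id)  # piggy-back: no new packet sent
                    return q
        # Unmerged behaviour: each identical request becomes its own upstream
        # query, so the set of transaction IDs a forgery could match grows.
        q = OutgoingQuery(key[0], qtype, secrets.randbelow(1 << 16), [client_id])
        self.pending.append(q)
        return q

    def deliver(self, qname: str, qtype: int, txid: int) -> list:
        """An answer arrives; accept it only if it matches an in-flight txid.
        Returns the client ids that get the answer (empty if it is rejected)."""
        key = (qname.lower().rstrip("."), qtype)
        for q in self.pending:
            if (q.qname, q.qtype) == key and q.txid == txid:
                self.pending.remove(q)
                return list(q.waiters)
        return []

def outstanding(n_clients: int, merge: bool, qname="example.com", qtype=1) -> int:
    """Distinct upstream queries in flight after n_clients identical requests."""
    table = InflightTable(merge)
    for cid in range(n_clients):
        table.submit(cid, qname, qtype)
    return len(table.pending)
```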

Make SOA responses cacheable

This patch allows dnscache to store the responses to "SOA" type queries in its cache. SOA responses are the only response type that dnscache never caches. dnscache relies on its internal cache to prevent certain classes of poisoning attack, so attackers may send floods of SOA requests to bypass these protections.


A pre-patched version of djbdns-1.05 is available here if you do not wish to manually patch.


Prior to release, these patches have been tested by several large djbdns users with no reported complaints.

Please note that the "merge similar queries" patch slightly modifies the log file format, because the merged behaviour cannot be expressed in the existing log format. Very few applications attempt to parse dnscache's log format, and it is believed that most should skip lines they do not understand.


These patches were developed by Jeff King, and are released into the public domain. Validation, testing and help came from David Dagon, Adam Getchell, Dan Kaminsky and David Ulevitch.


No warranty or support is provided for these patches. Feedback, incompatibilities or improvements are welcome. Email is appreciated.

Copyright © 2009 Kevin Day. Patches and documentation may be freely distributed.