Unbound ECS: Rebirthday Attack cache poisoning in DNS resolvers with EDNS Client Subnet (CVE-2025-5994) #shorts

Summary

Welcome to today's security brief. We're discussing CVE-2025-5994, also known as the 'Rebirthday Attack'. This is a critical cache poisoning vulnerability that impacts DNS resolvers using Unbound with EDNS Client Subnet support. If left unpatched, attackers can exploit the birthday paradox to inject malicious DNS responses and poison resolver caches.

Product details

The issue was published on July 16, 2025, by NLnet Labs. It affects Unbound versions from 1.6.2 up to, but not including, 1.23.0, when compiled with --enable-subnet and configured to send ECS data. Multiple Linux distributions have released updates: Fedora 42 has issued a critical Unbound update, Oracle Linux 10 and 9 have rolled out important security patches, and Oracle Linux 8 has published an important DoS update to address CVE-2025-5994.

Vulnerability type summary

This is classified under CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data. In plain terms, the resolver fails to segregate queries with different ECS fields, allowing attackers to inject forged DNS replies and poison the cache by guessing the transaction ID using a birthday paradox approach.

Details of the vulnerability

Resolvers that support EDNS Client Subnet (ECS) attach part of the client's IP to outgoing queries. When Unbound is built with --enable-subnet and any of the send-client-subnet, client-subnet-zone or client-subnet-always-forward options are active, it doesn’t isolate queries by subnet. An attacker can flood the resolver with spoofed responses, leveraging the statistical collision probability of the DNS transaction ID to slip in a malicious answer. Once accepted, the poisoned record stays in cache, redirecting legitimate queries to attacker-controlled addresses.
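As an added illustration that is not part of the original brief, the exposure can be put in numbers. A DNS transaction ID is 16 bits, so there are $N = 2^{16} = 65536$ possible values. If the resolver has $n$ outstanding queries for the same name that differ only in their ECS data, and it receives $k$ forged replies whose IDs are chosen independently, the probability that none of them matches any in-flight ID is

$$P(\text{no match}) = \left(1 - \frac{n}{N}\right)^{k} \approx e^{-nk/N},$$

so the chance that at least one forgery is accepted is $1 - e^{-nk/N}$. The risk grows with the product $nk$: the operator cannot control $k$, but keeping $n = 1$ (no fan-out of one name into several ECS-specific upstream queries, which is what disabling the ECS-sending options achieves) or upgrading to the fixed release removes the multiplier. Matching on the source port as well as the ID enlarges $N$ by the number of usable ports, which is why port randomisation remains a necessary companion defence rather than a substitute for the patch.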

Conclusion

To mitigate CVE-2025-5994, update Unbound to version 1.23.0 or later, or apply your distribution’s available patches immediately. If you rely on ECS for geo-aware DNS responses, verify that query segregation is enforced or disable ECS entirely until the fix is in place. Stay tuned for more security updates and features in our next episode.

Watch the full video on YouTube: CVE-2025-5994

Remediation and exploitation details

This chain involves the following actors

  • Attacker: Crafts and sends spoofed DNS responses to poison resolver cache
  • DNS Resolver Operator: Deploys and maintains the Unbound caching resolver

The following systems are involved

  • Unbound Resolver (Resolves and caches domain name records for clients): Target of cache poisoning
  • Upstream Authoritative Server (Holds the true DNS records for domains): Source of legitimate DNS responses

Attack entry point

  • EDNS Client Subnet Channel: Network path where the resolver sends queries with client subnet data to the authoritative server
  • Resolver Query Interface: Interface where client applications submit DNS lookups to the resolver

Remediation actions

  • Apply vendor update (actor: DNS Resolver Operator; system: Unbound Resolver)
  • Upgrade to version 1.23.0 or later (actor: DNS Resolver Operator; system: Unbound Resolver)
  • Disable client subnet options (actor: DNS Resolver Operator; system: Unbound Resolver)
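The remediation steps above and the Conclusion reduce to three checks an operator can script: is the running version in the affected range, was the binary built with --enable-subnet, and does the configuration set any of send-client-subnet, client-subnet-zone or client-subnet-always-forward. The following audit script is an added example; it is not NLnet Labs' code and not from the advisory. It assumes that `unbound -V` prints a "Version X.Y.Z" line and a "Configure line: ..." line (the sample output and the sample unbound.conf below are constructed, not captured from a real host), and it shows the interim mitigation by commenting out the ECS-sending options in place.

```python
"""Audit an Unbound resolver for exposure to CVE-2025-5994 (ECS 'Rebirthday Attack').

Added example: not NLnet Labs' code and not part of the advisory. It encodes only what
the advisory states: Unbound 1.6.2 <= version < 1.23.0 is affected when the binary was
built with --enable-subnet AND the config sets at least one of send-client-subnet,
client-subnet-zone or client-subnet-always-forward.
Assumption: `unbound -V` prints a 'Version X.Y.Z' line and a 'Configure line: ...' line;
the sample outputs and configs below are constructed, not captured.
"""
import re

# Options that make Unbound attach ECS data to upstream queries (named in the advisory).
ECS_SEND_OPTIONS = frozenset(
    {"send-client-subnet", "client-subnet-zone", "client-subnet-always-forward"}
)
AFFECTED_FROM = (1, 6, 2)   # first affected release
FIXED_IN = (1, 23, 0)       # first fixed release


def parse_version(text):
    """Pull the first X.Y.Z triple out of free text (e.g. 'Version 1.22.0')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def version_affected(version):
    """Numeric range check: 1.22.0 and 1.9.10 are affected, 1.23.0 and 1.6.1 are not."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return AFFECTED_FROM <= v < FIXED_IN


def built_with_subnet(unbound_v_output):
    """True when the 'Configure line:' printed by `unbound -V` contains --enable-subnet."""
    for line in unbound_v_output.splitlines():
        if line.lower().startswith("configure line:"):
            return "--enable-subnet" in line
    return False


def ecs_send_options(conf_text):
    """Return the ECS-sending options that are live (not commented out) in unbound.conf."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment in unbound.conf
        if ":" not in line:
            continue
        key = line.split(":", 1)[0].strip().lower()
        if key in ECS_SEND_OPTIONS:
            found.append(key)
    return found


def assess(unbound_v_output, conf_text):
    """Combine the three advisory conditions into a verdict plus the reasons for it."""
    version = parse_version(unbound_v_output)
    vstr = ".".join(map(str, version))
    if not version_affected(version):
        return "not affected", [f"version {vstr} is outside [1.6.2, 1.23.0)"]
    reasons = [f"version {vstr} is in the affected range"]
    if not built_with_subnet(unbound_v_output):
        return "not affected", reasons + ["binary not built with --enable-subnet"]
    reasons.append("binary built with --enable-subnet")
    live = ecs_send_options(conf_text)
    if not live:
        return "not exposed, upgrade anyway", reasons + ["no ECS-sending option is set"]
    return "VULNERABLE", reasons + [f"ECS sent upstream via: {', '.join(live)}"]


def disable_ecs_sending(conf_text):
    """Interim mitigation from the advisory: comment out every ECS-sending option."""
    out = []
    for raw in conf_text.splitlines():
        key = raw.split("#", 1)[0].split(":", 1)[0].strip().lower()
        if key in ECS_SEND_OPTIONS:
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}# CVE-2025-5994 mitigation, disabled: {raw.strip()}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample data (not captured from a real host).
SAMPLE_UNBOUND_V = (
    "Version 1.22.0\n\n"
    "Configure line: ./configure --enable-subnet --with-libevent\n"
)
SAMPLE_CONF_EXPOSED = """server:
    verbosity: 1
    # send-client-subnet: 192.0.2.53   <- already commented out, ignored by the audit
    send-client-subnet: 192.0.2.53
    client-subnet-always-forward: yes
"""

if __name__ == "__main__":
    print(assess(SAMPLE_UNBOUND_V, SAMPLE_CONF_EXPOSED))
    hardened = disable_ecs_sending(SAMPLE_CONF_EXPOSED)
    print(hardened)
    print(assess(SAMPLE_UNBOUND_V, hardened))
```

On a real host, feed the script the captured output of `unbound -V` and the contents of the active unbound.conf (including any files pulled in through include directives, which this example does not follow). Commenting out the options is the stop-gap the advisory offers for operators who cannot upgrade at once; the verdict deliberately still says "upgrade anyway" afterwards, because only 1.23.0 or a distribution backport removes the defect itself.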

Exploitation actions

  • Detect ECS support (actor: Attacker; system: Unbound Resolver): Probe resolver with test queries and inspect replies for client subnet options
    Example: Send DNS queries for test.example and look for additional bytes indicating subnet data
  • Trigger repeated queries (actor: Attacker; system: Unbound Resolver): Force resolver to issue many queries for the same name while varying the client subnet field
    Example: Issue 100 queries for vulnerable.com with different /24 subnet values
  • Spam forged responses (actor: Attacker; system: Unbound Resolver): For each outgoing ECS query, send a large batch of spoofed UDP replies with randomized transaction identifiers and source ports
    Example: Use a script to send 65 000 spoofed DNS responses per query attempt
  • Exploit birthday collision (actor: Attacker; system: Unbound Resolver): Rely on the birthday paradox to match one forged response to the resolver’s actual query identifiers
    Example: Observe when resolver accepts a spoofed answer that matches both transaction ID and port
  • Poison resolver cache (actor: Attacker; system: Unbound Resolver): Once a forged reply is accepted, malicious DNS records are stored in cache and served to downstream clients
    Example: Resolver now returns attacker-owned IP for vulnerable.com on all client requests

Related Content

CVE database technical details

CVE ID
CVE-2025-5994
Description
A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies.
Provider
NLnet Labs
CWE / problem types
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data
Affected Software Versions
NLnet Labs Unbound: from 1.6.2 up to, but not including, 1.23.0 (semver)
Date Published
2025-07-16T14:38:22.738Z
Last Updated
2025-07-16T15:42:18.657Z