For years, cryptographer Daniel J. Bernstein has touted his djbdns as so secure that he promised a $1,000 bounty to anyone who could poke holes in the domain name resolution software.
Now it could be time to pay up, as researchers said they’ve uncovered several vulnerabilities in the package that could lead end users to fraudulent addresses under the control of attackers.
djbdns is believed to be the second most popular DNS program, behind BIND. The bugs show that even the most secure DNS packages are susceptible to attacks that could visit chaos on those who use them.
One of the bugs, disclosed last week by researcher Kevin Day, exploits a known vulnerability in DNS that allows attackers to poison domain name system caches by flooding a server with multiple requests for the same address.
Source: The Register