PatchSiren cyber security CVE debrief

CVE-2016-6171 Knot DNS CVE debrief

CVE-2016-6171 is a high-severity availability issue in Knot DNS before 2.3.0. A remote DNS server can trigger memory exhaustion and crash a slave server by causing a large zone transfer through DDNS, AXFR, or IXFR. The issue was published by NVD on 2017-02-09 and later updated on 2026-05-13.

Vendor: Knot DNS
Product: CVE-2016-6171
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-09
Original CVE updated: 2026-05-13
Advisory published: 2017-02-09
Advisory updated: 2026-05-13

Who should care

Operators of Knot DNS deployments, especially slave/secondary DNS servers and teams handling zone transfers (AXFR/IXFR) or dynamic DNS updates (DDNS), should prioritize this issue. Any environment that accepts transfers from remote DNS peers may be exposed to denial-of-service risk.

Technical summary

NVD lists the vulnerable version range as Knot DNS versions before 2.3.0. The weakness is classified as CWE-400 (Uncontrolled Resource Consumption). The reported impact is remote denial of service: large zone transfers can consume memory until the slave server crashes. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, indicating network reachability, low attack complexity, no privileges or user interaction, and high availability impact.

Defensive priority

High. This is a remotely reachable availability risk with no privileges or user interaction required, and it can take down DNS service components that depend on Knot DNS slave behavior.

Recommended defensive actions

  • Upgrade Knot DNS to version 2.3.0 or later, which is the first version outside the vulnerable range listed by NVD.
  • Review and restrict zone-transfer and dynamic DNS exposure where possible, especially from untrusted or broad network sources.
  • Monitor secondary DNS servers for abnormal memory growth or crashes around transfer activity.
  • Validate whether internal tooling or automation can generate unusually large zone transfers and set operational safeguards.
  • Check vendor release notes and advisories for any additional hardening guidance related to transfer handling.
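The following knot.conf fragment shows what the "restrict zone-transfer and dynamic DNS exposure" and "set operational safeguards" items above look like in practice for a secondary (slave) server. It is an added example, not configuration from the PatchSiren debrief or from the Knot DNS project. The zone name, IP address, ACL and remote names, and the TSIG secret are constructed placeholders, and the `max-zone-size` cap is assumed to be supported by the Knot DNS version in use (it is not mentioned in the debrief; confirm it against the vendor release notes before relying on it).

```yaml
# knot.conf fragment for a secondary (slave) server -- added example, not from
# the PatchSiren page or the Knot DNS project. Addresses, names and the key
# secret are constructed placeholders; replace them with your own values.

server:
    listen: 0.0.0.0@53

key:
  - id: xfr_key
    algorithm: hmac-sha256
    # Constructed placeholder (base64 of a dummy string). Generate a real
    # secret with your key tooling and share it only with the primary.
    secret: Y29uc3RydWN0ZWQtZXhhbXBsZS1zZWNyZXQ=

remote:
  # The only server this secondary will pull AXFR/IXFR from (constructed address).
  - id: primary
    address: 192.0.2.10@53
    key: xfr_key

acl:
  # Only the primary, authenticated with the shared TSIG key, may send NOTIFY
  # and so trigger a refresh. No ACL grants 'transfer' or 'update', so outbound
  # AXFR/IXFR to arbitrary hosts and inbound DDNS are refused.
  - id: primary_notify
    address: 192.0.2.10
    key: xfr_key
    action: notify

template:
  - id: default
    storage: /var/lib/knot
    # Hard cap on zone size in wire format: a transfer or update that would push
    # the zone past this limit is rejected instead of growing memory without
    # bound. Assumed available as 'max-zone-size' in the version you run.
    max-zone-size: 50M

zone:
  - domain: example.net.   # constructed zone name
    master: primary
    acl: primary_notify
```

Pinning the secondary to a single, TSIG-authenticated primary removes the broad "any remote DNS server" exposure described in the summary, and the size cap gives operations a concrete bound to alert on when the monitoring item above flags abnormal memory growth around transfer activity. Run the server's configuration check (knotc conf-check on a Knot DNS 2.x install) after editing, and keep the upgrade to 2.3.0 or later as the primary fix; this configuration only reduces exposure.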

Evidence notes

The NVD record identifies the affected product as knot-dns and marks versions before 2.3.0 as vulnerable. The NVD reference set includes vendor and technical materials, including Knot release notes, a vendor issue tracker entry, and an operational mailing-list description. The vulnerability is mapped to CWE-400 and scored HIGH with CVSS 8.6.

Official resources

Publicly disclosed in the official CVE/NVD record set on 2017-02-09; NVD record later modified on 2026-05-13. No KEV or ransomware-campaign enrichment was provided.