Unbound 1.24.1 released

Published: Wed 22 October 2025
Last updated: Wed 22 October 2025

We are pleased to announce the release of version 1.24.1 of the Unbound recursive DNS resolver.

This security release fixes CVE-2025-11411.

Several multi-vendor cache poisoning vulnerabilities have been discovered in caching resolvers for non-DNSSEC protected data.

Unbound is vulnerable to some of these cases, which could lead to domain hijacking.

Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers into updating their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. If a malicious actor is able to attach such records to a reply (i.e., via a spoofed packet or a fragmentation attack), they would be able to poison Unbound's cache for the delegation point.

Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies, mitigating the possible poisoning effect.
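The scrubbing idea described above, as a simplified added example that is not Unbound's code: NS RRSets and their address records are dropped from any reply that is not a referral. The `RR` and `Reply` types, the referral heuristic (empty answer, NS present, no SOA) and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:  # hypothetical, minimal stand-in for a parsed resource record
    name: str
    rtype: str
    rdata: str

@dataclass
class Reply:  # hypothetical parsed reply: the three record sections
    answer: list
    authority: list
    additional: list

def _norm(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.rstrip(".").lower()

def is_referral(reply):
    # Assumed heuristic: a delegation has no answer, NS in authority, no SOA.
    types = {rr.rtype for rr in reply.authority}
    return not reply.answer and "NS" in types and "SOA" not in types

def scrub_unsolicited_ns(reply):
    """Return (scrubbed_reply, removed_records); referrals pass through."""
    if is_referral(reply):
        return reply, []
    ns = [rr for rr in reply.authority if rr.rtype == "NS"]
    targets = {_norm(rr.rdata) for rr in ns}
    glue = [rr for rr in reply.additional
            if rr.rtype in ("A", "AAAA") and _norm(rr.name) in targets]
    kept = Reply(list(reply.answer),
                 [rr for rr in reply.authority if rr.rtype != "NS"],
                 [rr for rr in reply.additional if rr not in glue])
    return kept, ns + glue

# Constructed samples (reserved documentation names and addresses).
REFERRAL = Reply([], [RR("example.com.", "NS", "ns1.example.com.")],
                 [RR("ns1.example.com.", "A", "192.0.2.53")])
POISONED = Reply([RR("www.example.com.", "A", "192.0.2.10")],
                 [RR("example.com.", "NS", "NS.Rogue.Example.")],
                 [RR("ns.rogue.example.", "A", "203.0.113.66"),
                  RR("ns.rogue.example.", "AAAA", "2001:db8::66")])

if __name__ == "__main__":
    for label, reply in (("referral", REFERRAL), ("answer", POISONED)):
        _, removed = scrub_unsolicited_ns(reply)
        print(label, "removed:", [(r.name, r.rtype) for r in removed])
```

The returned list of removed records can be logged to see how often replies carry NS RRSets the resolver did not ask for.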

We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University for discovering and responsibly disclosing the vulnerability.

For a full list of changes, binary and source packages, see the download page.
