Created on 11-14-2019 02:30 AM Edited on 01-07-2024 10:13 PM By Anthony_E
Description
This article explains why some public scanning tools report that FortiOS is vulnerable to ISC BIND DNS vulnerabilities.
The vulnerabilities in such reports can include (but are not limited to):
CVE-2006-0987: DNS Server Spoofed Request Amplification DDoS
CVE-2007-0493: dereferencing freed fetch context
CVE-2008-0122: Buffer overflow in inet_network()
CVE-2009-0696: BIND Dynamic Update DoS
Scope
FortiOS DNS query service.
Solution
This is a false alarm: the FortiOS DNS query service in proxy mode simply
forwards DNS queries to the target DNS server; thus the real vulnerabilities are at the target DNS servers.
FortiOS does not use ISC BIND third-party software.
To verify/validate, change the FortiOS DNS server settings to non-recursive
mode:
    config system dns-server
        edit [interface]
            set mode non-recursive
        next
    end
and re-run the scan; these ISC BIND related vulnerabilities should no longer
show up.
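The following is an added example, not part of the Fortinet article, for checking from a client whether the DNS service still behaves as a recursive forwarder after the change. It assumes that in non-recursive mode the appliance either clears the RA (recursion available) flag or answers REFUSED for names it is not authoritative for; the sample replies are constructed, not captured from a device.

```python
import socket
import struct

def build_query(name: str, qid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a minimal DNS A query; the RD bit asks the server to recurse."""
    flags = 0x0100 if rd else 0x0000  # QR=0, opcode=QUERY, RD set
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(resp: bytes) -> dict:
    """Decode the header fields relevant to a recursion check."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired (echoed)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": an,
    }

def classify(resp: bytes) -> str:
    """Map a reply to the resolver behaviour it indicates."""
    f = parse_flags(resp)
    if f["rcode"] == 5:
        return "non-recursive (REFUSED)"
    if f["ra"] and f["rcode"] == 0 and f["ancount"] > 0:
        return "recursive (RA set, answer returned)"
    if not f["ra"]:
        return "non-recursive (RA clear)"
    return f"indeterminate (rcode={f['rcode']})"

def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send the query over UDP/53 to your own resolver and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(512)
    if resp[:2] != q[:2]:
        raise ValueError("response ID mismatch")
    return classify(resp)

# Constructed sample replies: header only, matching query id 0x1234.
RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, NOERROR
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)    # QR|RD, RCODE=5
```

Run `probe("<fortigate-dns-interface-ip>")` before and after setting non-recursive mode; the result should move from "recursive" to one of the "non-recursive" outcomes.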