
CVE-2025-11411: CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data in NLnet Labs Unbound

Severity: Medium
Published: Wed Oct 22 2025 (10/22/2025, 12:28:02 UTC)
Source: CVE Database V5
Vendor/Project: NLnet Labs
Product: Unbound

Description

NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that accompany positive DNS replies in the authority section can be used to trick resolvers into updating their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit this poisoning effect by injecting NS RRSets (and possibly their respective address records) into a reply, for example by spoofing a packet or through fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has, since the new data has enough trust for it, i.e., it is in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies, mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.

AI-Powered Analysis

AI analysis last updated: 12/10/2025, 14:47:09 UTC

Technical Analysis

CVE-2025-11411 is a vulnerability in NLnet Labs Unbound DNS resolver software, affecting versions up to and including 1.24.1. The issue stems from Unbound's acceptance of unsolicited NS RRSets (Name Server Resource Record Sets) in DNS responses, which are typically used to update the resolver's delegation information for DNS zones. Normally, these NS RRSets are trusted when they come as part of authoritative delegation data. However, Unbound incorrectly accepts extraneous NS RRSets included in the authority section of DNS replies, even when these are unsolicited and potentially malicious. An attacker can exploit this by injecting spoofed DNS responses containing malicious NS RRSets and their associated address records, possibly leveraging packet spoofing or fragmentation attacks to bypass validation. This causes Unbound to update its cached delegation information with attacker-controlled name servers, effectively hijacking DNS queries for the targeted zone. This vulnerability is categorized under CWE-349, which involves acceptance of extraneous untrusted data alongside trusted data, leading to trust boundary violations. The vulnerability impacts the integrity and potentially the confidentiality of DNS resolution. Unbound 1.24.1 introduced a fix that scrubs unsolicited NS RRSets and their address records from replies to prevent poisoning. Version 1.24.2 further extends this scrubbing to YXDOMAIN and non-referral nodata replies, closing additional attack vectors. The CVSS 4.0 score is 5.7 (medium severity), reflecting the attack vector as adjacent network, low complexity, no privileges required, no user interaction, but with high impact on integrity and scope. No known exploits have been reported in the wild to date. The vulnerability requires an attacker to be able to inject or spoof DNS responses, which may be feasible in certain network environments, such as those lacking proper DNSSEC validation or network-level protections.
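As an added illustration (not Unbound's own code), the following Python model shows the scrubbing rule the fixes describe: NS RRsets in the authority section of a positive reply, a YXDOMAIN reply, or a non-referral NODATA reply are treated as unsolicited and dropped together with their glue address records, while a genuine referral is left intact. The simplified RR/Reply structures, the referral test, and the sample records using the reserved example.test and attacker.test names are constructed assumptions for this example.

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str    # owner name
    rtype: str   # "A", "AAAA", "NS", "SOA", ...
    data: str    # rdata as text (for NS: the name server's name)

@dataclass
class Reply:
    qname: str
    rcode: str                            # "NOERROR", "YXDOMAIN", ...
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)

def is_referral(reply: Reply) -> bool:
    """Referral: NOERROR, empty answer, NS in authority and no SOA."""
    return (reply.rcode == "NOERROR" and not reply.answer
            and any(rr.rtype == "NS" for rr in reply.authority)
            and not any(rr.rtype == "SOA" for rr in reply.authority))

def must_scrub(reply: Reply) -> bool:
    """Reply shapes in which NS RRsets count as unsolicited per the fixes."""
    if reply.answer:                      # positive reply (1.24.1 fix)
        return True
    if reply.rcode == "YXDOMAIN":         # 1.24.2 fix
        return True
    return reply.rcode == "NOERROR" and not is_referral(reply)  # non-referral NODATA

def scrub_unsolicited_ns(reply: Reply) -> Reply:
    """Return a copy without unsolicited NS RRs and their glue addresses."""
    if not must_scrub(reply):
        return reply
    servers = {rr.data.lower() for rr in reply.authority if rr.rtype == "NS"}
    return Reply(reply.qname, reply.rcode, list(reply.answer),
                 [rr for rr in reply.authority if rr.rtype != "NS"],
                 [rr for rr in reply.additional if not
                  (rr.rtype in ("A", "AAAA") and rr.name.lower() in servers)])

# Constructed sample: a positive answer carrying an injected NS RRset + glue.
POISONED = Reply("www.example.test", "NOERROR",
    answer=[RR("www.example.test", "A", "192.0.2.10")],
    authority=[RR("example.test", "NS", "ns.attacker.test")],
    additional=[RR("ns.attacker.test", "A", "192.0.2.66")])
# Constructed sample: a genuine referral, which must stay intact.
REFERRAL = Reply("www.example.test", "NOERROR",
    authority=[RR("example.test", "NS", "ns1.example.test")],
    additional=[RR("ns1.example.test", "A", "192.0.2.53")])
```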

Potential Impact

For European organizations, this vulnerability poses a significant risk to the integrity and trustworthiness of DNS resolution services if they use affected versions of Unbound. Successful exploitation can lead to domain hijacking, redirecting users to malicious sites, enabling phishing, data interception, or malware distribution. This undermines confidentiality by potentially exposing sensitive communications and integrity by corrupting DNS data. Availability could also be indirectly affected if DNS resolution is disrupted. Organizations relying on Unbound for critical infrastructure, internal DNS resolution, or recursive DNS services may face operational disruptions and reputational damage. Given the widespread use of Unbound in Europe, especially in academic, governmental, and enterprise environments valuing open-source DNS solutions, the impact could be broad. Additionally, attackers exploiting this vulnerability could leverage it for further lateral movement or espionage, particularly in sectors with high-value targets such as finance, energy, and government. The lack of known exploits reduces immediate risk, but the medium severity and ease of exploitation in adjacent networks warrant prompt attention.

Mitigation Recommendations

To mitigate CVE-2025-11411, European organizations should immediately upgrade all Unbound DNS resolver instances to version 1.24.2 or later, which includes comprehensive fixes for unsolicited NS RRSet scrubbing. Network administrators should enforce strict network segmentation and filtering to prevent spoofed DNS packets from untrusted sources, including implementing ingress and egress filtering (BCP 38) to reduce IP spoofing risks. Deploying DNSSEC validation on resolvers can help detect and reject forged DNS data, although this vulnerability targets delegation data acceptance and may require careful configuration. Monitoring DNS resolver logs for unusual NS RRSet updates or unexpected delegation changes can provide early detection of exploitation attempts. Organizations should also review and harden fragmentation handling in network devices to prevent fragmentation-based spoofing attacks. Regular vulnerability scanning and patch management processes must include Unbound components. Finally, educating network security teams about this specific threat and its exploitation vectors will improve incident response readiness.


Technical Details

Data Version: 5.1
Assigner Short Name: NLnet Labs
Date Reserved: 2025-10-07T09:07:44.926Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68f8d2c779108345beab68dd

Added to database: 10/22/2025, 12:49:11 PM

Last enriched: 12/10/2025, 2:47:09 PM

Last updated: 2/7/2026, 2:00:39 AM

Views: 748

