For a number of years now, BIND has been the most used DNS server on the internet. It is the standard system for name resolution on UNIX platforms and is used in 10 of the 13 root servers of the Domain Name System. Basically, it provides one of the main functions of the entire Internet.
With this in mind, it isn't every day that someone finds a vulnerability rated HIGH (CVE-2016-2776) in one of the most used services on the internet (https://kb.isc.org/article/AA-01419/0).
Tests done by ISC (Internet Systems Consortium) discovered a critical error when building a response. Additionally, the advisory in the ISC knowledge base acknowledges that an attacker can exploit the vulnerability remotely, which is probably why it received a HIGH severity score.
One thing that caught our attention from the ISC Advisory was the following quote:
"This assertion can be triggered even if the apparent source address isn't allowed to make queries (i.e. doesn't match 'allow-query')."

We decided to dedicate a little time to investigating this error, with the goal of finding the root cause of the Denial of Service.