Bind 9

by Internet Systems Consortiumv9.17.12

Last updated Jun 8, 2026

Versatile, classic, complete name server software

Install with winget

$ winget install --id ISC.Bind --exact --version 9.17.12

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

About

BIND 9 has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.

Installers · v9.17.12

Architecture	Type	Scope	Install	Download
x64	ZIP archive	-		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

25 known CVEs via NVD

medium5.3Patched in wingetCVE-2026-5950affects before 9.18.49, 9.20.23, 9.21.21May 20, 2026
An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 vers...
Patch Vendor advisory
high7.5Patched in wingetCVE-2026-5947affects before 9.20.23, 9.21.22May 20, 2026
Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the "recursive-clients" limit is reached (as would o...
Patch Vendor advisory
high7.5Patched in wingetCVE-2026-5946affects before 9.18.49, 9.20.23, 9.21.22May 20, 2026
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching...
Patch Vendor advisory
high7.4Patched in wingetCVE-2026-3593affects before 9.20.23, 9.21.22May 20, 2026
A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT a...
Patch Vendor advisory
medium5.3Patched in wingetCVE-2026-3592affects before 9.18.49, 9.20.23, 9.21.22May 20, 2026
BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through...
Patch Vendor advisory
high7.5Patched in wingetCVE-2026-3039affects before 9.18.49, 9.20.23, 9.21.22May 20, 2026
BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployment...
Patch Vendor advisory
high7.5Patched in wingetCVE-2023-50868affects before 9.16.48, 9.18.24, 9.19.21Feb 14, 2024
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5...
Vendor advisory
high7.5Patched in wingetCVE-2023-50387affects >=9.19.0 and <=9.19.20Feb 14, 2024
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with ma...
Patch Vendor advisory

Showing 8 of 25. Source: NVD, updated 4h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Frequently asked questions

How do I install Bind 9 on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id ISC.Bind --exact --version 9.17.12. winget downloads the installer from Internet Systems Consortium and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install Bind 9 silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id ISC.Bind --exact 9.17.12 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

How do I uninstall Bind 9 via winget?

Run: winget uninstall --id ISC.Bind --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from Bind 9's Apps & Features entry.

Is Bind 9 free?

Bind 9 is distributed under MPL-2.0. Refer to the publisher (https://www.isc.org/bind/) for the full license terms - Wingetly itself does not charge for installation.

Does Bind 9 work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls Bind 9 directly from the publisher.

How do I keep Bind 9 up to date?

Run winget upgrade --id ISC.Bind --exact, or winget upgrade --all to update everything winget tracks. We index 1 version of Bind 9 from microsoft/winget-pkgs.