NLnet Labs dropped a security advisory on May 20, 2026, warning that a medium-severity bug in Unbound can keep revoked domain names alive in resolver caches long after they should have expired. The flaw, tracked as CVE-2026-40622, affects Unbound versions 1.16.2 through 1.25.0 and allows attackers to craft responses that override cache time-to-live (TTL) logic, effectively creating persistent ghost domains that remain resolvable even when the authoritative DNS server has pulled the name.

For Windows environments that lean on Unbound as a hardened recursive DNS resolver—whether on Windows Server, as a local caching proxy, or in hybrid cloud deployments—the issue opens a door for phishing pages, malware delivery, and command-and-control domains to stick around after takedowns. The fix lands in Unbound 1.25.1, and administrators should patch immediately.

How ghost domains spin out of control in DNS caches

To grasp what CVE-2026-40622 does, you need to understand how standard DNS caching works. When a recursive resolver like Unbound queries an authoritative server for a record, it stores the answer in its cache until the record’s TTL ticks down to zero. Once the TTL expires, the resolver purges the entry and fetches fresh data the next time a client asks. If a domain gets revoked—say, because it was phishing bank credentials—the authoritative server stops serving that name or returns NXDOMAIN. A properly functioning resolver will drop the cached record when the TTL expires, and subsequent lookups will fail.

Ghost domain attacks subvert that process. Researchers long ago demonstrated that an attacker controlling an authoritative server can keep a domain alive in recursive resolvers even after the delegation is removed, as long as the attacker can send carefully timed responses. The technique abuses the fact that some resolvers will refresh a cached entry’s TTL if they receive a valid, in-bailiwick response during a critical window. This lets a malicious domain outlive its real delegation by weeks or months.
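The refresh behaviour described above, as an added toy model written for this article (not Unbound code, and not the specific CVE-2026-40622 logic, which the advisory does not disclose): one cache extends a record's lifetime on every in-bailiwick answer, the other never lets a refresh push an entry past the point where the parent-side delegation itself must be re-fetched. The domain name, address and TTLs are constructed, and the "bound to delegation expiry" invariant is an illustrative defensive property, not the vendor's fix.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    rdata: str
    expires_at: int           # absolute second at which the entry is evicted
    delegation_expires: int   # when the parent-side delegation must be re-fetched

class ResolverCache:
    """Either refreshes TTL freely (the behaviour ghost domains abuse) or caps
    every refresh at the delegation's own expiry (bound_to_delegation=True)."""
    def __init__(self, bound_to_delegation: bool):
        self.bound = bound_to_delegation
        self.entries: dict[str, Entry] = {}

    def insert(self, now, name, rdata, ttl, delegation_ttl):
        self.entries[name] = Entry(rdata, now + ttl, now + delegation_ttl)

    def refresh(self, now, name, ttl):
        """A fresh in-bailiwick answer arrives for a name that is still cached."""
        e = self.entries.get(name)
        if e is None or now >= e.expires_at:
            return False
        new_expiry = now + ttl
        if self.bound:
            new_expiry = min(new_expiry, e.delegation_expires)
        e.expires_at = new_expiry
        return True

    def lookup(self, now, name):
        e = self.entries.get(name)
        if e is None or now >= e.expires_at:
            self.entries.pop(name, None)
            return None   # cache miss: the resolver must go back to the parent
        return e.rdata

NAME, IP = "phish.example", "203.0.113.5"   # constructed sample data

def simulate(bound, ttl=3000, delegation_ttl=172800, probe_at=7 * 86400):
    """The delegation is revoked at the parent right after caching, but the old
    server keeps answering. Returns what a client sees `probe_at` seconds later."""
    cache = ResolverCache(bound)
    cache.insert(0, NAME, IP, ttl, delegation_ttl)
    t = 0
    while t + ttl - 1 < probe_at:
        t += ttl - 1                    # re-queried just inside the TTL window
        cache.refresh(t, NAME, ttl)
    return cache.lookup(probe_at, NAME)
```

With free refresh the name still resolves a week later; with the bound in place it is evicted when the delegation's TTL runs out, forcing a fresh walk from the parent that now returns nothing.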

CVE-2026-40622 is a new spin on that class of attacks. According to the advisory, certain response processing flaws in Unbound allow an attacker to extend the cache lifetime of a revoked domain beyond the intended constraints. The precise mechanics haven’t been detailed publicly to prevent exploitation, but the effect is clear: a ghost domain can be kept in the cache long enough to cause harm.

Windows at risk? Yes, and here’s why

Unbound isn’t baked into Windows like the built-in DNS client, but it’s a common choice among admins who want a validating, DNSSEC-capable resolver without the overhead of a full BIND deployment. Many Windows shops run Unbound:

  • As a local forwarding resolver on a Windows server to handle DNS for Active Directory-integrated zones that need secure, high-performance recursion.
  • In Docker containers on Windows for microservices environments where containers use Unbound as a lightweight DNS cache.
  • As a VPN-side resolver in Windows-based remote access setups, where Unbound ensures queried names are validated and filtered.

If your network relies on Unbound in any of those roles, CVE-2026-40622 means that a domain you thought was dead—like a typo-squatted version of a popular banking site—could still be served from cache. A user’s browser would resolve the IP and connect to the attacker’s server without any DNS-level warning.

Even if you don’t use Unbound directly, your upstream ISP or cloud provider might. Big providers often employ Unbound as a building block in their recursive DNS offerings. While they typically patch quickly, the window between disclosure and deployment leaves millions of endpoints potentially reaching ghost domains.

Breakdown of CVE-2026-40622

  • Affected versions: Unbound 1.16.2 through 1.25.0
  • Severity: Medium (base score not yet assigned, but NLnet Labs rates it as a security issue bypassing intended cache behavior)
  • Disclosure date: May 20, 2026
  • Fix: Unbound 1.25.1

The vulnerability sits in how Unbound handles specific DNS response codes and EDE (Extended DNS Errors) during cache refresh operations. An attacker who can induce a condition where Unbound receives a crafted response from an authoritative server—either by owning a malicious server that was once authoritative for the domain, or by spoofing responses if DNSSEC validation is not enforced—can keep the cached record alive past its TTL.

Crucially, the attack does not require a man-in-the-middle position. An attacker who once controlled a domain can maintain its ghost presence in vulnerable resolvers if they can provide ongoing answers from their own infrastructure, even after the delegation point has been updated by the registry. This means domains used in malware campaigns or phishing kits can survive cleanup efforts.

Real-world impact: phishing, malware, and compliance nightmares

Think about the lifecycle of a phishing domain. Security teams detect the scam, alert the registrar, and the domain gets suspended. The authoritative nameservers stop answering for it. Within an hour or two, most recursive resolvers will have expired the cached A record, and the phishing site goes dark. With CVE-2026-40622, attackers can keep that domain alive in vulnerable Unbound resolvers for days or weeks, continuing to harvest credentials from any victims whose DNS path includes an unpatched resolver.

Similarly, malware that uses domain-generation algorithms (DGAs) often relies on domains that are intermittently taken down. A ghost domain could provide a consistent callback channel, bypassing sinkholing efforts.

For enterprises that must prove they can block malicious domains—say, under PCI DSS or HIPAA—a ghost domain persisting in a cache despite firewall rules or DNS filter updates creates a compliance gap. Auditors might see a gap between the block list and what the resolver still serves.

Fix and mitigation

NLnet Labs released Unbound 1.25.1 with the patch on May 20, 2026. The changelog entry is brief: “Fix CVE-2026-40622: ghost domain names could be kept in cache longer than intended.” Administrators should upgrade immediately.

If you can’t upgrade right away, consider these workarounds:

  • Reduce cache-min-ttl and cache-max-ttl to aggressive values (e.g., 60 seconds) to limit how long any ghost domain could survive, at the cost of increased DNS traffic.
  • Enable DNSSEC validation if not already active. Ghost domains often rely on response manipulation that valid signatures prevent. Unbound’s DNSSEC validation can stop spoofed responses, forcing attackers to hold the actual signing keys—which are typically revoked along with the domain.
  • Purge the cache immediately after any domain takedown using unbound-control flush <domain> or by reloading the daemon. While manual, this ensures known-malicious domains are evicted quickly.
  • Leverage response policy zones (RPZ) to override any cached records for known ghost domains, forcing them to resolve to a block page or sinkhole.

Windows administrators who run Unbound as a service should check the current version with unbound -V or via the Services console, and download the latest package from NLnet Labs or their package manager (Chocolatey, winget, or vcpkg where available).

A broader look at DNS cache integrity

CVE-2026-40622 isn’t the first ghost domain vulnerability, and it won’t be the last. DNS resolver caching, while essential for performance, has always been a fragile layer. The fundamental tension is between TTL adherence as a hard security boundary and the many exceptions that protocols introduce for efficiency.

In 2012, researchers presented “Ghost Domain Names” at NDSS, showing how resolvers could be tricked into keeping domains alive by exploiting the delegation model. Similar issues later appeared in BIND, Windows DNS Server, and dnsmasq. Each vendor patches them, but new variations emerge because the DNS protocol itself lacks a strong cache expiration guarantee when authoritative infrastructure changes.

Windows shops that rely on the built-in Windows DNS Server are not directly affected by this CVE, but they should review their caching behavior if they forward to Unbound instances. Microsoft’s DNS Server has had its own ghost domain patches over the years, most recently addressing cache-timing issues in 2023 patches. The lesson is that any recursive resolver needs regular updates and a defense-in-depth approach that pairs short TTLs with DNSSEC and real-time threat intelligence feeds.

Next steps for Windows admins

If you’re running Unbound anywhere in your Windows infrastructure, here’s your action plan:

  1. Inventory all Unbound deployments—servers, containers, VPN appliances, and test labs.
  2. Verify the version and confirm if it falls in the 1.16.2–1.25.0 range.
  3. Apply the 1.25.1 update from NLnet Labs’ website or your approved software distribution channel.
  4. Test name resolution after the update to ensure no service disruptions.
  5. Review caching policies: lower TTLs for high-risk zones, enforce DNSSEC, and integrate with security tools that can flush caches automatically when threat intelligence feeds report a domain takedown.
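The version check in steps 2 and 3 and the caching-policy review in step 5 (plus the workaround list under "Fix and mitigation"), as an added audit helper written for this article, not an NLnet Labs tool: it flags a version inside the affected range and reads unbound.conf for the settings the workarounds touch. The sample `unbound -V` output and config text are constructed, and the config reader is deliberately minimal (one `key: value` per line).

```python
import re

AFFECTED_LOW, AFFECTED_HIGH = (1, 16, 2), (1, 25, 0)   # range from the advisory

# Constructed sample inputs standing in for `unbound -V` output and unbound.conf.
SAMPLE_VERSION = "Version 1.24.2\n\nConfigure line: --with-libevent\nLinked libs: libevent 2.1.12\n"
SAMPLE_CONF = """
server:
    verbosity: 1
    cache-max-ttl: 86400          # Unbound's default
    module-config: "validator iterator"
    auto-trust-anchor-file: "C:/Program Files/Unbound/root.key"
"""

def parse_version(output: str) -> tuple:
    """Pull x.y.z out of `unbound -V` output; release suffixes are ignored."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no Unbound version string found")
    return tuple(int(x) for x in m.groups())

def is_affected(ver: tuple) -> bool:
    return AFFECTED_LOW <= ver <= AFFECTED_HIGH

def parse_conf(text: str) -> dict:
    """Strip comments and collect every 'key: value'; clause headers like 'rpz:' become keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, _, value = line.partition(":")
            settings.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return settings

def audit(version_output: str, conf_text: str) -> list:
    """Findings that map onto the action plan and the interim workarounds."""
    findings = []
    ver = parse_version(version_output)
    if is_affected(ver):
        findings.append("version %d.%d.%d is affected; upgrade to 1.25.1" % ver)
    s = parse_conf(conf_text)
    max_ttl = int(s.get("cache-max-ttl", ["86400"])[-1])   # last setting wins
    if max_ttl > 60:
        findings.append(f"cache-max-ttl={max_ttl}; lower it while unpatched")
    if "validator" not in s.get("module-config", ["validator iterator"])[-1].split():
        findings.append("DNSSEC validation is disabled in module-config")
    if not ("auto-trust-anchor-file" in s or "trust-anchor-file" in s):
        findings.append("no trust anchor configured; validation cannot succeed")
    if "rpz" not in s:
        findings.append("no RPZ clause; nothing overrides known ghost domains")
    return findings
```

Run `audit(open(path).read(), subprocess.check_output(["unbound", "-V"], text=True))` style input from each inventoried host to produce the per-deployment findings for step 1.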

For environments that can’t patch immediately, deploy the workarounds above and monitor for the availability of a Windows-specific binary update if you’re using a third-party package.

DNS security often hides in the networking layer where it’s easy to forget. But ghost domains are a stark reminder that expired doesn’t always mean dead. With CVE-2026-40622, a domain you think you’ve killed might just be hiding in a cache, waiting for the next unsuspecting user.