
The PowerDNS team has issued a high-severity security advisory—CVE-2025-30194—regarding a newly discovered denial-of-service (DoS) vulnerability in DNSdist, the company’s DNS load balancer. The flaw affects versions 1.9.0 through 1.9.8 when configured with the nghttp2 provider for DNS over HTTPS (DoH), and it can be triggered by a maliciously crafted DoH exchange.
The vulnerability carries a CVSS score of 7.5, categorized as high severity. It is classified as CWE-416 (Use After Free): improper memory management lets a crafted exchange trigger a double free, which crashes the DNSdist process and causes a denial of service.
“When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist,” PowerDNS explained in the advisory.
While there is no risk of system compromise or code execution, the exploit can remotely crash DNSdist, disrupting DNS resolution services. This could lead to outages for applications and services that rely on DNSdist for query forwarding and filtering, particularly in high-availability and enterprise-grade environments.
The attack requires no privileges or user interaction and is exploitable over the network, making it a concerning issue for publicly exposed DoH endpoints.
The vulnerability affects:
- DNSdist versions 1.9.0 to 1.9.8
It does not affect:
- Versions before 1.9.0
- Version 1.9.9, where the issue has been patched
Administrators are strongly advised to upgrade to version 1.9.9 to mitigate the risk. For systems that cannot be immediately updated, PowerDNS recommends a temporary workaround: “Switch to the h2o provider until DNSdist has been upgraded to a fixed version.”
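The workaround as a dnsdist.conf fragment, added here as an illustration rather than taken from the advisory; the listen address, certificate and key paths, and backend address are assumed placeholders, and the `library` option of `addDOHLocal` is the per-frontend DoH library selector available in the 1.9.x series:

```lua
-- Added example (not from the PowerDNS advisory). Placeholder values:
-- backend 192.0.2.53, listen 0.0.0.0:443, /etc/dnsdist/doh.{crt,key}.
newServer({address = "192.0.2.53:53", name = "resolver-backend"})

-- Affected configuration on 1.9.0 through 1.9.8: with no library given,
-- a build that has nghttp2 available selects the nghttp2 provider for
-- the DoH frontend, which is the provider the advisory describes.
-- addDOHLocal("0.0.0.0:443",
--             "/etc/dnsdist/doh.crt", "/etc/dnsdist/doh.key",
--             {"/dns-query"})

-- Temporary workaround from the advisory: pin the frontend to the h2o
-- provider until the upgrade to 1.9.9 is done. Same address, certificate,
-- key and URL path; only the DoH library changes.
addDOHLocal("0.0.0.0:443",
            "/etc/dnsdist/doh.crt", "/etc/dnsdist/doh.key",
            {"/dns-query"},
            {library = "h2o"})
```

This only takes effect on a dnsdist binary built with h2o support; check the feature list printed by `dnsdist --version` before relying on it, and treat the change as a stopgap, since upgrading to 1.9.9 is the actual fix.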