Update Released for PowerDNS to Thwart Denial of Service Attack (CVE-2024-25581)

CVE-2024-25581

PowerDNS, a widely used open-source DNS software provider, has issued a security advisory regarding a vulnerability (CVE-2024-25581) in its DNSdist software versions 1.9.0 through 1.9.3. The vulnerability allows an attacker to trigger a denial of service (DoS) condition, potentially disrupting DNS resolution for large-scale service providers, including internet service providers (ISPs) and hosting providers.

PowerDNS is renowned for its secure open-source and commercial DNS solutions, catering primarily to broadband operators and hosting services. Its DNSdist product is specifically designed to enhance the performance and security of internet services, shielding users from DDoS attacks and malware, while maintaining high service standards.

The CVE-2024-25581 (CVSS 7.5) vulnerability, identified in DNSdist’s handling of DNS over HTTPS (DoH) requests, specifically affects setups using the nghttp2 provider for incoming DoH support. When DNSdist is configured to route queries to a TCP-only or DNS over TLS backend, an attacker can exploit this setup by requesting a zone transfer (either AXFR or IXFR) over DoH. This request triggers an assertion failure that leads to the abrupt termination of the DNSdist process, effectively causing a DoS condition.

Importantly, DNS over HTTPS is not a default setting, and most backends typically use plain DNS (Do53), which limits the exposure to this vulnerability under standard configurations.

To address this critical issue, PowerDNS has released DNSdist version 1.9.4, which contains the necessary fixes to mitigate the vulnerability. For users who are currently unable to upgrade, PowerDNS has outlined two immediate workarounds:

  • Refusing XFR Requests: Configure DNSdist to refuse incoming XFR requests by adding the following rule: addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
  • Switching Providers: Alternatively, switch to the legacy h2o provider by changing the addDOHLocal directive to use library='h2o'.
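As an added illustration (not from the PowerDNS advisory), the DNSdist Lua configuration fragment below shows the affected shape of setup alongside the first workaround; the listen address, certificate paths, backend addresses and subject name are placeholders, and the 1.9.x option names are assumed from DNSdist's documented newServer and addDOHLocal parameters.

```lua
-- dnsdist.conf (Lua). Constructed example; addresses and paths are placeholders.

-- Incoming DoH listener using the nghttp2 provider: the code path affected by
-- CVE-2024-25581 on DNSdist 1.9.0 through 1.9.3.
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            {"/dns-query"}, {library="nghttp2"})

-- The backend types the advisory names: a TCP-only backend and a DNS over TLS
-- backend. A plain Do53 (UDP-capable) backend is not affected.
newServer({address="192.0.2.10:53", tcpOnly=true})
newServer({address="192.0.2.11:853", tls="openssl", subjectName="dns.example"})

-- Workaround 1 from the advisory: answer AXFR/IXFR with REFUSED before the
-- query is forwarded. Install it ahead of other rules so it is evaluated first.
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
          RCodeAction(DNSRCode.REFUSED))

-- Workaround 2 from the advisory (an alternative to the listener above, not in
-- addition to it): keep DoH but fall back to the legacy h2o provider.
-- addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
--             {"/dns-query"}, {library="h2o"})
```

With the rule in place, an AXFR or IXFR query arriving over the DoH listener receives REFUSED instead of reaching the TCP-only or DoT backend, so the assertion the advisory describes is never hit; upgrading to 1.9.4 remains the proper fix.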

If upgrading is not immediately possible, apply the patch for version 1.9.3.