Since yesterday we have been following and studying CVE-2015-7547. More about which here.
In short, this is a vulnerability not in PowerDNS products but in the Linux C library. This vulnerability could be exploited if it would be possible to relay specifically crafted records to Linux clients.
It appears the PowerDNS Recursor out of the box makes it hard to transport such specifically crafted records.
However, at this point there is still uncertainty over how CVE-2015-7547 could be exploited exactly. It may be that there are still ways to get the PowerDNS Recursor to relay content that could exploit vulnerable clients.
(we have tweeted earlier that we thought this was not possible. It now appears not enough is known about CVE-2015-7547 to be sure).
To be on the safe side, we have published a Lua script that puts in place further restrictions in the recursor that should help block CVE-2015-7547, as far as we currently understand it.
We urge everyone to patch their Linux C libraries of course. But as long as this is in progress or not yet possible, this script may help you protect vulnerable systems:
CVE-2015-7547 mitigation script
In response to CVE-2015-7547, we are developing this Lua script which should protect your users, at a slight risk of disrupting specific queries which naturally deliver very large responses.
Run the script below by setting: lua-dns-script=stop-cve-2015-7547.lua – or use rec_control reload-lua-script stop-cve-2015-7547.lua at runtime.
Please continue to check this page for updates.
function postresolve ( remoteip, domain, qtype, records, origrcode )
local len=0
for key,val in ipairs(records)
do
len = len + #val.qname + #val.content + 16
end
if(len < 2048) then
return -1,{}
else
-- pdnslog("Protected "..remoteip.." against an overly large response of "..len.." bytes")
return -2,{}
end
end
