PowerDNS Recursor 4.4.5 and 4.5.5 Released

We are proud to announce the release of PowerDNS Recursor 4.4.5. and 4.5.5.

Both releases contain an improvement to work around broken authoritative servers sending replies without the “authoritative answer” (AA) bit set.

The 4.5.5 release contains a fix to an issue where an insecure domain with signatures records could be marked as bogus due to a missed zone cut and a fix to the aggressive NSEC(3) cache handling of denials of DS records.

Please refer to the change logs for the 4.4.4 and 4.5.5 releases for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarballs (4.4.5, 4.5.5) and signatures (4.4.5, 4.5.5) are available from our download server and packages for several distributions are available from our repository.

The 4.2.x release is EOL and the 4.3.x and 4.4.x releases are in critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that starting with the 4.5 release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

security advisory 2021-01 for PowerDNS Authoritative Server 4.5.0

Hello,

today we have released PowerDNS Authoritative Server 4.5.1, fixing a remotely triggered crash present in version 4.5.0. No other versions are affected.

Tarballs and signatures are available at https://downloads.powerdns.com/releases/, and a single patch is available at https://downloads.powerdns.com/patches/2021-01/. However, 4.5.1 contains no other changes.

Please find the full text of the advisory below.

PowerDNS Security Advisory 2021-01: Specific query crashes Authoritative Server

  • CVE: CVE-2021-36754
  • Date: July 26th, 2021
  • Affects: PowerDNS Authoritative version 4.5.0
  • Not affected: 4.4.x and below, 4.5.1
  • Severity: High
  • Impact: Denial of service
  • Exploit: This problem can be triggered via a specific query packet
  • Risk of system compromise: None
  • Solution: Upgrade to 4.5.1, or filter queries in dnsdist

PowerDNS Authoritative Server 4.5.0 (and the alpha/beta/rc1/rc2 prereleases that came before it) will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected.

Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)).

When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.

We would like to thank Reinier Schoof and Robin Geuze of TransIP for noticing crashes in production, immediately letting us know, and helping us figure out what was happening.

PowerDNS Authoritative Server 4.5.0

Hello!

PowerDNS Authoritative Server 4.5.0 was released today.

Version 4.5.0 mostly brings small improvements and fixes, but there are two notable new features:

  • The ‘zone cache’, which allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference. Users of backends with dynamically generated zones may want to disable this or at least read the upgrade notes extremely carefully. Many thanks to Chris Hofstaedtler for implementing this. This work by Chris was supported by RcodeZero DNS.

  • Priority ordering in the AXFR queue in PowerDNS running as a secondary. Some users with a lot of domains (>100k) sometimes found real changes waiting behind signature refreshes on Thursdays. With the new ordering, those real changes can ‘skip the line’ and get deployed on your secondaries faster. Many thanks to Robin Geuze of TransIP for implementing this.

Since 4.5.0-beta1, the zone cache is enabled by default.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.5.0-RC2

Hello!

Today we released the second, and hopefully last, Release Candidate for Authoritative Server version 4.5.0. Please try it!

Version 4.5.0 mostly brings small improvements and fixes, but there are two notable new features:

  • The ‘zone cache’, which allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference. Many thanks to Chris Hofstaedtler for implementing this.
  • Priority ordering in the AXFR queue in PowerDNS running as a secondary. Some users with a lot of domains (>100k) sometimes found real changes waiting behind signature refreshes on Thursdays. With the new ordering, those real changes can ‘skip the line’ and get deployed on your secondaries faster. Many thanks to Robin Geuze for implementing this.

Since 4.5.0-beta1, the zone cache is enabled by default.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.5.4 Released

We are proud to announce the release of PowerDNS Recursor 4.5.4. This release contains a fix to an issue where the answer to a non-existent DS query was missing a SOA record. In particular this can be a problem if PowerDNS Recursor is used as a forwarding target by a validating client.

Due to an issue with the build system PowerDNS Recursor 4.5.3 was never released publicly.

Please refer to the change log for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarball and signature are available from our download server and packages for several distributions are available from our repository.

With the earlier 4.5.1 release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

PowerDNS Authoritative Server 4.5.0-RC1

Hello!

Today we released the first Release Candidate for Authoritative Server version 4.5.0. Please try it!

Version 4.5.0 mostly brings small improvements and fixes, but there is one notable new feature: the zone cache.

The zone cache allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference.

Since 4.5.0-beta1, the zone cache is enabled by default.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Authoritative Server 4.5.0-beta1

Hello!

Today we released the first Beta version for Authoritative Server version 4.5.0.

Version 4.5.0 mostly brings small improvements and fixes, but there is one notable new feature: the zone cache.

The zone cache allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference.

In beta1, the zone cache is enabled by default.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

PowerDNS Recursor 4.4.4 and 4.5.2 Released

We are proud to announce the release of PowerDNS Recursor 4.4.4. and 4.5.2. Both releases contain mostly smaller bug fixes. For the 4.5.2 release the default value of nsec3-max-iterations has  been lowered to 150, in accordance with new guidelines and in coordination with other vendors. Furthermore, an issue affecting the “refresh almost expired” function has been fixed.

Please refer to the change logs for the 4.4.4 and 4.5.2 release for additional details.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The tarballs (4.4.4, 4.5.2) and signatures (4.4.4, 4.5.2) are available from our download server and packages for several distributions are available from our repository.

With the previous 4.5.1 release, the 4.2.x releases will be EOL and the 4.3.x and 4.4.x releases will go into critical fixes only mode. Consult the EOL policy for more details.

We would also like to announce that with this release we will stop supporting systems using 32-bit time. This includes 32-bit Linux platforms like arm6, arm7, and i386.

We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.

DNS cache snooping attack

We have been getting questions about “DNS Server Cache Snooping Remote Information Disclosure” attacks lately, mostly coming from reports generated by one very popular security scanner:

DNS Server Cache Snooping Remote Information Disclosure

Synopsis:
The remote DNS server is vulnerable to cache snooping attacks.

Description:
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set.
This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution.
Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more.

Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network.

This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.

Risk factor:
Medium

CVSS Base Score:
5.0

CVSS2#AV:
N/AC:L/Au:N/C:P/I:N/A:N

See also:
http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

Solution:
Contact the vendor of the DNS software for a fix.

So what is this about?

The idea behind this “attack” is to find out whether a given recursive DNS server has been asked to resolve a given domain name recently. This might in theory be used by an authorized user to know which domains would be worth targeting for mis-typing attacks.

It cannot, however, be used to get the whole content of the cache since one needs to know which domains to query, and of course can’t be used either to know who requested that domain.

How does this work?

It works by exploiting the fact that DNS resolvers do not perform actual resolution for every query they get, instead they all rely on one or several caches, allowing them to remember the responses they have recently received for a certain time, up to the “TTL” value of the response. So if we can determine that a given domain is in the cache, we know that it was queried at most “TTL” seconds ago.

The easiest way to determine if a recursive server has a given domain in cache is to ask: sending a DNS query with the recursion desired bit cleared (RD=0) will only return results from the resolver cache, as per RFC 1034. If information is available about the requested name and type, it is returned, otherwise an empty ‘No Error’ answer is sent.

Should the server refuse to answer these queries, it is also possible to know whether an answer comes from the cache by looking at the TTL returned by the recursive server for a RD=1 request, and comparing it to the original TTL returned by a name server authoritative for that domain. If the TTL returned by the recursor is equal to the one returned by the authoritative server, it was likely not in cache, or was cached less than a second ago. Otherwise it comes from the recursor cache.

We could also precisely measure the time taken by the server to respond, since in the absence of a cached answer the recursive server would have to contact an authoritative server over the network, likely increasing the response time by several milliseconds.

Why does the Recursion Desired feature exist in the first place?

That feature is an integral part of the DNS protocol, as described in RFC 1034, in particular for communication between a recursive server and an authoritative server, where recursion is indeed not desired. As some servers historically provided both authoritative and recursive services, it still makes sense today to be able to distinguish the client’s expectations and to advertise the server capabilities.

It should also be noted that it is extremely useful to be able to use RD=0 queries to remotely inspect the content of the cache for a given name when troubleshooting operational issues in production. The alternative would require connecting to the running recursor process using rec_control and dumping the whole cache.

Mitigations

The first method might be mitigated by refusing RD=0 queries, for example using dnsdist:

addAction(NotRule(RDRule()), RCodeAction(DNSRCode.REFUSED))

It might however break existing clients and setups, since the RD=0 behaviour has been relied on for decades. Moreover, there is no way to mitigate the second and third ones without violating fundamental DNS specifications and impacting performance.

Therefore our recommendation is to simply ignore this “issue”, since there is no clear threat-model where it is actually relevant. This is also the conclusion that the fine folks of ISC reached regarding their BIND DNS server.

PowerDNS Authoritative Server 4.5.0-alpha1

Hello!

Today we released the first Alpha version for Authoritative Server version 4.5.0.

Version 4.5.0 mostly brings small improvements and fixes, but there is one notable new feature: the zone cache.

The zone cache allows PowerDNS to keep a list of zones in memory, updated periodically. With this cache, PowerDNS can avoid hitting the database with queries for unknown domains. In some setups, and some attack scenarios, this can make a serious performance difference.

A full list of changes can be found in the changelog.

Please make sure to read the Upgrade Notes before upgrading.

With version 4.5.0, support for platforms with a time_t type smaller than 64 bits is dropped. This means that we do not build packages for Raspberry Pi OS.

The tarball (signature) is available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.