Security Update: PowerDNS Recursor 3.6.1

Hi everybody,

We regret that we have to announce a PowerDNS Recursor security release:

Issue:    A specific sequence of packets can crash PowerDNS Recursor 3.6.0 remotely
CVE:      CVE-2014-3614
Affected: All deployments of PowerDNS Recursor 3.6.0 
Not Affected: 
          PowerDNS Authoritative Server, PowerDNS Recursor versions other than 3.6.0 
          1) Only users from netmasks specified in 'allow-from' can cause the crash 
          2) add automated restarting
          Upgrade to 3.6.1, or apply our minimal patch and recompile
          Distributions shipping 3.6.0 have been notified and will be providing updates very soon

Recently, we’ve discovered that PowerDNS Recursor 3.6.0 (but NOT earlier) can crash when exposed to a specific sequence of malformed packets. This sequence happened spontaneously with one of our largest deployments, and the packets did not appear to have a malicious origin.

Yet, this crash can be triggered remotely, leading to a denial of service attack. There appears to be no way to use this crash for system compromise or stack overflow.

PowerDNS Recursor 3.6.1 packages and sources are available from

In addition, if you want to apply a minimal fix, it can be found on:

Finally, distributions that ship PowerDNS Recursor 3.6.0 have been notified and will be providing updated packages soon.

As for workarounds, only clients in allow-from are able to trigger the crash, so this should be limited to your userbase. Secondly,
can be used to enable Upstart and Systemd to restart the PowerDNS Recursor in case of a crash.

3.6.1 release notes:

In addition to various fixes related to this potential crash, 3.6.1 fixes a few minor issues and adds a debugging feature:

  • We could not encode IPv6 AAAA records that mapped to IPv4 addresses in some cases (:ffff. Fixed in commit c90fcbd , closing ticket 1663.
  • Improve systemd startup timing with respect to network availability (commit cf86c6a), thanks to Morten Stevens.
  • Realtime telemetry can now be enabled at runtime, for example with ‘rec_control carbon-server ourname1234’. This ties in to our existing carbon-server and carbon-ourname settings, but now at runtime. This specific invocation will make your stats appear automatically on our public telemetry server.

We want to thank the dedicated PowerDNS users that spent months investigating the rare crashes they observed. Without such an engaged community, we would never be able to chase down issues like these.

If you need any help with upgrading, please contact us either on the mailing lists or via our website or phone.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s