PowerDNS & CVE-2015-7547: possible mitigation

Feb 17, 2016

Since yesterday we have been following and studying CVE-2015-7547. More about which here.

In short, this is a vulnerability not in PowerDNS products but in the Linux C library. This vulnerability could be exploited if it would be possible to relay specifically crafted records to Linux clients.

It appears the PowerDNS Recursor out of the box makes it hard to transport such specifically crafted records.

However, at this point there is still uncertainty over how CVE-2015-7547 could be exploited exactly. It may be that there are still ways to get the PowerDNS Recursor to relay content that could exploit vulnerable clients.

(we have tweeted earlier that we thought this was not possible. It now appears not enough is known about CVE-2015-7547 to be sure).

To be on the safe side, we have published a Lua script that puts in place further restrictions in the recursor that should help block CVE-2015-7547, as far as we currently understand it.

We urge everyone to patch their Linux C libraries of course. But as long as this is in progress or not yet possible, this script may help you protect vulnerable systems:

CVE-2015-7547 mitigation script

In response to CVE-2015-7547, we are developing this Lua script which should protect your users, at a slight risk of disrupting specific queries which naturally deliver very large responses.

Run the script below by setting: lua-dns-script=stop-cve-2015-7547.lua – or use rec_control reload-lua-script stop-cve-2015-7547.lua at runtime.

Please continue to check this page for updates.

function postresolve ( remoteip, domain, qtype, records, origrcode )
        local len=0
        for key,val in ipairs(records)
                len = len + #val.qname + #val.content + 16
        if(len < 2048) then
                return -1,{}
                -- pdnslog("Protected "..remoteip.." against an overly large response of "..len.." bytes")
                return -2,{}



NOTE: We will keep updating the version of the script on GitHub and on our blog. Please check back for updates.

Please let us know if you have further questions!

About the author

Bert Hubert

Bert Hubert

Principal, PowerDNS


Related Articles

PowerDNS Security Advisory 2014-02

PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service Hi everybody,...

Bert Hubert 12/2/14

PowerDNS Security Status Polling

PowerDNS software sadly sometimes has critical security bugs. Even though we send out notifications of these via all...

Bert Hubert 10/4/14

xs.powerdns.com: PowerDNS Development & Community Server @...

Hi everybody, Over the past few months, the PowerDNS Wiki and Subversion servers had a hard time and were no longer able to...

Bert Hubert 11/1/09

PowerDNS Recursor 4.0.8 Released

Today we announce the release of the PowerDNS Recursor 4.0.8 which contains a fix for the following security advisory:...

Erik Winkels 12/2/17