PowerDNS & CVE-2015-7547: possible mitigation

Since yesterday we have been following and studying CVE-2015-7547. More about which here.

In short, this is a vulnerability not in PowerDNS products but in the Linux C library. This vulnerability could be exploited if it would be possible to relay specifically crafted records to Linux clients.

It appears the PowerDNS Recursor out of the box makes it hard to transport such specifically crafted records.

However, at this point there is still uncertainty over how CVE-2015-7547 could be exploited exactly. It may be that there are still ways to get the PowerDNS Recursor to relay content that could exploit vulnerable clients.

(we have tweeted earlier that we thought this was not possible. It now appears not enough is known about CVE-2015-7547 to be sure).

To be on the safe side, we have published a Lua script that puts in place further restrictions in the recursor that should help block CVE-2015-7547, as far as we currently understand it.

We urge everyone to patch their Linux C libraries of course. But as long as this is in progress or not yet possible, this script may help you protect vulnerable systems:

NOTE: We will keep updating the version of the script on GitHub and on our blog. Please check back for updates.

Please let us know if you have further questions!


  1. Pingback: CVE-2015-7547をDNSで何とかする方法を考えてみる | NaviPlus Engineers' Blog
  2. Pingback: StrongArm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s