TsuNAME vulnerability and PowerDNS Recursor

May 10, 2021

Recently, the TsuNAME vulnerability was published. It concerns DNS recursors endlessly querying authoritative nameservers if the nameservers listed in the domains form a loop.

The researchers contacted us before publication, and we established then that while a very old version of PowerDNS Recursor was found to be looping, all versions of PowerDNS Recursor since 4.0 are not affected. Note that PowerDNS Recursor versions prior to 4.2 are End Of Life. For details, consult our EOL policy page.

While not looping endlessly, PowerDNS Recursor does issue more queries than strictly necessary when encountering a nameserver loop, so we decided to implement a further mitigation of the issue. This mechanism (the non-resolving nameserver cache) will be available and enabled by default in the upcoming PowerDNS Recursor 4.5 release.
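A nameserver loop of the kind described above can be found from delegation data before any resolver meets it. The following Python example is added here and is not PowerDNS code or the researchers' tooling; the zone names, the `DELEGATIONS` sample and the function names are constructed for illustration. It assumes that an in-zone nameserver has glue at the parent and that nameservers outside the data set resolve normally.

```python
# Constructed sample: zone -> NS host names from its delegation (placeholder names).
DELEGATIONS = {
    "cat.example.": ["ns1.dog.example.", "ns2.dog.example."],
    "dog.example.": ["ns1.cat.example."],            # cat <-> dog: cyclic
    "fish.example.": ["ns1.cat.example."],           # only depends on the cycle
    "bird.example.": ["ns1.bird.example.", "ns1.cat.example."],  # in-zone NS
    "frog.example.": ["ns1.hosting.test.", "ns1.dog.example."],  # external NS
}

def enclosing_zone(host, zones):
    """Longest known zone that host falls under, or None if outside the data."""
    labels = host.lower().rstrip(".").split(".")
    candidates = (".".join(labels[i:]) + "." for i in range(len(labels)))
    return next((c for c in candidates if c in zones), None)

def find_ns_loops(delegations):
    """Return (zones on a nameserver loop, zones stuck behind such a loop)."""
    zones = {z.lower() for z in delegations}
    deps, resolvable = {}, set()
    for zone, hosts in delegations.items():
        zone = zone.lower()
        parents = {enclosing_zone(h, zones) for h in hosts}
        # Assumption: an NS outside the data set, or inside its own zone
        # (glue from the parent), can be reached without following a loop.
        if None in parents or zone in parents:
            resolvable.add(zone)
        deps[zone] = parents - {None, zone}
    while True:  # one reachable NS is enough to make a zone resolvable
        newly = {z for z in zones - resolvable if deps[z] & resolvable}
        if not newly:
            break
        resolvable |= newly
    stuck = zones - resolvable
    def reaches_itself(start):
        seen, stack = set(), list(deps[start])
        while stack:
            zone = stack.pop()
            if zone == start:
                return True
            if zone not in seen:
                seen.add(zone)
                stack.extend(deps[zone])
        return False
    looping = {z for z in stuck if reaches_itself(z)}
    return looping, stuck - looping

if __name__ == "__main__":
    print(find_ns_loops(DELEGATIONS))
```

Giving either zone on the loop one nameserver that does not depend on the other zone makes both result sets empty.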

Actions for system administrators running PowerDNS Recursor

Make sure you run a supported version of PowerDNS Recursor. Currently this means version 4.2.5, 4.3.7, 4.4.3 or newer. Note that some distributions ship unsupported versions of PowerDNS Recursor. This is something out of our control, but for popular distributions you can install the latest supported version from our repository.

About the author

Otto Moerbeek

Senior Developer at PowerDNS
