TsuNAME vulnerability and PowerDNS Recursor

May 10, 2021

Recently, the TsuNAME vulnerability was published. It concerns DNS recursors endlessly querying authoritative nameservers if the nameservers listed in the domains form a loop.
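The loop condition described above, as an added example (not PowerDNS code and not part of the original post): a Python check that reports zones whose nameservers can only be reached through each other, or through zones that are themselves stuck. The zone data and the names `SAMPLE_DELEGATIONS`, `enclosing_zone` and `unresolvable_zones` are constructed for illustration. The check assumes in-bailiwick nameservers have glue and nameservers outside the data set resolve normally.

```python
# Constructed sample data (zone -> NS hostnames); every name here is made up.
SAMPLE_DELEGATIONS = {
    "example.org.": ["ns1.example.net.", "ns2.example.net."],
    "example.net.": ["ns1.example.org."],   # points back at example.org: loop
    "example.com.": ["ns1.example.com."],   # in-bailiwick, reachable via glue
    "example.edu.": ["ns.example.com.", "ns1.example.net."],  # one good NS
    "example.info.": ["ns2.example.org."],  # not in the loop, but stuck behind it
}


def enclosing_zone(hostname, zones):
    """Return the closest (longest-suffix) zone in `zones` containing hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def unresolvable_zones(delegations):
    """Return zones whose nameservers can never be resolved.

    Assumptions: an in-bailiwick NS is reachable through glue, and an NS whose
    zone is not in `delegations` resolves normally.
    """
    # Normalise zone names to lower case with a trailing dot.
    zones = {z.lower().rstrip(".") + ".": ns for z, ns in delegations.items()}
    resolvable = set()
    changed = True
    while changed:  # fixed point: keep marking zones until nothing new is found
        changed = False
        for zone, nameservers in zones.items():
            if zone in resolvable:
                continue
            for ns in nameservers:
                parent = enclosing_zone(ns, zones)
                if parent is None or parent == zone or parent in resolvable:
                    resolvable.add(zone)
                    changed = True
                    break
    return sorted(set(zones) - resolvable)


if __name__ == "__main__":
    for zone in unresolvable_zones(SAMPLE_DELEGATIONS):
        print("cyclic NS dependency blocks:", zone)
```

A zone with even one nameserver outside the loop still resolves, which is why `example.edu.` is not reported while `example.info.` is.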

The researchers contacted us before publication, and we established then that while a very old version of PowerDNS Recursor was found to be looping, all versions of PowerDNS Recursor since 4.0 are not affected. Note that PowerDNS Recursor versions prior to 4.2 are End Of Life. For details, consult our EOL policy page.

While it does not loop endlessly, PowerDNS does issue more queries than strictly necessary when it encounters a nameserver loop, so we decided to implement a further mitigation of the issue. This mechanism (the non-resolving nameserver cache) will be available and enabled by default in the upcoming PowerDNS Recursor 4.5 release.

Actions for system administrators running PowerDNS Recursor

Make sure you run a supported version of PowerDNS Recursor. Currently this means version 4.2.5, 4.3.7, 4.4.3 or newer. Note that some distributions ship unsupported versions of PowerDNS Recursor. This is out of our control, but for popular distributions you can install the latest supported version from our repository.

About the author

Otto Moerbeek

Senior Developer at PowerDNS

