
PowerDNS DNSdist 1.9.4 released

May 13, 2024 11:59:34 AM

We released PowerDNS DNSdist 1.9.4 today. This release fixes CVE-2024-25581, a denial of service security issue affecting only versions 1.9.0, 1.9.1, 1.9.2 and 1.9.3. Earlier versions are not affected.

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a TCP-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a zone transfer request (AXFR or IXFR) over DNS over HTTPS. The assertion failure stops the process, leading to a Denial of Service.

DNS over HTTPS is not enabled by default, and backends use plain DNS (Do53) by default.

Two workarounds are available:

  • refuse incoming XFR requests via a DNSdist rule: addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))

  • switch to the legacy h2o provider by setting library='h2o' in the addDOHLocal directive
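The following dnsdist configuration fragment is an added illustration, not a configuration shipped by PowerDNS or taken from the release. It shows the affected combination (nghttp2 DoH frontend, TCP-only or DoT backend) next to the first workaround, and extends the workaround so that secondaries which legitimately pull zones through this DNSdist are allow-listed rather than refused. The listener address, certificate paths, backend address and the 192.0.2.0/24 secondary range are placeholders.

```lua
-- Added example, not PowerDNS's own configuration. Addresses, certificate
-- paths and the 192.0.2.0/24 range are placeholders.

-- Affected combination in 1.9.0 to 1.9.3: incoming DoH served by the nghttp2
-- provider. Replacing library='nghttp2' with library='h2o' is the second
-- workaround from the advisory.
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            {"/dns-query"}, {library='nghttp2'})

-- ... combined with a TCP-only backend. A DoT backend (tls='openssl' or
-- tls='gnutls') is affected in the same way.
newServer({address="192.0.2.10:53", tcpOnly=true})

-- Workaround 1 from the advisory: refuse zone transfers before they reach the
-- backend. Matches both AXFR and IXFR.
local xfr = OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)})

-- The advisory's rule, addAction(xfr, RCodeAction(DNSRCode.REFUSED)), refuses
-- XFR on every frontend, not only DoH. If secondaries really do transfer
-- zones through this DNSdist, allow-list them and refuse everyone else.
-- Rules are evaluated in order and the first match wins, so install one form
-- or the other, not both.
local secondaries = newNMG()
secondaries:addMask("192.0.2.0/24")
addAction(AndRule({xfr, NotRule(NetmaskGroupRule(secondaries))}),
          RCodeAction(DNSRCode.REFUSED))
```

After loading the configuration, `dig +https @<listener> example.org AXFR` from an address outside the allow-list should return REFUSED from DNSdist itself without the query ever reaching the backend; `getAction(0)` or the `showRules()` output in the console can be used to confirm the rule is installed in the expected position.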

We would like to thank Daniel Stirnimann from Switch for finding and subsequently reporting this issue.

This release also includes a few other fixes:

  • Fix DNS over plain HTTP broken by reloadAllCertificates()

  • Fix a crash in incoming DoH with nghttp2 when the incoming query is forwarded to the backend over TCP and the response comes back immediately. This issue was independently reported by Daniel Stirnimann from Switch and Stéphane Bortzmeyer, many thanks to them.

  • Fix "C++ One Definition Rule" warnings in XSK

Please see the DNSdist website for the changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.
