PowerDNS Blog

PowerDNS DNSdist 1.9.10 released, fixing CVE-2025-30193

Written by Remi Gacogne | May 20, 2025 11:14:55 AM

We released PowerDNS DNSdist 1.9.10 today, fixing several bugs including a security issue tracked as CVE-2025-30193, where a remote, unauthenticated attacker can cause a denial of service via a crafted TCP connection. The issue was reported to us via our public IRC channel, so once it was clear that it had a security impact, we prepared to release a new version as soon as possible.

While we advise upgrading to a fixed version, a work-around is to temporarily restrict the number of queries that DNSdist is willing to accept over a single incoming TCP connection, via the setMaxTCPQueriesPerConnection directive. Setting it to 50 is a safe choice that does not impact performance in our tests.
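
As an added example (not part of the original post and not PowerDNS code), the shell function below reports whether a DNSdist Lua configuration already applies this work-around. It assumes a single configuration file with -- line comments, that the last call in the file takes effect, and that a value of 0 means unlimited; the function name tcp_limit_status and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Audit a DNSdist Lua configuration for the TCP work-around.
# Prints one of: unset | unlimited | above:<n> | ok:<n>
# RECOMMENDED is the value suggested in the post. Reporting larger values as
# "above" is an assumption of this example, not a statement from the post.
RECOMMENDED=50

tcp_limit_status() {
    # $1: path to the configuration file (reads stdin when omitted).
    # Not handled: Lua block comments (--[[ ... ]]) and included files.
    cat "${1:--}" | awk -v rec="$RECOMMENDED" '
        {
            sub(/--.*/, "")   # drop Lua line comments
            if (match($0, /setMaxTCPQueriesPerConnection[ \t]*\([ \t]*[0-9]+[ \t]*\)/)) {
                call = substr($0, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", call)   # keep only the numeric argument
                value = call + 0
                seen = 1                   # a later call overrides an earlier one
            }
        }
        END {
            if (!seen)            print "unset"
            else if (value == 0)  print "unlimited"
            else if (value > rec) print "above:" value
            else                  print "ok:" value
        }'
}

# Constructed sample configuration, fed on stdin.
tcp_limit_status <<'EOF'
newServer({address="192.0.2.53"})
-- setMaxTCPQueriesPerConnection(0)
setMaxTCPQueriesPerConnection(50) -- temporary work-around
EOF
```

A result of unset or unlimited means the work-around is not in place in that file.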

Other fixes include:

  • On FreeBSD, only pass source addresses on sockets bound to ANY

  • Limit number of proxy protocol-enabled outgoing TCP connections

  • Fix cache lookup for unavailable TCP-only backends

  • Fix memory corruption when using getAddressInfo

  • Only set the proxy protocol payload size when actually added

Please see the DNSdist website for the changelog and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarball and its signature are available on the downloads website, and packages for several distributions are available from our repository.