PowerDNS Blog

PowerDNS Security Advisory 2025-05 for DNSdist: Denial of service via crafted DoH exchange

Written by Remi Gacogne | Sep 18, 2025 9:17:34 AM

Today we have released PowerDNS DNSdist 1.9.11 and 2.0.1. These releases fix PowerDNS Security Advisory 2025-05 for DNSdist, a denial of service via crafted DoH exchange.

While working on adding mitigations against the MadeYouReset (CVE-2025-8671) attack, we noticed a potential denial of service in our DNS over HTTPS implementation when the nghttp2 provider is in use: an attacker might be able to craft a DoH exchange that triggers an unbounded I/O read loop, causing unexpected CPU consumption. We assigned CVE-2025-30187 to this issue. The offending code was introduced in DNSdist 1.9.0-alpha1, so earlier versions are not affected.
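The affected range follows directly from the statements above (introduced in 1.9.0-alpha1, fixed in 1.9.11 and 2.0.1), but comparing version strings that carry alpha/beta/rc tags by hand is error-prone. The following is an added example, not code from PowerDNS or the advisory: it orders pre-release tags correctly, answers "is this version affected?" for a bare version string or the first line of `dnsdist --version`, and can optionally query the local binary. Two assumptions are ours: that every 2.0.0 pre-release is affected (the 2.0 branch carries the 1.9 code and 2.0.1 is the first fixed 2.0 release), and that the first line of `dnsdist --version` begins with `dnsdist <version>`. It checks the version only; the advisory scopes the bug to the nghttp2 DoH provider, and this script does not inspect the DoH configuration.

```python
"""Added example: decide whether a DNSdist version string falls in the
range affected by CVE-2025-30187.

Per the advisory, the offending code appeared in 1.9.0-alpha1 and the
fix shipped in 1.9.11 and 2.0.1, so the affected ranges are
1.9.0-alpha1 <= v < 1.9.11 and 2.0.0-alpha1 <= v < 2.0.1 (treating
every 2.0.0 pre-release as affected is our inference, since the 2.0
branch carries the 1.9 code and 2.0.1 is the first fixed 2.0 release).
"""
import re
import subprocess

# Pre-release tags sort below the final release of the same number:
# 1.9.0-alpha1 < 1.9.0-beta1 < 1.9.0-rc1 < 1.9.0
_PRE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = (3, 0)

# Matches "1.9.10", "2.0.0-alpha1", or "dnsdist 1.9.10 (...)" so the
# first line of `dnsdist --version` can be passed straight in. Other
# version numbers in that line (e.g. the Lua version) are not matched.
_VERSION_RE = re.compile(
    r"(?:^|\bdnsdist\s+)(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?"
)


def parse_version(text):
    """Return a tuple that compares correctly across pre-release tags."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no dnsdist version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = (_PRE_ORDER[m.group(4)], int(m.group(5))) if m.group(4) else _FINAL
    return (major, minor, patch) + pre


# (first affected, first fixed) pairs; the upper bound is exclusive.
AFFECTED_RANGES = [
    (parse_version("1.9.0-alpha1"), parse_version("1.9.11")),
    (parse_version("2.0.0-alpha1"), parse_version("2.0.1")),
]


def is_affected(version):
    """True if `version` (a bare version string or the first line of
    `dnsdist --version`) lies in an affected range for CVE-2025-30187."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def installed_version():
    """Ask the local binary. Assumption (not from the advisory): the first
    line of `dnsdist --version` starts with 'dnsdist <version>'."""
    proc = subprocess.run(["dnsdist", "--version"], capture_output=True, text=True)
    return (proc.stdout + proc.stderr).splitlines()[0]


if __name__ == "__main__":
    # Constructed sample inputs, not real command output.
    for sample in ("dnsdist 1.9.10 (Lua 5.4.6)", "dnsdist 1.9.11 (Lua 5.4.6)",
                   "1.9.0-alpha1", "1.8.4", "2.0.0", "2.0.1"):
        print(f"{sample:32} affected={is_affected(sample)}")
    try:
        local = installed_version()
        print(f"installed: {local!r} affected={is_affected(local)}")
    except (OSError, IndexError, ValueError) as exc:
        print("could not query local dnsdist:", exc)
```

A version that is not affected by this advisory can still need the update for the MadeYouReset mitigations or the Quiche fixes mentioned below, so treat a negative result as "not exposed to CVE-2025-30187", not as "no upgrade needed".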

In addition to fixing this issue, the 1.9.11 and 2.0.1 releases add several mitigations against the MadeYouReset (CVE-2025-8671) attack. Our packages also include fixes for several security issues discovered in Cloudflare's Quiche, the library DNSdist uses for DoQ and DoH3 (CVE-2025-4820, CVE-2025-4821, CVE-2025-7054); if you build DNSdist from source, make sure the Quiche you link against carries these fixes as well.

The 2.0.1 release also contains several bug fixes and performance improvements.

Please see the DNSdist website for the changelogs (1.9.11, 2.0.1) and the current documentation.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.

The release tarballs (1.9.11, 2.0.1) and their signatures (1.9.11, 2.0.1) are available on the downloads website, and packages for several distributions are available from our repository.