[dnsdist] PowerDNS DNSdist 1.9.4 released
Remi Gacogne
remi.gacogne at powerdns.com
Mon May 13 10:02:08 UTC 2024
Hello!
We released PowerDNS DNSdist 1.9.4 today. This release fixes
CVE-2024-25581, a denial of service security issue affecting versions
1.9.0, 1.9.1, 1.9.2 and 1.9.3 only. Earlier versions are not affected.
When incoming DNS over HTTPS support is enabled using the nghttp2
provider, and queries are routed to a tcp-only or DNS over TLS backend,
an attacker can trigger an assertion failure in DNSdist by sending a
request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing
the process to stop and thus leading to a Denial of Service.
DNS over HTTPS is not enabled by default, and backends are using plain
DNS (Do53) by default.
Two work-arounds are available:
- refuse incoming XFR requests via a DNSdist rule:
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
RCodeAction(DNSRCode.REFUSED))
- switch to the legacy h2o provider by setting library='h2o' in the
addDOHLocal directive
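The two work-arounds put together in one dnsdist configuration, as an added illustration that is not part of the advisory above: the listen address, certificate and key paths, the backend address 192.0.2.53 and its subject name are assumed placeholders, not values from the announcement.

```lua
-- Added example (not from the 1.9.4 advisory): a dnsdist 1.9.0-1.9.3
-- configuration that applies both work-arounds until the upgrade is done.
-- Assumed placeholders: listen address, cert/key paths, backend address.

-- Work-around 1: refuse zone-transfer queries in dnsdist itself.
-- Both AXFR and IXFR are matched and answered with REFUSED before the query
-- can be forwarded to a TCP-only or DoT backend, so the affected code path
-- is never reached. Note that this refuses *all* XFR, including legitimate
-- ones; remove the rule after upgrading if transfers are needed.
addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}),
          RCodeAction(DNSRCode.REFUSED))

-- Work-around 2: incoming DoH listener using the legacy h2o provider instead
-- of nghttp2 (library='h2o' in the options table of addDOHLocal).
addDOHLocal('0.0.0.0:443',
            '/etc/dnsdist/doh.crt', '/etc/dnsdist/doh.key',
            {'/dns-query'},
            {library='h2o'})

-- A DNS over TLS backend, i.e. the kind of backend the issue applies to
-- (a tcpOnly=true backend over plain DNS is the other affected case).
newServer({address='192.0.2.53:853',
           tls='openssl',
           subjectName='dot.example.net'})
```

Either work-around alone is sufficient according to the advisory; applying the rule is the smaller change because it does not require restarting the DoH listener with a different provider, and it can be dropped once 1.9.4 is installed.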
We would like to thank Daniel Stirnimann from Switch for finding and
subsequently reporting this issue.
This release also includes a few other fixes:
- Fix DNS over plain HTTP broken by reloadAllCertificates()
- Fix a crash in incoming DoH with nghttp2 when the incoming query is
forwarded to the backend over TCP and the response comes back
immediately. This issue was independently reported by Daniel Stirnimann
from Switch and Stéphane Bortzmeyer, many thanks to them.
- Fix "C++ One Definition Rule" warnings in XSK
Please see the DNSdist website [1] for the more complete changelog [2]
and the current documentation. The upgrade guide is also available there
[3].
Please send us all feedback and issues you might have via the mailing
list, or in case of a bug, via GitHub [4].
The release tarball [5] and its signature [6] are available on the
downloads website, and packages for several distributions are available
from our repository [7].
[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.9.4
[3]: https://dnsdist.org/upgrade_guide.html
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]: https://downloads.powerdns.com/releases/dnsdist-1.9.4.tar.bz2
[6]: https://downloads.powerdns.com/releases/dnsdist-1.9.4.tar.bz2.sig
[7]: https://repo.powerdns.com
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/