[Pdns-announce] Workaround for PowerDNS Security Advisory 2014-02
bert.hubert at netherlabs.nl
Wed Dec 10 12:02:21 UTC 2014
We're talking to many impacted PowerDNS users today. No matter what version
of the PowerDNS Recursor you run, if you have any problems with
ezdns/tracker.istole.it/ezrss/eztv domains today, we recommend the
'nullzoning' from below.
On Tue, Dec 09, 2014 at 03:31:35PM +0100, bert hubert wrote:
> Hi everybody,
> From PowerDNS users we have heard of problems caused by various domain names
> related to PowerDNS Security Advisory 2014-02 (CVE-2014-8601),
> If you are not yet in a position to upgrade to 3.6.2, or even if you have
> upgraded and traffic for these domains is causing CPU spikes anyhow, we
> recommend the following configuration line as a workaround:
> And this file 'nullzone':
> @ 3600 IN SOA ns hostmaster 2013041204 9000 450 604800 450
> @ 3600 IN NS ns1
> ns1 3600 IN A 127.0.0.1
> You might need to add a path to nullzone for this to work reliably.
> This functions pretty well for us in testing. It will kill some domains that
> currently don't work anyhow, but relax your CPU a lot if you are under
> You can update auth-zones using 'rec_control reload-zones' at runtime
> without restarting the recursor, which will discover new zones to be blocked
> or no longer blocked.
> Again, if you have any questions, please either contact us on our mailing
> lists, or privately via powerdns.support at powerdns.com (should you wish to
> make use of our SLA-backed support program).
> PowerDNS Website: http://www.powerdns.com/
> Contact us by phone on +31-15-7850372
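
An added example, not part of the original mail or of PowerDNS: a small generator for the `auth-zones` line that points a set of zones at the 'nullzone' file quoted above. The `zone=file` comma-separated list is the Recursor's documented `auth-zones` syntax rather than the configuration line missing from this archived copy; the domain names and the path `/etc/powerdns/nullzone` are constructed placeholders.

```python
import re

# Zone file body as given in the advisory workaround above.
NULLZONE = (
    "@ 3600 IN SOA ns hostmaster 2013041204 9000 450 604800 450\n"
    "@ 3600 IN NS ns1\n"
    "ns1 3600 IN A 127.0.0.1\n"
)

# One DNS label: 1-63 chars, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def normalize_zone(name):
    """Lower-case, strip the trailing dot, reject anything not a plain DNS name."""
    zone = name.strip().lower().rstrip(".")
    labels = zone.split(".")
    if not zone or len(zone) > 253 or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"not a usable zone name: {name!r}")
    return zone


def build_auth_zones(domains, zonefile):
    """Return one recursor.conf line mapping every domain to the same zone file."""
    if not zonefile.startswith("/"):
        # The mail notes a path may be needed: a bare file name depends on
        # the daemon's working directory.
        raise ValueError("zonefile must be an absolute path")
    if "," in zonefile or "=" in zonefile or any(c.isspace() for c in zonefile):
        raise ValueError("zonefile path would break the zone=file list syntax")
    zones = sorted({normalize_zone(d) for d in domains})  # de-duplicated
    if not zones:
        raise ValueError("no zones given")
    return "auth-zones=" + ",".join(f"{z}={zonefile}" for z in zones)


if __name__ == "__main__":
    # Constructed placeholder names; substitute the zones seen causing load.
    blocked = ["Blocked-One.example.", "blocked-two.example", "blocked-one.example"]
    print(build_auth_zones(blocked, "/etc/powerdns/nullzone"))  # assumed path
    print(NULLZONE, end="")
```

After writing the generated line to the recursor configuration and the zone body to the named file, 'rec_control reload-zones' picks up the change as described in the mail.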