[Pdns-users] PowerDNS DNSdist 1.9.4 released
Remi Gacogne
remi.gacogne at powerdns.com
Mon May 13 10:02:08 UTC 2024

Hello!

We released PowerDNS DNSdist 1.9.4 today. This release fixes
CVE-2024-25581, a denial of service security issue affecting versions
1.9.0, 1.9.1, 1.9.2 and 1.9.3 only. Earlier versions are not affected.

When incoming DNS over HTTPS support is enabled using the nghttp2
provider, and queries are routed to a tcp-only or DNS over TLS backend,
an attacker can trigger an assertion failure in DNSdist by sending a
request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing
the process to stop and thus leading to a Denial of Service.

DNS over HTTPS is not enabled by default, and backends are using plain
DNS (Do53) by default.

Two work-arounds are available:
- refuse incoming XFR requests via a DNSdist rule:
  addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))
- switch to the legacy h2o provider by setting library='h2o' in the
  addDOHLocal directive

We would like to thank Daniel Stirnimann from Switch for finding and
subsequently reporting this issue.

This release also includes a few other fixes:
- Fix DNS over plain HTTP broken by reloadAllCertificates()
- Fix a crash in incoming DoH with nghttp2 when the incoming query is
  forwarded to the backend over TCP and the response comes back
  immediately. This issue was independently reported by Daniel Stirnimann
  from Switch and Stéphane Bortzmeyer, many thanks to them.
- Fix "C++ One Definition Rule" warnings in XSK

Please see the DNSdist website [1] for the more complete changelog [2]
and the current documentation. The upgrade guide is also available there
[3].

Please send us all feedback and issues you might have via the mailing
list, or in case of a bug, via GitHub [4].

The release tarball [5] and its signature [6] are available on the
downloads website, and packages for several distributions are available
from our repository [7].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.9.4
[3]: https://dnsdist.org/upgrade_guide.html
[4]: https://github.com/PowerDNS/pdns/issues/new/choose
[5]: https://downloads.powerdns.com/releases/dnsdist-1.9.4.tar.bz2
[6]: https://downloads.powerdns.com/releases/dnsdist-1.9.4.tar.bz2.sig
[7]: https://repo.powerdns.com

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
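
Added example, not part of the original announcement and not PowerDNS code: a heuristic Python check that flags a DNSdist configuration matching the affected combination described above (affected version, incoming DoH not set to h2o, a tcp-only or DoT backend) when no rule refuses both AXFR and IXFR. Assumptions: the function names, the sample configuration and its addresses are constructed for illustration; a DoH listener without library='h2o' is treated as using nghttp2; the text matching does not evaluate Lua or rule ordering.

```python
import re

AFFECTED = {"1.9.0", "1.9.1", "1.9.2", "1.9.3"}  # versions named in the announcement
WORKAROUND = ("addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), "
              "RCodeAction(DNSRCode.REFUSED))\n")
# Constructed sample config: incoming DoH (no library= option) and a DoT backend.
SAMPLE = """
addDOHLocal('192.0.2.1:443', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem', '/dns-query')
newServer({address='192.0.2.53:853', tls='openssl', subjectName='dns.example.net'})
"""

def calls(conf, name):
    """Return the argument text of every call to `name`, matching balanced parentheses."""
    found = []
    for m in re.finditer(r"\b" + re.escape(name) + r"\s*\(", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"(": 1, ")": -1}.get(conf[i], 0)
            i += 1
        found.append(conf[m.end():i - 1])
    return found

def exposed(version, conf):
    """True when version and config match the affected combination and XFR is not refused."""
    if version not in AFFECTED:
        return False
    # Ignore Lua line comments so commented-out directives do not count.
    conf = "\n".join(line.split("--", 1)[0] for line in conf.splitlines())
    # Assumption: a DoH listener without library='h2o' uses the nghttp2 provider.
    doh_nghttp2 = any(not re.search(r"library\s*=\s*['\"]h2o['\"]", args)
                      for args in calls(conf, "addDOHLocal"))
    # Backends reached over TCP only or over DNS over TLS.
    tcp_backend = any(re.search(r"tcpOnly\s*=\s*true|\btls\s*=\s*['\"]", args)
                      for args in calls(conf, "newServer"))
    # Which XFR query types are answered with REFUSED by some addAction rule.
    refused = set()
    for args in calls(conf, "addAction"):
        if "DNSRCode.REFUSED" in args:
            refused |= set(re.findall(r"DNSQType\.(AXFR|IXFR)", args))
    return doh_nghttp2 and tcp_backend and refused != {"AXFR", "IXFR"}

if __name__ == "__main__":
    print("without rule:", exposed("1.9.3", SAMPLE))
    print("with rule:   ", exposed("1.9.3", SAMPLE + WORKAROUND))
```

A True result means the configuration text still needs the upgrade or one of the two work-arounds; a False result from this text matching is not proof that a running instance is unaffected.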