[Pdns-users] PowerDNS Security Advisory 2025-04: A Recursor configured to send out ECS enabled queries can be sensitive to spoofing attempts

Otto Moerbeek otto.moerbeek at powerdns.com
Mon Jul 21 12:04:21 UTC 2025 

   Today we have released PowerDNS Recursor 5.0.12, 5.1.6 and 5.2.4.

   These releases fix PowerDNS Security Advisory 2025-04: A Recursor
   configured to send out ECS enabled queries can be sensitive to spoofing
   attempts:
     __________________________________________________________________

  PowerDNS Security Advisory 2025-04: A Recursor configured to send out ECS
  enabled queries can be sensitive to spoofing attempts

   CVE: CVE-2025-30192
   Date: 21st July 2025
   Affects: PowerDNS Recursor up to and including 5.0.10, 5.1.4 and 5.2.2,
   but only if outgoing ECS is enabled
   Not affected: PowerDNS Recursor 5.0.12, 5.1.6 and 5.2.4 (5.0.11, 5.1.5
   and 5.2.3 were not released publicly)
   Severity: High (only if outgoing ECS is enabled)
   Impact: Cache pollution
   Exploit: This problem can be triggered by an attacker sending spoofed
   replies to an ECS enabled Recursor
   Risk of system compromise: None
   Solution: Upgrade to patched version, disable outgoing ECS (the default
   is disabled)

   An attacker spoofing answers to ECS enabled requests sent out by the
   Recursor has a chance of success higher than non-ECS enabled queries.
   The updated version include various mitigations against spoofing
   attempts of ECS enabled queries by chaining ECS enabled requests and
   enforcing stricter validation of the received answers.
   The most strict mitigation done when the new setting
   outgoing.edns_subnet_harden[1] (old style name edns-subnet-harden[2])
   is enabled.
   CVSS Score: 7.5, see
   https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/P
   R:N/UI:N/S:U/C:N/I:N/A:H&version=3.1[3]
   The remedy is: upgrade to a patched version or disable outgoing ECS
   enabled queries, which is the default.
   We would like to thanks Xiang Li of AOSP Lab Nankai University for
   bringing this issue to our attention.

   We advise all customers running ECS enabled Recursors to review the
   configuration and only send out ECS enabled queries to authoritative
   servers for which it brings a known benefit. Apart from the potential
   spoofing attack surface mitigated by the patches, enabling ECS also has
   an effect on caching efficiency. Additionally not all authoritative
   servers found on the internet do handle ECS enabled queries well.

   Please refer to the changelogs  (5.0.12[4] and 5.1.6[5] and 5.2.4[6])
   for additional details. Versions 5.0.11, 5.1.5 and 5.2.3 were never
   made available publicity.

   Please send us all feedback and issues you might have via the mailing
   list[7], or in case of a bug, via GitHub[8].

   The tarballs (5.0.12[9], 5.1.6[10], 5.2.4[11]) (with signature files
   5.0.12[12], 5.1.6[13], 5.2.4[14]) are available from our
   download server[15] and packages for several distributions are
   available from our repository[16].

   Recently we made changes to our Open Source End of Life policy. Older
   release trains are now supported for one year after the following major
   release. Consult the EOL policy[17] for more details.

   We are grateful to the PowerDNS community for the reporting of bugs,
   issues, feature requests, and especially to the submitters of fixes and
   implementations of features.

References

   1. https://docs.powerdns.com/recursor/yamlsettings.html#outgoing-edns-subnet-harden
   2. https://docs.powerdns.com/recursor/settings.html#setting-edns-subnet-harden
   3. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1
   4. https://doc.powerdns.com/recursor/changelog/5.0.html#change-5.0.12
   5. https://doc.powerdns.com/recursor/changelog/5.1.html#change-5.1.6
   6. https://doc.powerdns.com/recursor/changelog/5.2.html#change-5.2.4
   7. https://mailman.powerdns.com/mailman/listinfo/pdns-users
   8. https://github.com/PowerDNS/pdns/issues/new/choose
   9. https://downloads.powerdns.com/releases/pdns-recursor-5.0.12.tar.bz2
  10. https://downloads.powerdns.com/releases/pdns-recursor-5.1.6.tar.bz2
  11. https://downloads.powerdns.com/releases/pdns-recursor-5.2.4.tar.bz2
  12. https://downloads.powerdns.com/releases/pdns-recursor-5.0.12.tar.bz2.sig
  13. https://downloads.powerdns.com/releases/pdns-recursor-5.1.6.tar.bz2.sig
  14. https://downloads.powerdns.com/releases/pdns-recursor-5.2.4.tar.bz2.sig
  15. https://downloads.powerdns.com/releases/
  16. https://repo.powerdns.com/
  17. https://docs.powerdns.com/recursor/appendices/EOL.html


--

kind regards,
Otto Moerbeek
Senior Developer PowerDNS


Phone: +49 2761 75252 00 Fax: +49 2761 75252 30
Email: otto.moerbeek at open-xchange.com


-------------------------------------------------------------------------------------
Open-Xchange AG, Hohenzollernring 72, 50672 Cologne, District Court Cologne HRB 95366
Managing Board: Andreas Gauger, Dirk Valbert, Frank Hoberg, Stephan Martin
Chairman of the Board: Dr. Paul-Josef Patt

PowerDNS.COM BV, Koninginnegracht 5, 2514 AA Den Haag, The Netherlands
Managing Director: Robert Brandt
-------------------------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20250721/8df68ca0/attachment.sig>

More information about the Pdns-users mailing list