[Pdns-users] PowerDNS Security Advisory 2025-05 for DNSdist: Denial of service via crafted DoH exchange
Remi Gacogne
remi.gacogne at powerdns.com
Thu Sep 18 09:17:11 UTC 2025
Hello!

Today we have released PowerDNS DNSdist 1.9.11 and 2.0.1. These releases
fix PowerDNS Security Advisory 2025-05 for DNSdist, a denial of service
via crafted DoH exchange.

While working on adding mitigations against the MadeYouReset
(CVE-2025-8671) attack, we noticed a potential denial of service in our
DNS over HTTPS implementation when using the nghttp2 provider: an
attacker might be able to cause a denial of service by crafting a DoH
exchange that triggers an unbounded I/O read loop, causing an unexpected
consumption of CPU resources. We assigned CVE-2025-30187 to this issue.
The offending code was introduced in DNSdist 1.9.0-alpha1 so previous
versions are not affected.

In addition to fixing this issue, the 1.9.11 and 2.0.1 releases add
several mitigations against the MadeYouReset (CVE-2025-8671) attack. Our
packages also fix several security issues that have been discovered in
Cloudflare's Quiche implementation for DoQ and DoH3 (CVE-2025-4820,
CVE-2025-4821, CVE-2025-7054).

The 2.0.1 release also contains several bug fixes and performance
improvements.

Please see the DNSdist website [1] for the more complete changelogs
[2][3] and the current documentation. The upgrade guide is also
available there [4].

Please send us all feedback and issues you might have via the mailing
list, or in case of a bug, via GitHub [5].

The release tarballs [6][8] and their signatures [7][9] are available on
the downloads website, and packages for several distributions are
available from our repository [10].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.9.11
[3]: https://dnsdist.org/changelog.html#change-2.0.1
[4]: https://dnsdist.org/upgrade_guide.html
[5]: https://github.com/PowerDNS/pdns/issues/new/choose
[6]: https://downloads.powerdns.com/releases/dnsdist-1.9.11.tar.bz2
[7]: https://downloads.powerdns.com/releases/dnsdist-1.9.11.tar.bz2.sig
[8]: https://downloads.powerdns.com/releases/dnsdist-2.0.1.tar.xz
[9]: https://downloads.powerdns.com/releases/dnsdist-2.0.1.tar.xz.sig
[10]: https://repo.powerdns.com
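
The following is an added example, not part of the original message and not PowerDNS code: a triage helper that classifies DNSdist versions against the bounds the advisory states for CVE-2025-30187 (introduced in 1.9.0-alpha1, fixed in 1.9.11 and 2.0.1). The inventory format, host names and the `-beta`/`-rc` suffix handling are assumptions; it treats 2.0.x before 2.0.1 as affected because the fix shipped in 2.0.1, and the result only matters on hosts that serve DoH with the nghttp2 provider.

```python
import re

# Pre-release stages sort before the final release of the same x.y.z.
# "-alphaN" appears in the advisory; "-betaN"/"-rcN" are assumed to follow suit.
_STAGE = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?$")

def parse_version(text):
    """Turn '1.9.0-alpha1' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised dnsdist version: {text!r}")
    major, minor, patch, stage, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE[stage], int(num or 0))

# Bounds taken from the advisory text.
INTRODUCED = parse_version("1.9.0-alpha1")
FIXED = {(1, 9): parse_version("1.9.11"), (2, 0): parse_version("2.0.1")}

def cve_2025_30187_status(text):
    """Return 'not affected', 'affected', 'fixed' or 'unknown'."""
    v = parse_version(text)
    if v < INTRODUCED:
        return "not affected"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown"  # branch the advisory does not mention
    return "fixed" if v >= fixed else "affected"

# Constructed sample inventory: "<host> <dnsdist version>" per line.
SAMPLE_INVENTORY = """\
edge-a 1.8.4
edge-b 1.9.0-alpha1
edge-c 1.9.10
edge-d 1.9.11
edge-e 2.0.0
edge-f 2.0.1
edge-g 1.9.10-1pdns.bookworm
"""

def triage(inventory):
    """Map each host to its status; unparseable versions become 'unknown'."""
    results = {}
    for line in filter(str.strip, inventory.splitlines()):
        host, version = line.split()
        try:
            results[host] = cve_2025_30187_status(version)
        except ValueError:
            results[host] = "unknown"  # e.g. distro package suffixes
    return results
```
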