[Pdns-users] PowerDNS Security Advisory 2025-05 for DNSdist: Denial of service via crafted DoH exchange

Remi Gacogne remi.gacogne at powerdns.com
Thu Sep 18 09:17:11 UTC 2025


Hello!

Today we have released PowerDNS DNSdist 1.9.11 and 2.0.1. These releases 
fix PowerDNS Security Advisory 2025-05 for DNSdist, a denial of service 
via crafted DoH exchange.

While working on adding mitigations against the MadeYouReset 
(CVE-2025-8671) attack, we noticed a potential denial of service in our 
DNS over HTTPS implementation when using the nghttp2 provider: an 
attacker might be able to cause a denial of service by crafting a DoH 
exchange that triggers an unbounded I/O read loop, causing an unexpected 
consumption of CPU resources. We assigned CVE-2025-30187 to this issue. 
The offending code was introduced in DNSdist 1.9.0-alpha1 so previous 
versions are not affected.

In addition to fixing this issue, the 1.9.11 and 2.0.1 releases add 
several mitigations against the MadeYouReset (CVE-2025-8671) attack. Our 
packages also fix several security issues that have been discovered in 
Cloudflare's Quiche implementation for DoQ and DoH3 (CVE-2025-4820, 
CVE-2025-4821, CVE-2025-7054).

The 2.0.1 release also contains several bug fixes and performance 
improvements.

Please see the DNSdist website [1] for the more complete changelogs 
[2][3] and the current documentation. The upgrade guide is also 
available there [4].

Please send us all feedback and issues you might have via the mailing 
list, or in case of a bug, via GitHub [5].

The release tarballs [6][8] and their signatures [7][9] are available on 
the downloads website, and packages for several distributions are 
available from our repository [10].

[1]: https://dnsdist.org
[2]: https://dnsdist.org/changelog.html#change-1.9.11
[3]: https://dnsdist.org/changelog.html#change-2.0.1
[4]: https://dnsdist.org/upgrade_guide.html
[5]: https://github.com/PowerDNS/pdns/issues/new/choose
[6]: https://downloads.powerdns.com/releases/dnsdist-1.9.11.tar.bz2
[7]: https://downloads.powerdns.com/releases/dnsdist-1.9.11.tar.bz2.sig
[8]: https://downloads.powerdns.com/releases/dnsdist-2.0.1.tar.xz
[9]: https://downloads.powerdns.com/releases/dnsdist-2.0.1.tar.xz.sig
[10]: https://repo.powerdns.com