PowerDNS Vulnerability Let Attacker Trigger DoS Attack Via Malicious TCP connection
PowerDNS has released a critical security update to address a vulnerability in its DNSdist load balancer that could allow remote attackers to trigger denial of service attacks without authentication.
The issue, tracked as CVE-2025-30193, was patched in version 1.9.10 released on May 20, 2025.
Security researchers warn that organizations using DNSdist should apply this update immediately to prevent potential service disruptions, as the vulnerability could be exploited by crafting specific TCP connections that overwhelm the service.
The recently discovered vulnerability in PowerDNS DNSdist affects all versions prior to 1.9.10 and presents a significant security risk to DNS infrastructure.
The flaw allows remote attackers without authentication credentials to cause service disruptions by exploiting how DNSdist handles certain TCP connections.
According to security experts, the vulnerability was initially reported through PowerDNS’s public IRC channel before the development team confirmed its security implications.
Technical analysis shows the vulnerability stems from improper handling of TCP connection states, which malicious actors can exploit to exhaust server resources.
Unlike many DNS-related vulnerabilities that target UDP traffic, this attack specifically leverages TCP connection handling mechanisms.
The issue is particularly concerning for organizations using DNSdist as a front-end load balancer for their DNS infrastructure, as successful exploitation could render DNS services unavailable across entire networks.
Mitigation Strategies and Workarounds
PowerDNS strongly recommends users upgrade to version 1.9.10 immediately to address the vulnerability.
For organizations unable to upgrade right away, the company has outlined a temporary workaround to mitigate the risk.
Administrators can implement the setMaxTCPQueriesPerConnection directive to limit the number of queries accepted over a single incoming TCP connection.
“Setting it to 50 is a safe choice that does not impact performance in our tests,” notes PowerDNS in their advisory.
This configuration change effectively prevents attackers from exploiting the vulnerability while maintaining normal DNS operations.
Security researchers emphasize that while this workaround provides temporary protection, it should not be considered a permanent solution, and upgrading remains the recommended course of action.
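As an added illustration of the workaround described above (this is not configuration from the advisory or from the PowerDNS project), the directive sits in the dnsdist Lua configuration file alongside the listener and backend definitions; the listener and backend addresses below are placeholders:

```lua
-- dnsdist.conf (added example, not the advisory's or the project's own file).
-- Listener and backend addresses are placeholders for illustration.

-- Accept client queries over UDP and TCP on this address.
setLocal("192.0.2.53:53")

-- Forward queries to a backend resolver (placeholder address).
newServer({address="192.0.2.10:53"})

-- Temporary workaround for DNSdist releases before 1.9.10:
-- cap the number of queries accepted over a single incoming TCP
-- connection. Without this line the default places no cap, which is
-- the condition the advisory's workaround addresses. PowerDNS states
-- that a value of 50 did not impact performance in their tests.
setMaxTCPQueriesPerConnection(50)
```

Once the connection has served 50 queries, dnsdist closes it and the client must open a new one, which bounds the work a single long-lived TCP connection can demand. The cap is a stopgap only: upgrading to 1.9.10 remains the fix.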
Security Improvements and Availability
The DNSdist 1.9.10 release includes several other important security fixes beyond the CVE-2025-30193 vulnerability.
Notable improvements include limiting proxy protocol-enabled outgoing TCP connections, fixing memory corruption issues when using getAddressInfo, improving cache lookup behavior for unavailable TCP-only backends, and enhancing socket handling on FreeBSD systems to only pass source addresses on sockets bound to ANY.
The updated software is now available through multiple distribution channels.
Users can download release tarballs and signatures from the official PowerDNS downloads website.
For those using supported Linux distributions, package repositories have been updated with the patched version.
PowerDNS encourages users to report any issues encountered with the update through their mailing list or GitHub page.
DNS administrators should prioritize this update as researchers warn that exploits targeting this vulnerability could emerge quickly given the public disclosure and the relative simplicity of triggering the denial of service condition.