PowerDNS has issued a critical security update to fix a high-severity vulnerability in DNSdist, its DNS proxy and load balancer. The flaw could allow unauthenticated attackers to crash DNSdist and disrupt services using specially crafted TCP connections.
The vulnerability is identified as CVE-2025-30193 and carries a CVSS 3.1 score of 7.5. It affects all versions of DNSdist released before version 1.9.10, which became available on May 20, 2025.
How the Vulnerability Works
The issue stems from how DNSdist handles TCP connections when configured to allow unlimited queries per connection. Attackers can exploit this setting to exhaust system resources, causing the service to crash.
According to the official advisory, the flaw is found in the dnsdist-tcp.cc module, where the default settings do not limit how many queries can be sent over a single TCP connection. Each open connection consumes a file descriptor, so an attacker who holds many long-lived connections open can exhaust the available descriptors.
DNSdist is designed to manage DNS traffic efficiently, but without proper safeguards in place, attackers can take advantage of its ability to handle persistent TCP sessions.
Vulnerability Summary
| Risk Factors | Details |
|---|---|
| Affected Products | PowerDNS DNSdist versions before 1.9.10 |
| Impact | Denial-of-Service (DoS) via TCP stack exhaustion and crash |
| Exploit Conditions | No authentication, unlimited TCP queries per connection, network access to DNSdist |
| CVSS 3.1 Score | 7.5 (High) |
Why It’s Dangerous
This vulnerability is especially dangerous because it does not require authentication. Any attacker with network access can exploit it to crash DNSdist. The problem is magnified in default configurations that allow many queued connections and multiple TCP threads.
By default, DNSdist can use up to 10 TCP worker threads and queue thousands of pending connections: 1,000 by default and up to 10,000 on Linux systems. Without a per-connection query limit, those threads and queues can be tied up by a single attacker, turning the defaults into an avenue for denial of service.
Recommended Fixes and Workarounds
PowerDNS recommends all users upgrade to DNSdist 1.9.10 immediately. The new version fixes the vulnerability and includes several other improvements:
- Better source address handling on FreeBSD with ANY binding
- Limits on proxy protocol-enabled outgoing TCP connections
- Fixes for TCP-only backend cache lookups
- Resolved memory corruption in getAddressInfo
If upgrading is not possible right away, administrators can apply a temporary fix by setting:
setMaxTCPQueriesPerConnection(50)
PowerDNS notes that a limit of 50 queries per connection was safe and had no measurable performance impact in its tests.
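As an added illustration (not taken from the advisory or the PowerDNS project), the following dnsdist.conf fragment shows where the interim mitigation goes in a dnsdist Lua configuration, alongside the other documented TCP limits an administrator would review during the audit. The listener and backend addresses are placeholders.

```lua
-- dnsdist.conf (Lua). Constructed example; addresses are placeholders.
addLocal("0.0.0.0:53")                  -- accept DNS over UDP and TCP
newServer({address = "192.0.2.10:53"})  -- placeholder backend resolver

-- Interim mitigation for CVE-2025-30193 on dnsdist releases before 1.9.10.
-- The default is 0 (unlimited), so one TCP connection can keep sending
-- queries indefinitely; PowerDNS recommends a cap of 50.
setMaxTCPQueriesPerConnection(50)

-- Related TCP limits from dnsdist's tuning settings, shown with the
-- defaults the article cites so each value can be reviewed deliberately.
setMaxTCPClientThreads(10)          -- TCP worker threads (default 10)
setMaxTCPQueuedConnections(1000)    -- queued TCP connections (default 1,000; 10,000 on Linux)
setMaxTCPConnectionsPerClient(100)  -- concurrent TCP connections per source IP (default 0 = unlimited)
setMaxTCPConnectionDuration(60)     -- maximum lifetime of an incoming TCP connection in seconds (default 0 = unlimited)
```

The per-client and duration limits are not part of the advisory's workaround; they are the existing dnsdist knobs that bound how long and how widely a single source can hold TCP resources.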
Security Best Practices
Experts urge DNS administrators to audit their DNSdist setups, especially those exposed to the internet. Particular attention should be given to TCP query settings and connection limits.
Organizations using DNSdist in production environments should prioritize this update to ensure the stability and security of their DNS infrastructure.