PowerDNS has released an important security update to fix a high-risk vulnerability in DNSdist, its DNS proxy and load balancer. This flaw could allow remote attackers to crash the service by sending specially crafted TCP connections—no login or authentication needed.
The issue, tracked as CVE-2025-30193 with a CVSS score of 7.5, affects all DNSdist versions before 1.9.10, released on May 20, 2025.
How the Attack Works
The bug occurs when DNSdist is set to accept unlimited queries over a single TCP connection. Attackers can exploit this by sending TCP traffic that uses up system resources, causing DNSdist to crash.
The problem lies in how the software handles TCP queries by default: it doesn't limit them. Each new TCP connection uses a file descriptor, which attackers can exhaust if no query limit is set (for example, if setMaxTCPQueriesPerConnection isn't configured).
Who’s at Risk?
- Users running DNSdist versions before 1.9.10
- Systems where DNSdist is exposed to the internet
- Configurations allowing unlimited TCP queries per connection
The vulnerability is especially serious because attackers don’t need to log in—they can target DNSdist servers remotely without any authentication.
DNSdist normally acts as a DNS traffic manager, helping balance speed and security. In affected versions, however, the way it handles TCP connections can be abused: it allows multiple queries over a single TCP connection and, with no limit configured, an attacker can keep connections open until the system is overloaded.
By default, DNSdist supports up to 10 TCP worker threads and thousands of queued connections (1,000 on most systems, up to 10,000 on Linux). If not properly configured, this capacity becomes a weak point that attackers can use to crash the service.
Mitigation and Recommendations
PowerDNS urges all users to upgrade to DNSdist 1.9.10 as soon as possible to fix the vulnerability. If patching isn't immediately possible, administrators can apply a workaround by limiting how many queries are allowed per TCP connection (the setMaxTCPQueriesPerConnection setting). PowerDNS recommends a value of 50, which it confirms does not impact performance. This limit helps block attackers from overloading the system and causing crashes.
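The workaround above as a dnsdist.conf fragment, written here as an added example rather than the article's or PowerDNS's own configuration; the backend address and the per-client ceilings at the end are assumptions, not values from the advisory:

```lua
-- dnsdist.conf (Lua). Added example, not taken from the advisory or the article.
-- 192.0.2.53 is a documentation placeholder for the real backend resolver.

-- 1. At-risk configuration (DNSdist before 1.9.10): a listener and a backend,
--    but no per-connection query limit, so one TCP connection can keep sending
--    queries while holding a file descriptor for as long as the client likes.
--
--    addLocal("0.0.0.0:53")
--    newServer({address = "192.0.2.53"})

-- 2. Hardened configuration: same listener and backend, plus the limit
--    PowerDNS recommends until 1.9.10 is deployed.
addLocal("0.0.0.0:53")
newServer({address = "192.0.2.53"})

-- Workaround from the advisory: at most 50 queries per TCP connection.
-- DNSdist closes the connection once the limit is reached, so a client cannot
-- pin a descriptor indefinitely. PowerDNS states 50 has no performance impact.
setMaxTCPQueriesPerConnection(50)

-- Bound the TCP accept queue explicitly (the article cites 1,000 as the usual
-- default and 10,000 on Linux) and keep the worker-thread count at the stated
-- default of 10 so capacity is known rather than inherited.
setMaxTCPQueuedConnections(1000)
setMaxTCPClientThreads(10)

-- Additional ceilings (assumed values, not from the advisory): limit concurrent
-- TCP connections from one source address, and bound how long an idle or
-- long-lived connection may be held open.
setMaxTCPConnectionsPerClient(20)
setTCPRecvTimeout(5)
setMaxTCPConnectionDuration(60)
```

Validate the file with `dnsdist --check-config -C /path/to/dnsdist.conf` before restarting the service.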
The 1.9.10 update also includes other key improvements:
- Better source address handling on FreeBSD
- Limits on proxy protocol TCP connections
- Fixes for cache lookups with unavailable TCP-only backends
- A memory corruption fix in the getAddressInfo function
Security experts advise reviewing all DNSdist settings, especially how TCP connections are managed. If your organization relies on DNSdist, applying this update should be a top priority to protect your DNS infrastructure.