Security Advisories

All security advisories for the PowerDNS Recursor are listed here.

• PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor
• PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor
• PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor
• PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable
• PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination
• PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation
• PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor
• PowerDNS Security Advisory 2020-07: Cache pollution
• PowerDNS Security Advisory 2020-04: Access restriction bypass
• PowerDNS Security Advisory 2020-03: Information disclosure
• PowerDNS Security Advisory 2020-02: Insufficient validation of DNSSEC signatures
• PowerDNS Security Advisory 2020-01: Denial of Service
• PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC signatures
• PowerDNS Security Advisory 2019-01: Lua hooks are not applied in certain configurations
• PowerDNS Security Advisory 2018-09: Crafted query can cause a denial of service
• PowerDNS Security Advisory 2018-07: Crafted query for meta-types can cause a denial of service
• PowerDNS Security Advisory 2018-06: Packet cache pollution via crafted query
• PowerDNS Security Advisory 2018-04: Crafted answer can cause a denial of service
• PowerDNS Security Advisory 2018-01: Insufficient validation of DNSSEC signatures
• PowerDNS Security Advisory 2017-08: Crafted CNAME answer can cause a denial of service
• PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing
• PowerDNS Security Advisory 2017-06: Configuration file injection in the API
• PowerDNS Security Advisory 2017-05: Cross-Site Scripting in the web interface
• PowerDNS Security Advisory 2017-03: Insufficient validation of DNSSEC signatures
• PowerDNS Security Advisory 2016-04: Insufficient validation of TSIG signatures
• PowerDNS Security Advisory 2016-02: Crafted queries can cause abnormal CPU usage
• PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes or CPU spikes
• PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
•  PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.0 can be crashed remotely
• PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data
• PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited
• PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to ‘spoof’ PowerDNS Recursor
• PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash
• PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable

Older security advisories

Version 3.0 of the PowerDNS recursor contains a denial of service bug which can be exploited remotely. This bug, which we believe to only lead to a crash, has been fixed in 3.0.1. There are no guarantees however, so an upgrade from 3.0 is highly recommended.

All versions of PowerDNS before 2.9.21.1 do not respond to certain queries. This in itself is not a problem, but since the discovery by Dan Kaminsky of a new spoofing technique, this silence for queries PowerDNS considers invalid, within a valid domain, allows attackers more chances to feed other resolvers bad data.

All versions of PowerDNS before 2.9.18 contain the following two bugs, which only apply to installations running with the LDAP backend, or installations providing recursion to a limited range of IP addresses. If any of these apply to you, an upgrade is highly advised:

• The LDAP backend did not properly escape all queries, allowing it to fail and not answer questions. We have not investigated further risks involved, but we advise LDAP users to update as quickly as possible (Norbert Sendetzky, Jan de Groot)
• Questions from clients denied recursion could blank out answers to clients who are allowed recursion services, temporarily. Reported by Wilco Baan. This would’ve made it possible for outsiders to blank out a domain temporarily to your users. Luckily PowerDNS would send out SERVFAIL or Refused, and not a denial of a domain’s existence.

All versions of PowerDNS before 2.9.17 are known to suffer from remote denial of service problems which can disrupt operation. Please upgrade to 2.9.17 as this page will only contain detailed security information from 2.9.17 onwards.