PowerDNS has released a critical update to address a high-severity vulnerability in its DNS proxy and load balancer, DNSdist, that could allow unauthenticated attackers to cause service disruptions through specially crafted TCP connections. 

The vulnerability, tracked as CVE-2025-30193 with a CVSS score of 7.5, affects all DNSdist versions before 1.9.10 released on May 20, 2025.

The security flaw enables remote attackers to trigger a Denial-of-Service (DoS) condition by exploiting how DNSdist manages TCP connections. 

DNSdist DoS Vulnerability

The vulnerability is only reachable when DNSdist is configured to allow an unlimited number of queries on a single incoming TCP connection from a client, which is the out-of-the-box default.

“In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist,” explains the security advisory.

Technically, the bug sits in DNSdist's TCP handling (dnsdist-tcp.cc); the default configuration puts no limit on how many queries a client may send over one TCP connection, and a crafted exchange on such a connection drives the process into stack exhaustion, which is what crashes it.

Note that the advisory describes exhaustion of the process stack, not of file descriptors. Each accepted TCP connection does consume a file descriptor, and an unbounded number of connections is a general resource-exhaustion concern, but that is a separate matter from the crash this CVE covers.

Risk Factors and Details

Affected Products: PowerDNS DNSdist versions prior to 1.9.10
Impact: Denial-of-Service (DoS) via stack exhaustion and a DNSdist crash
Exploit Prerequisites: a network-accessible DNSdist instance; no authentication required; unlimited TCP queries per connection (setMaxTCPQueriesPerConnection not configured)
CVSS 3.1 Score: 7.5 (High)

Technical Exploit Mechanism

The vulnerability is particularly dangerous because it doesn’t require authentication, allowing remote attackers to target DNSdist instances directly. 

DNSdist typically functions as a traffic director for DNS queries, ensuring optimal speed and security, but in vulnerable versions, attackers can abuse the TCP handling mechanism.

The exploit leverages how DNSdist processes multiple queries over a persistent TCP connection. A configuration that leaves the per-connection query count unlimited, which is the default, exposes this behavior to any remote client that can reach the TCP listener.

In standard deployments, DNSdist runs 10 TCP worker threads by default and queues up to 1,000 pending TCP connections (10,000 on Linux).

That capacity is not the flaw in itself; what matters is what a single client is allowed to do on one connection. The other TCP limits only bound how much load an abusive client can generate, whereas the per-connection query cap is what removes the vulnerable condition.

Mitigations

PowerDNS strongly recommends upgrading to DNSdist 1.9.10 immediately. For environments where immediate patching isn't feasible, administrators can apply the workaround from the advisory and cap the number of queries DNSdist accepts on a single incoming TCP connection with setMaxTCPQueriesPerConnection.

PowerDNS states, “Setting it to 50 is a safe choice that does not impact performance in our tests”.

This directive limits the number of queries DNSdist will serve over one TCP connection; once the cap is reached, no further queries are accepted on that connection, so a client can no longer hold a single connection open indefinitely to work toward the crash.
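As an added example, not taken from the advisory or from PowerDNS's own configuration files, the fragment below shows a minimal dnsdist.conf (Lua, the configuration language of the 1.9.x series) with the unlimited default beside the hardened settings. The listen and backend addresses are placeholders; setMaxTCPQueriesPerConnection is the directive the advisory names, and the surrounding TCP limits are general dnsdist directives added here to give the TCP path bounded resources.

```lua
-- Added example: a minimal dnsdist.conf for a 1.9.x instance.
-- Addresses are placeholders; the backend is assumed to be a resolver
-- reachable at 192.0.2.53.

setLocal("0.0.0.0:53")            -- listen on UDP and TCP, IPv4
addLocal("[::]:53")               -- and IPv6
newServer({address = "192.0.2.53:53", name = "resolver1"})

-- Vulnerable state on versions before 1.9.10: the per-connection query
-- cap defaults to 0, meaning unlimited. Writing it out explicitly is
-- equivalent to leaving it unset; shown commented out for contrast.
-- setMaxTCPQueriesPerConnection(0)

-- Workaround from the advisory: cap queries per incoming TCP connection.
-- PowerDNS reports 50 as safe with no measured performance impact.
setMaxTCPQueriesPerConnection(50)

-- Further TCP bounds. Not required for this CVE, but they keep the
-- TCP path's resource use finite against abusive clients.
setMaxTCPClientThreads(10)          -- worker threads (default 10)
setMaxTCPQueuedConnections(1000)    -- accepted-but-unserviced queue (default 1000; 10000 on Linux)
setMaxTCPConnectionsPerClient(100)  -- concurrent connections per source address (default 0 = unlimited)
setMaxTCPConnectionDuration(600)    -- seconds one connection may stay open (default 0 = unlimited)
setTCPRecvTimeout(2)                -- seconds to wait for the next query on an idle connection (default 2)
```

Validate the file with dnsdist --check-config before reloading, and keep setMaxTCPQueriesPerConnection in place after upgrading to 1.9.10: the cap is cheap and removes an entire class of per-connection abuse regardless of the fix. The per-client connection limit deserves care in deployments where many users share one source address (NAT, a forwarding resolver, or a load balancer that does not pass the client address), since it would then throttle legitimate traffic.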

The 1.9.10 update also includes several other important fixes:

Improved source address handling on FreeBSD systems bound to ANY

Limited number of proxy protocol-enabled outgoing TCP connections

Fixed cache lookups for unavailable TCP-only backends

Resolved memory corruption in the getAddressInfo function

Security experts recommend that DNS administrators immediately audit their DNSdist configurations, paying particular attention to the TCP connection parameters and confirming that a per-connection query cap is set.

Organizations using DNSdist in production environments should prioritize this update to maintain the stability and security of their DNS infrastructure.
