PowerDNS DNSdist Vulnerability Let Attackers Cause Denial of Service Condition

Apr 30, 2025 - 09:36

A high-severity vulnerability (CVE-2025-30194) in PowerDNS DNSdist, a widely used DNS load balancer and security tool, enables remote attackers to trigger denial-of-service (DoS) conditions by exploiting flaws in its DNS-over-HTTPS (DoH) implementation. 

The vulnerability, disclosed in a PowerDNS Security Advisory, affects DNSdist versions 1.9.0 through 1.9.8 when configured to use the nghttp2 library for DoH processing.

Successful exploitation crashes the DNSdist service via a double-free memory corruption event, disrupting DNS resolution for dependent systems.

High-Severity DoS in DNSdist via nghttp2 DoH

The vulnerability stems from improper memory management when handling maliciously crafted DoH exchanges. 

Attackers exploiting this flaw send specially structured HTTP/2 requests that cause DNSdist to attempt freeing the same memory region twice, a critical error classified as CWE-416 (Use After Free). 

This triggers a segmentation fault, terminating the DNSdist process entirely. The attack requires no authentication and can be executed remotely over the network, earning it a CVSS v3.1 score of 7.5.

Notably, the issue only manifests in configurations using the nghttp2 provider for incoming DoH traffic, a default setting since DNSdist 1.9.0. 

Systems relying on the legacy h2o library or earlier DNSdist versions remain unaffected. 

PowerDNS engineers traced the root cause to an edge-case interaction between nghttp2’s request handling and DNSdist’s internal resource management logic, exacerbated by certain HTTP/2 frame sequences.

With DNSdist deployed in critical infrastructure roles, including recursive resolver farms, authoritative DNS clusters, and DDoS-protected networks, this vulnerability poses significant operational risks. 

An unpatched instance could suffer prolonged outages, as restarting the crashed service provides only temporary relief until the next attack.

The discovery of this vulnerability is credited to Charles Howes, who brought the issue to the attention of PowerDNS. 

The swift response from PowerDNS in releasing a fixed version demonstrates the importance of community involvement in maintaining the security of critical infrastructure software.

Risk factors and details:

Affected Products: PowerDNS DNSdist versions 1.9.0 to 1.9.8 (fixed in 1.9.9)
Impact: Denial of service (DoS)
Exploit Prerequisites: DNSdist must be configured to provide DoH using the nghttp2 provider
CVSS 3.1 Score: 7.5 (High)

Workaround

To mitigate this vulnerability, users are advised to upgrade to the patched version 1.9.9 of DNSdist. 

For those unable to upgrade immediately, a temporary workaround is to switch to the h2o provider until the update can be implemented. 

This ensures that DoH services remain operational while preventing exploitation of the vulnerability. The PowerDNS DNSdist vulnerability highlights the importance of keeping software up to date, especially for critical infrastructure components like DNS services. 
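The following is an added triage script, not code from the article or from PowerDNS. It checks the two conditions the advisory gives for exposure (a DNSdist version in the 1.9.0 to 1.9.8 range, and a DoH frontend served by the nghttp2 provider) against a dnsdist Lua configuration, and reports which frontends would need the h2o workaround until 1.9.9 is installed. It assumes that DoH frontends are declared with addDOHLocal() and that the provider is selected by a `library` key in that call's options table, defaulting to nghttp2 on 1.9.x builds; the two configuration snippets and the version string are constructed samples.

```python
"""Audit a dnsdist 1.9.x configuration for exposure to CVE-2025-30194.

Assumptions (constructed example, not PowerDNS code): DoH frontends are
declared with addDOHLocal(), and the optional `library` key in its options
table selects the HTTP/2 provider ("nghttp2" or "h2o"), with nghttp2 as the
1.9.x default, as the advisory describes.
"""
import re

AFFECTED = ((1, 9, 0), (1, 9, 8))  # inclusive range from the advisory
FIXED = (1, 9, 9)

# Constructed sample: DoH on the default provider (nghttp2 on 1.9.x), exposed.
VULNERABLE_CONFIG = """
newServer({address="192.0.2.53"})
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem", {"/dns-query"})
"""

# Constructed sample: the advisory's workaround, h2o selected explicitly.
# The commented-out frontend must be ignored by the audit.
MITIGATED_CONFIG = """
newServer({address="192.0.2.53"})
-- addDOHLocal("0.0.0.0:8443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem", {"/dns-query"})
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            {"/dns-query"}, {library="h2o"})
"""


def parse_version(text):
    """Pull a dotted x.y.z version out of text such as 'dnsdist 1.9.8'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def version_in_affected_range(version):
    """True for 1.9.0 <= version <= 1.9.8 (tuple comparison handles ordering)."""
    return AFFECTED[0] <= version <= AFFECTED[1]


def _strip_lua_comments(config):
    # Drop single-line `--` comments so commented-out frontends are not counted.
    # (Naive: a "--" inside a string literal would also be cut; fine for an audit.)
    return "\n".join(line.split("--", 1)[0] for line in config.splitlines())


def _call_args(text, start):
    """Return the text inside the balanced parentheses opening at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced parentheses in addDOHLocal call")


def doh_frontends(config):
    """List every addDOHLocal() frontend with the HTTP/2 provider it will use."""
    frontends = []
    clean = _strip_lua_comments(config)
    for m in re.finditer(r"\baddDOHLocal\s*\(", clean):
        args = _call_args(clean, m.end() - 1)          # m.end()-1 is the "("
        addr = re.search(r"[\"']([^\"']+)[\"']", args)  # first string arg = listen address
        lib = re.search(r"\blibrary\s*=\s*[\"'](\w+)[\"']", args)
        frontends.append({
            "address": addr.group(1) if addr else "?",
            "provider": lib.group(1) if lib else "nghttp2",  # assumed 1.9.x default
        })
    return frontends


def assess(version_text, config):
    """Combine the version check and the frontend scan into one verdict."""
    version = parse_version(version_text)
    affected_version = version_in_affected_range(version)
    exposed = [f["address"] for f in doh_frontends(config) if f["provider"] == "nghttp2"]
    vulnerable = affected_version and bool(exposed)
    advice = ("upgrade to %d.%d.%d, or set library=\"h2o\" on the listed frontends" % FIXED
              if vulnerable else "no action required for CVE-2025-30194")
    return {
        "version": version,
        "affected_version": affected_version,
        "nghttp2_frontends": exposed,
        "vulnerable": vulnerable,
        "advice": advice,
    }


if __name__ == "__main__":
    # "dnsdist 1.9.8" is a constructed version string, not captured tool output.
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(name, assess("dnsdist 1.9.8", cfg))
```

Run it against the output of `dnsdist --version` and your real configuration file instead of the constructed samples; a frontend listed under `nghttp2_frontends` on an affected version is the one to switch to `library="h2o"` until the upgrade to 1.9.9 is done.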

As the use of DoH continues to grow, ensuring the security of these services is paramount to prevent disruptions and maintain network integrity. 

Users are encouraged to apply the patch or implement the workaround to protect against potential attacks.

