CVE-2024-25581

HIGH

DNSdist - Denial of Service via DNS over HTTPS AXFR/IXFR Request

Title source: llm

Description

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends are using plain DNS (Do53) by default.

References (2)

Core 2

Core References

Various Sources

https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html

Mailing List

http://www.openwall.com/lists/oss-security/2024/05/13/1

Scores

CVSS v3 7.5

EPSS 0.0108

EPSS Percentile 60.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (4)

PowerDNS/DNSdist 1.9.0

PowerDNS/DNSdist 1.9.1

PowerDNS/DNSdist 1.9.2

PowerDNS/DNSdist 1.9.3

Published May 14, 2024

Tracked Since Feb 18, 2026