A significant security flaw, identified as CVE-2025-30194, has been discovered in PowerDNS’s DNSdist, a widely used DNS load balancer and security tool. The vulnerability allows an unauthenticated remote attacker to trigger a denial-of-service (DoS) condition through the DNS-over-HTTPS (DoH) frontend, crashing the DNSdist process.
Understanding the Vulnerability
The issue affects DNSdist versions 1.9.0 through 1.9.8 when configured to use the nghttp2 library for serving incoming DoH requests. An attacker can exploit the flaw by sending a specially crafted DoH exchange over HTTP/2, causing the same memory region to be freed twice. This double free (the weakness class CWE catalogues as CWE-415, Double Free) leads to an illegal memory access that terminates the DNSdist process, disrupting DNS resolution for every client behind that instance.
Technical Details
The vulnerability arises from incorrect memory management while handling a maliciously structured DoH exchange. By sending a specific sequence of HTTP/2 frames, an attacker can make DNSdist attempt to free the same allocation twice, which crashes the process. The attack requires no authentication, no user interaction and only network reachability of the DoH listener, and its impact is limited to availability; this combination earned it a CVSS v3.1 base score of 7.5 (High).
It’s important to note that this issue only manifests in configurations using the nghttp2 provider for incoming DoH traffic, which has been the default since DNSdist 1.9.0 whenever nghttp2 support is compiled in. Systems that serve DoH through the older h2o library, systems running versions before 1.9.0 (where h2o was the only DoH provider), and instances that expose no DoH frontend at all are not affected.
Potential Impact
DNSdist is often deployed in critical infrastructure roles, including in front of recursive resolver farms and authoritative DNS clusters, and as a DDoS-mitigation layer shielding other DNS servers. A crash of the load balancer therefore takes down every backend behind it at once, not just the DoH service. An unpatched instance could experience prolonged outages, because restarting the crashed process (or letting a supervisor restart it automatically) only provides relief until the attacker repeats the cheap, unauthenticated request.
Discovery and Response
The vulnerability was discovered by Charles Howes, who promptly reported it to PowerDNS. In response, PowerDNS published a security advisory and released a fixed version, 1.9.9, a reminder of how much community reporting contributes to the security of critical infrastructure software.
Mitigation Measures
To address this vulnerability, users are advised to upgrade to the patched version 1.9.9 of DNSdist. For those unable to upgrade immediately, a temporary workaround is to switch the DoH frontend to the h2o provider until the update can be applied; this requires that the DNSdist build was compiled with h2o support and that the process is restarted with the changed configuration. The workaround keeps DoH services operational while removing the vulnerable nghttp2 code path, but it should be treated as a stopgap and reverted once 1.9.9 is deployed.
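The configuration change behind the workaround, as an added illustration rather than text from the PowerDNS advisory. DNSdist is configured in Lua; the listener address, certificate paths and backend address below are assumed placeholders, and the `library` option of `addDOHLocal()` is the documented way to select the HTTP/2 provider in 1.9.x:

```lua
-- dnsdist.conf (added example; addresses and file paths are assumed)

-- Backend resolver that DNSdist load-balances to.
newServer({address = "192.0.2.53:53"})

-- Affected configuration on DNSdist 1.9.0 through 1.9.8:
-- with no `library` option, the DoH frontend defaults to nghttp2
-- whenever DNSdist was built with nghttp2 support, so this listener
-- exposes the CVE-2025-30194 double free to any remote client.
-- addDOHLocal("0.0.0.0:443",
--             "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
--             {"/dns-query"})

-- Temporary workaround until 1.9.9 is deployed: pin the frontend to
-- the h2o provider. This only works if the build includes h2o support
-- (check the feature list printed by `dnsdist --version`), and the
-- process must be restarted for the change to take effect.
addDOHLocal("0.0.0.0:443",
            "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem",
            {"/dns-query"},
            {library = "h2o"})
```

Keep only one of the two `addDOHLocal()` lines active, since both bind the same address and port. Once the instance is upgraded to 1.9.9 the `library = "h2o"` option can be dropped again so the frontend returns to the default provider.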
Conclusion
The discovery of this vulnerability underscores the importance of keeping software up to date, especially for critical infrastructure components such as DNS services, where a single crashed process can take an entire resolver pool offline. As DoH adoption continues to grow, the HTTP/2 parsing layer in front of DNS becomes part of the attack surface that must be kept patched. Users are encouraged to upgrade to DNSdist 1.9.9, or to apply the h2o workaround until they can, to protect against attacks on this flaw.