PowerDNS has issued a security advisory for its DNSdist software, warning of a high-severity vulnerability that lets a remote attacker crash the service, causing a denial of service (DoS), through a crafted DNS-over-HTTPS (DoH) exchange.
The flaw, tracked as CVE-2025-30194 (CVSS score 7.5), affects DNSdist versions 1.9.0 through 1.9.8 when they are configured to serve DoH via the nghttp2 provider.
An attacker exploits the bug by sending a specially crafted DoH exchange that triggers an illegal memory access (a double-free) and crashes the dnsdist process.
The advisory describes the impact as denial of service only, not code execution or data disclosure, but the operational risk is significant.
Organizations relying on DNSdist for critical DNS resolution face an outage until the crashed process is restarted, and because the trigger needs no authentication the attacker can simply resend it, so an automatic restart alone turns the outage into a crash loop rather than fixing it.
| Field | Details |
| --- | --- |
| Vulnerability ID | CVE-2025-30194 |
| Product | PowerDNS DNSdist |
| Affected Versions | 1.9.0 up to 1.9.8 |
| Not Affected | <1.9.0 and 1.9.9+ |
| Severity | High |
| CVSS Score | 7.5 (only for configurations with nghttp2 DoH enabled) |
| Impact | Denial of Service (DoS) via application crash |
PowerDNS released version 1.9.9 to address the flaw, urging all users to upgrade immediately.
For those unable to patch promptly, switching the DoH frontends to the h2o provider (the `library` option of addDOHLocal()) serves as a temporary workaround; the bug lives only in the nghttp2 code path.
“This issue highlights the importance of proactive vulnerability management in DNS infrastructure,” stated a PowerDNS spokesperson. “We commend Charles Howes for responsibly disclosing this flaw.”
Key Advisory Points
- Affected Versions: DNSdist 1.9.0 to 1.9.8 (versions <1.9.0 and ≥1.9.9 are unaffected).
- Impact: Remote DoS via service crash.
- Exploitability: Requires DoH enabled via nghttp2; no authentication needed.
- Solution: Upgrade to DNSdist 1.9.9, or switch the affected DoH frontends to the h2o provider.
DNSdist, a widely used DNS load balancer and protector, plays a critical role in managing query traffic and mitigating DDoS attacks.
This vulnerability underscores the risks of memory management flaws in high-performance networking tools.
Recommendations for Users:
- Patch Immediately: Apply the 1.9.9 update from PowerDNS’s official repository.
- Audit Configurations: Check `dnsdist --version` for nghttp2 in the compiled-in features, then review every addDOHLocal() call: a frontend with `library="nghttp2"`, or with no `library` option at all on a build that has nghttp2, is exposed.
- Monitor Traffic: Watch the DoH frontend counters (for example `showDOHFrontends()` in the dnsdist console) and the process's crash and restart history; repeated dnsdist crashes while DoH traffic is arriving are the symptom to look for.
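To make the audit and workaround steps above repeatable, here is an added shell script (it is not PowerDNS code and does not come from the advisory) that checks a DNSdist version string against the affected range and classifies each addDOHLocal() frontend in a configuration file by its HTTP/2 provider. It assumes the `library` option of addDOHLocal() selects "nghttp2" or "h2o" and that a frontend without that option runs on nghttp2 when a 1.9.x build has it compiled in; the sample configuration is constructed for the demonstration, and the `dnsdist --version` output format mentioned in the comments is an assumption to verify on your own host.

```shell
#!/bin/sh
# Added audit helper for CVE-2025-30194; not DNSdist code and not from the advisory.
# Assumptions (verify against your build and the addDOHLocal() docs): DoH frontends are
# declared with addDOHLocal(...), the HTTP/2 provider is chosen with the `library`
# option ("nghttp2" or "h2o"), and a frontend that omits `library` runs on nghttp2
# when a 1.9.x build has it compiled in.

# Succeed when $1 is a DNSdist release in the affected range 1.9.0 to 1.9.8.
is_affected_version() {
  ver=$1
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;           # "1.9" is read as 1.9.0
  esac
  patch=${patch%%[!0-9]*}     # drop any non-numeric suffix
  [ "$major" = 1 ] && [ "$minor" = 9 ] && [ "${patch:-0}" -le 8 ]
}

# Print "<listen-address> <provider>" for every addDOHLocal() call in config file $1.
# provider is nghttp2, h2o, or "default" when the call sets no library= option.
# Single-line calls only; a call split across lines needs a Lua-aware parser.
doh_frontends() {
  grep -E '^[[:space:]]*addDOHLocal[[:space:]]*\(' "$1" | while IFS= read -r line; do
    addr=$(printf '%s\n' "$line" | sed -E "s/^[^(]*\([[:space:]]*[\"']([^\"']*)[\"'].*/\1/")
    case "$line" in
      *library*nghttp2*) prov=nghttp2 ;;
      *library*h2o*)     prov=h2o ;;
      *)                 prov=default ;;
    esac
    printf '%s %s\n' "$addr" "$prov"
  done
}

# Print how many frontends would run on nghttp2, explicitly or by default.
exposed_count() {
  doh_frontends "$1" | grep -Ec ' (nghttp2|default)$' || true
}

# Succeed when version $1 is affected and config $2 has at least one exposed frontend.
needs_action() {
  is_affected_version "$1" && [ "$(exposed_count "$2")" -gt 0 ]
}

# Constructed sample configuration for the demonstration (not a real deployment):
# one frontend pinned to nghttp2, one left on the default, one already moved to h2o.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
newServer({address="192.0.2.53"})
addDOHLocal("192.0.2.10:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem", {"/dns-query"}, {library="nghttp2"})
addDOHLocal("[2001:db8::10]:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem", {"/dns-query"})
addDOHLocal("192.0.2.11:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem", {"/dns-query"}, {library="h2o"})
EOF

# On a live host, replace the loop with the running version and real config path, e.g.
#   ver=$(dnsdist --version | awk 'NR==1 {print $2}')   (assumed output format)
#   needs_action "$ver" /etc/dnsdist/dnsdist.conf
for ver in 1.9.8 1.9.9; do
  if needs_action "$ver" "$SAMPLE_CONF"; then
    echo "dnsdist $ver: affected; $(exposed_count "$SAMPLE_CONF") DoH frontend(s) on nghttp2."
    echo "  Upgrade to 1.9.9, or add library=\"h2o\" to each of these frontends:"
    doh_frontends "$SAMPLE_CONF" | grep -E ' (nghttp2|default)$' | sed 's/^/    /'
  else
    echo "dnsdist $ver: not in the affected range for this configuration."
  fi
done
```

In the sample, the first two frontends are the weak setting (explicit nghttp2 and the implicit default) and the third shows the workaround, `library="h2o"`, already applied. The provider check is a line-level heuristic on purpose; if your configuration builds the options table elsewhere in Lua, read the addDOHLocal() calls by hand instead of trusting the script.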
PowerDNS has confirmed no evidence of active exploitation but advises vigilance.
This incident follows a growing trend of DNS-layer vulnerabilities, emphasizing the need for robust code auditing in open-source infrastructure projects. PowerDNS has committed to enhancing its fuzz-testing protocols to prevent similar issues.