PowerDNS DNSdist Denial-of-Service Vulnerability via Crafted DNS over HTTPS Exchange

Vulnerability

A denial-of-service vulnerability has been identified in PowerDNS DNSdist versions 1.9.0 prior to 1.9.10 and 2.0.0. When DNSdist is set to use the nghttp2 library for processing incoming DNS over HTTPS (DoH) queries, an attacker can exploit this vulnerability by creating a DoH exchange that triggers an unbounded input/output read loop. This exploitation leads to unexpected CPU resource consumption, causing a denial-of-service condition.

Impact

Exploitation of this vulnerability causes excessive CPU resource usage, leading to a denial-of-service condition where the server becomes unresponsive or significantly slower.

Remediation

Users can upgrade to DNSdist versions 1.9.11 or 2.0.1, both of which include the necessary patch. Alternatively, DNSdist can be configured to use the h2o library as its DoH provider instead of nghttp2; that code path is not affected by this vulnerability.
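As an added example (not taken from the advisory or from the PowerDNS project), the two dnsdist configuration fragments below show the affected DoH listener definition beside the h2o workaround. The `library` option of `addDOHLocal` is assumed from the dnsdist documentation; the listen address, certificate path and key path are constructed placeholders.

```lua
-- Added example, not part of the advisory or of the dnsdist project.
-- Assumption: addDOHLocal's `library` option selects the HTTP backend
-- ("nghttp2" or "h2o") used for incoming DoH, per the dnsdist docs.
-- The address and file paths are constructed placeholders.

-- Affected setup: incoming DoH handled by nghttp2 on an unpatched build
-- (the code path the advisory describes). Kept commented out for contrast.
-- addDOHLocal("0.0.0.0:443",
--             "/etc/dnsdist/example.pem",   -- placeholder certificate
--             "/etc/dnsdist/example.key",   -- placeholder private key
--             { "/dns-query" },
--             { library = "nghttp2" })

-- Workaround from the Remediation section: same listener, same paths,
-- but DoH is served through the h2o provider, which is not affected.
addDOHLocal("0.0.0.0:443",
            "/etc/dnsdist/example.pem",     -- placeholder certificate
            "/etc/dnsdist/example.key",     -- placeholder private key
            { "/dns-query" },
            { library = "h2o" })
```

Upgrading to 1.9.11 or 2.0.1 remains the complete fix; the h2o setting only avoids the affected nghttp2 path until the upgrade is done.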

Added: Sep 18, 2025, 10:18 AM
Updated: Sep 18, 2025, 1:59 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 7.6
remediation: 7.7
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.