PowerDNS Recursor Denial-of-Service Vulnerability via TCP NOTIFY Queries

Vulnerability

A denial-of-service vulnerability has been identified in PowerDNS Recursor versions up to and including 5.3.2, 5.2.6, and 5.1.8. The issue arises from insufficient validation of incoming NOTIFY queries over TCP, allowing an attacker to clear cached records, which can disrupt normal DNS resolution processes.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition by allowing the removal of cached DNS records, potentially causing increased latency or failure in DNS resolution.

Remediation

Upgrade to PowerDNS Recursor 5.3.3, 5.2.7, or 5.1.9 (the first fixed release in each affected branch), or configure the server so that it does not accept incoming NOTIFY queries over TCP.
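As an added example (not code from this advisory or from the PowerDNS project), the following Python covers the two checks a defender would want after reading the above: whether a reported Recursor version string is below the fixed release for its branch, using only the version numbers stated on this page, and whether a captured client-to-server TCP DNS byte stream contains inbound NOTIFY messages (opcode 4, RFC 1996), which is the traffic class this advisory concerns. The sample stream is constructed inline, and all function names are this example's own.

```python
import struct
from typing import Iterator, Optional

# Opcode 4 is NOTIFY (RFC 1996); the advisory concerns NOTIFY arriving over TCP.
NOTIFY_OPCODE = 4
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}

# First fixed release per branch, taken from the advisory text above.
FIXED_RELEASES = {(5, 3): (5, 3, 3), (5, 2): (5, 2, 7), (5, 1): (5, 1, 9)}


def is_vulnerable_version(version: str) -> Optional[bool]:
    """True if the version predates the fix for its branch, False if fixed,
    None if the branch is not one the advisory covers."""
    parts = tuple(int(p) for p in version.strip().split("."))
    fixed = FIXED_RELEASES.get(parts[:2])
    if fixed is None:
        return None
    return parts < fixed


def encode_qname(name: str) -> bytes:
    # Uncompressed wire-format name: length-prefixed labels plus root terminator.
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_message(opcode: int, qname: str, qtype: int, msg_id: int) -> bytes:
    # Header: ID, flags (opcode in bits 11-14), QD/AN/NS/AR counts; one question.
    flags = (opcode & 0xF) << 11
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", qtype, 1)


def frame_for_tcp(message: bytes) -> bytes:
    # DNS over TCP (RFC 1035 4.2.2): 2-byte big-endian length before each message.
    return struct.pack("!H", len(message)) + message


def iter_tcp_messages(stream: bytes) -> Iterator[bytes]:
    # Walk the length-prefixed framing; a truncated trailing frame is ignored.
    offset = 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        offset += 2
        if offset + length > len(stream):
            break
        yield stream[offset:offset + length]
        offset += length


def decode_qname(message: bytes, offset: int) -> str:
    # Decode an uncompressed name from the question section.
    labels = []
    while offset < len(message):
        length = message[offset]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: not expected in a question name
            labels.append("<compressed>")
            break
        offset += 1
        labels.append(message[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) + "."


def summarize_message(message: bytes) -> Optional[dict]:
    # Return id/opcode/qr/qname for one message, or None if too short to parse.
    if len(message) < 12:
        return None
    msg_id, flags, qdcount = struct.unpack_from("!HHH", message, 0)
    opcode = (flags >> 11) & 0xF
    qname = decode_qname(message, 12) if qdcount else ""
    return {"id": msg_id, "opcode": OPCODE_NAMES.get(opcode, str(opcode)),
            "qr": bool(flags >> 15), "qname": qname}


def find_tcp_notifies(stream: bytes) -> list:
    # Inbound NOTIFY messages (QR=0, opcode 4) in a client-to-server TCP stream.
    # The QR check matters because NOTIFY responses carry the same opcode.
    hits = []
    for message in iter_tcp_messages(stream):
        info = summarize_message(message)
        if info and info["opcode"] == "NOTIFY" and not info["qr"]:
            hits.append(info)
    return hits


# Constructed sample: an ordinary A query, then a NOTIFY for the same zone
# (question type SOA = 6), then a deliberately truncated frame.
SAMPLE_STREAM = (
    frame_for_tcp(build_dns_message(0, "example.com.", 1, 0x1001))
    + frame_for_tcp(build_dns_message(NOTIFY_OPCODE, "example.com.", 6, 0x1002))
    + b"\x00\x40" + b"\x00" * 5
)

if __name__ == "__main__":
    for hit in find_tcp_notifies(SAMPLE_STREAM):
        print(f"NOTIFY over TCP: id={hit['id']:#06x} zone={hit['qname']}")
    for v in ("5.3.2", "5.3.3", "5.1.8"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

In practice the bytes handed to `find_tcp_notifies` would come from the server side of a port 53/tcp capture; on a resolver that should never receive NOTIFY, any hit is worth an alert regardless of the patch level, and `is_vulnerable_version` tells you whether the branch you run still needs the upgrade listed above.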

Added: Dec 9, 2025, 7:17 PM
Updated: Dec 9, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread             4.5
  impact             2.5
  exploitability     7.0
  remediation        7.9
  relevance          1.3
  threat             0.0
  urgency            2.9
  incentive          5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.