CVE-2024-25581
📋 TL;DR
This vulnerability allows an attacker to cause a denial of service in DNSdist by sending a DNS zone transfer request (AXFR or IXFR) over DNS over HTTPS (DoH) when specific configurations are enabled. It affects DNSdist installations with DoH enabled using the nghttp2 provider and backends configured as TCP-only or DNS over TLS (DoT). The service crashes due to an assertion failure.
💻 Affected Systems
- DNSdist
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
DNSdist process crashes, causing complete DNS resolution failure for all clients relying on it, leading to extended service outage.
Likely Case
Targeted DoS attack against vulnerable DNSdist instances, causing temporary service disruption until process restarts.
If Mitigated
No impact if DoH is disabled or proper filtering/patches are applied.
🎯 Exploit Status
Simple DoS attack requiring only the ability to send crafted DoH requests. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: DNSdist 1.9.4 and 1.10.0
Vendor Advisory: https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2024-03.html
Restart Required: Yes
Instructions:
1. Download the patched version from the PowerDNS repository.
2. Stop the DNSdist service.
3. Install the updated package.
4. Restart the DNSdist service.
5. Verify the service is running and responding.
🔧 Temporary Workarounds
Disable DNS over HTTPS
Disable DoH functionality entirely if it is not required.
# Edit DNSdist configuration and remove/comment DoH settings
# Remove lines like: addDOHLocal('0.0.0.0:443')
Filter AXFR/IXFR requests
Add a rule to block zone transfer requests over DoH.
-- Add to the DNSdist configuration (Lua). QTypeRule matches on the query type,
-- so this drops AXFR and IXFR on every listener, DoH included, before the
-- query can be forwarded to a TCP-only or DoT backend.
addAction(QTypeRule(DNSQType.AXFR), DropAction())
addAction(QTypeRule(DNSQType.IXFR), DropAction())
🧯 If You Can't Patch
- Disable DNS over HTTPS support completely
- Implement network filtering to block AXFR/IXFR requests from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check the DNSdist configuration for DoH enabled with the nghttp2 provider together with TCP-only or DNS over TLS backends. Check the version with 'dnsdist --version'.
Check Version:
dnsdist --version
Verify Fix Applied:
Verify the running version is 1.9.4 or 1.10.0 or higher. Test that DoH functionality remains operational.
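A small checker for the two conditions just described (vulnerable configuration and unpatched version), added here as an example and not tooling from this page or from PowerDNS. It assumes a Lua-style dnsdist configuration in which addDOHLocal() takes an options table whose library key names the provider and newServer() takes tcpOnly=true or a tls= option, and it encodes only the fixed versions stated above; the sample configuration and version string are constructed.

```python
import re

# Fixed releases named on this page: 1.9.4 (1.9 branch) and 1.10.0.
FIXED = ((1, 9, 4), (1, 10, 0))

def parse_version(output):
    """Pull (major, minor, patch) out of 'dnsdist --version' output."""
    m = re.search(r"dnsdist\s+(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(x) for x in m.groups()) if m else None

def is_fixed(version):
    """True once the running version is at or past the fix for its branch."""
    for fixed in FIXED:
        if version[:2] == fixed[:2]:
            return version >= fixed
    return version >= FIXED[-1]  # branches after 1.10 carry the fix; 1.8 and older do not

def check_config(text):
    """Find config lines that together form the vulnerable DoH + backend combination."""
    doh, backends = [], []  # nghttp2 DoH listeners / TCP-only or DoT backends
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("--"):
            continue  # Lua comment
        if stripped.startswith("addDOHLocal("):
            lib = re.search(r"""library\s*=\s*["'](\w+)["']""", stripped)
            # No explicit library: provider unknown here, keep it flagged for manual review
            if lib is None or lib.group(1) == "nghttp2":
                doh.append(stripped)
        elif stripped.startswith("newServer("):
            if re.search(r"tcpOnly\s*=\s*true", stripped) or re.search(r"\btls\s*=", stripped):
                backends.append(stripped)
    return {"doh": doh, "backends": backends, "exposed": bool(doh and backends)}

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONFIG = """
setLocal("0.0.0.0:53")
addDOHLocal("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem", {"/dns-query"}, {library="nghttp2"})
newServer({address="192.0.2.10:53", tcpOnly=true})
newServer({address="192.0.2.11:853", tls="openssl", subjectName="dot.example"})
newServer({address="192.0.2.12:53"})
"""

if __name__ == "__main__":
    result = check_config(SAMPLE_CONFIG)
    version = parse_version("dnsdist 1.9.3 (Lua 5.4)")  # constructed version string
    print("exposed config:", result["exposed"], "| patched:", is_fixed(version))
```

Run it against the real configuration file and the real 'dnsdist --version' output; an exposed configuration on an unpatched version is the combination the advisory describes.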
📡 Detection & Monitoring
Log Indicators:
- DNSdist process crashes/restarts
- Assertion failure logs mentioning DoH or AXFR/IXFR
Network Indicators:
- Unusual volume of DoH requests for AXFR/IXFR queries
SIEM Query:
source="dnsdist" AND ("assertion failure" OR "crash" OR "AXFR" OR "IXFR")