CVE-2025-30192
📋 TL;DR
This vulnerability in PowerDNS Recursor makes it easier for an attacker to spoof responses to queries the recursor sends with EDNS Client Subnet (ECS) than to spoof responses to queries sent without ECS. It affects PowerDNS Recursor installations that use ECS functionality. The vulnerability enables DNS cache poisoning attacks that could redirect users to malicious sites.
💻 Affected Systems
- PowerDNS Recursor
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Successful DNS cache poisoning leading to widespread traffic redirection to attacker-controlled infrastructure, enabling phishing, malware distribution, or credential theft across all users of the affected DNS resolver.
Likely Case
Targeted DNS spoofing attacks redirecting specific users or services to malicious sites for phishing or credential harvesting.
If Mitigated
Minimal impact with proper ECS hardening enabled and updated software, though some spoofing attempts might still succeed with lower probability.
🎯 Exploit Status
Exploitation requires network access to send spoofed DNS responses and knowledge of ECS query patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.6 or 5.0.3
Vendor Advisory: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2025-04.html
Restart Required: Yes
Instructions:
1. Download PowerDNS Recursor 4.9.6 or 5.0.3 from official repositories.
2. Stop the recursor service.
3. Install the updated package.
4. Enable the outgoing.edns_subnet_harden setting.
5. Restart the recursor service.
🔧 Temporary Workarounds
Enable ECS Subnet Hardening
Enable the outgoing.edns_subnet_harden setting to enforce stricter validation of ECS responses
rec_control set outgoing.edns_subnet_harden true
Disable ECS Functionality
Temporarily disable EDNS Client Subnet support if it is not required
rec_control set edns-subnet-whitelist ""
🧯 If You Can't Patch
- Enable outgoing.edns_subnet_harden setting immediately
- Implement DNS response validation at network perimeter
🔍 How to Verify
Check if Vulnerable:
Check the PowerDNS Recursor version with pdns_recursor --version and inspect recursor.conf for ECS settings
Check Version:
pdns_recursor --version | grep Version
Verify Fix Applied:
Verify that the version is 4.9.6/5.0.3 or higher and that outgoing.edns_subnet_harden is enabled
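The two checks above (version at or above the fixed release, hardening setting enabled) can be scripted. The helper below is an added example written for this page; it is not PowerDNS code and not the verification script the page refers to. The fixed versions 4.9.6 / 5.0.3 and the setting name outgoing.edns_subnet_harden come from the page; the banner format of pdns_recursor --version, the old-style spelling edns-subnet-harden=yes, and the sample inputs are assumptions (the samples are constructed so the script runs offline). Version branches the page gives no data for are reported as "unknown" rather than guessed.

```shell
#!/bin/sh
# Added verification helper for CVE-2025-30192 (example code, not part of
# PowerDNS or of this page's own tooling). Assumptions: the version banner
# contains an x.y.z version, and the hardening setting is spelled either
# "edns-subnet-harden=yes" (old-style config) or "edns_subnet_harden: true"
# (new-style YAML, normally nested under "outgoing:").

# Pull the first x.y.z version out of a banner line such as the output of
# "pdns_recursor --version" (exact banner format is an assumption).
extract_version() {
    printf '%s\n' "$1" | grep -o -E '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Classify a version against the fixed releases named on the page.
# Prints: fixed | vulnerable | unknown (branch the page gives no data for).
version_status() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    patch=${patch:-0}
    case "$major.$minor" in
        4.9) [ "$patch" -ge 6 ] && echo fixed || echo vulnerable ;;
        5.0) [ "$patch" -ge 3 ] && echo fixed || echo vulnerable ;;
        *)   echo unknown ;;   # consult the vendor advisory for this branch
    esac
}

# Succeeds (exit 0) when the config file has the hardening setting enabled.
# The regex does not check YAML nesting, only the key/value line itself.
harden_enabled() {
    grep -E -q '^[[:space:]]*edns[-_]subnet[-_]harden[[:space:]]*[=:][[:space:]]*(yes|true)[[:space:]]*$' "$1"
}

# Overall verdict: "ok" only when the version is fixed AND hardening is on,
# mirroring the "Verify Fix Applied" step on the page.
verdict() {
    ver=$(extract_version "$1")
    status=$(version_status "$ver")
    if [ "$status" = fixed ] && harden_enabled "$2"; then
        echo ok
    elif [ "$status" = fixed ]; then
        echo fixed-version-but-hardening-off
    else
        echo "$status"
    fi
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_DIR=$(mktemp -d)
printf 'local-address=127.0.0.1\nedns-subnet-harden=yes\n' > "$SAMPLE_DIR/hardened.conf"
printf 'local-address=127.0.0.1\n' > "$SAMPLE_DIR/plain.conf"

# On a live host, replace the constructed inputs with something like:
#   verdict "$(pdns_recursor --version 2>&1)" /etc/powerdns/recursor.conf
verdict 'PowerDNS Recursor 5.0.3' "$SAMPLE_DIR/hardened.conf"
verdict 'PowerDNS Recursor 4.9.5' "$SAMPLE_DIR/plain.conf"
```

The script deliberately returns "unknown" for any branch other than 4.9 and 5.0, because the page itself notes that the vulnerability database lacks complete version ranges; treat that result as "review the vendor advisory", not as "safe".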
📡 Detection & Monitoring
Log Indicators:
- Unusual DNS response patterns
- Multiple failed ECS query validations
- Suspicious source IPs in DNS queries
Network Indicators:
- Unexpected DNS response traffic patterns
- Spoofed DNS responses to ECS queries
SIEM Query:
source="pdns_recursor" AND (message="validation failed" OR message="ECS spoofing attempt")