Dnsdist
by PowerDNS
CVEs (25)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7557 | PowerDNS / Dnsdist | High | 0.57 | 8.8 | 0.01 | | Aug 22, 2017 | dnsdist version 1.1.0 is vulnerable to a flaw in the authentication mechanism for the REST API, potentially allowing a CSRF attack. |
| CVE-2026-33593 | PowerDNS / Dnsdist | High | 0.49 | 7.5 | 0.00 | | Apr 22, 2026 | A client can trigger a divide-by-zero error leading to a crash by sending a crafted DNSCrypt query. |
| CVE-2025-30193 | PowerDNS / Dnsdist | High | 0.49 | 7.5 | 0.01 | | May 20, 2025 | In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist,… |
| CVE-2025-30194 | PowerDNS / Dnsdist | High | 0.49 | 7.5 | 0.02 | | Apr 29, 2025 | When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched… |
| CVE-2024-25581 | PowerDNS / Dnsdist | High | 0.49 | 7.5 | 0.01 | | May 14, 2024 | When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a TCP-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing… |
| CVE-2026-33602 | PowerDNS / Dnsdist | Med | 0.42 | 6.5 | 0.01 | | Apr 22, 2026 | A rogue backend can send a crafted UDP response with a query ID off by one relative to the maximum configured value, triggering an out-of-bounds write leading to a denial of service. |
| CVE-2026-24029 | PowerDNS / Dnsdist | Med | 0.42 | 6.5 | 0.00 | | Mar 31, 2026 | When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL. |
| CVE-2016-7069 | PowerDNS / Dnsdist | Med | 0.39 | 5.9 | 0.05 | | Sep 11, 2018 | An issue has been found in dnsdist before 1.2.0 in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the response may contain an EDNS0 OPT record that has to be removed before forwarding… |
| CVE-2026-27853 | PowerDNS / Dnsdist | Med | 0.38 | 5.9 | 0.00 | | Mar 31, 2026 | An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and… |
| CVE-2026-33595 | PowerDNS / Dnsdist | Med | 0.34 | 5.3 | 0.00 | | Apr 22, 2026 | A client can trigger excessive memory allocation by generating a lot of error responses over a single DoQ or DoH3 connection, as some resources were not properly released until the end of the connection. |
| CVE-2026-33594 | PowerDNS / Dnsdist | Med | 0.34 | 5.3 | 0.00 | | Apr 22, 2026 | A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate in a buffer that will not be released until the end of the connection. |
| CVE-2026-33254 | PowerDNS / Dnsdist | Med | 0.34 | 5.3 | 0.00 | | Apr 22, 2026 | An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DoQ and DoH3 are disabled by default. |
| CVE-2026-33260 | PowerDNS / Dnsdist | Med | 0.34 | 5.3 | 0.01 | | Apr 22, 2026 | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
| CVE-2026-33257 | PowerDNS / Dnsdist | Med | 0.34 | 5.3 | 0.01 | | Apr 22, 2026 | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
| CVE-2026-24030 | PowerDNS / Dnsdist | Med | 0.34 | 5.3 | 0.01 | | Mar 31, 2026 | An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC… |
| CVE-2026-24028 | PowerDNS / Dnsdist | Med | 0.34 | 5.3 | 0.01 | | Mar 31, 2026 | An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory,… |
| CVE-2026-33598 | PowerDNS / Dnsdist | Med | 0.31 | 4.8 | 0.01 | | Apr 22, 2026 | A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache. |
| CVE-2026-27854 | PowerDNS / Dnsdist | Med | 0.31 | 4.8 | 0.00 | | Mar 31, 2026 | An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus… |
| CVE-2026-33597 | PowerDNS / Dnsdist | Low | 0.24 | 3.7 | 0.00 | | Apr 22, 2026 | PRSD detection denial of service. |
| CVE-2025-30187 | PowerDNS / Dnsdist | Low | 0.24 | 3.7 | 0.00 | | Sep 18, 2025 | In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption… |
Page 1 of 2