CVE-2025-30193 Information

Description

In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist.

The remedy is: upgrade to the patched 1.9.10 version.

A workaround is to restrict the maximum number of queries on incoming TCP connections to a safe value like 50 via the setMaxTCPQueriesPerConnection setting.
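One way to check whether a DNSdist Lua configuration already applies this workaround, as an added example that is not part of the advisory or of DNSdist itself. It assumes the limit is set with a literal integer and that an unset or 0 value means unlimited; the sample configurations are constructed.

```python
import re
import sys

SAFE_MAX = 50  # the value the advisory gives as an example of a safe limit
CALL = re.compile(r"\bsetMaxTCPQueriesPerConnection\s*\(\s*(\d+)\s*\)")

# Constructed sample configurations, for illustration only.
SAMPLE_UNSET = """
setLocal("192.0.2.1:53")
newServer({address="192.0.2.53"})
-- setMaxTCPQueriesPerConnection(50)
"""
SAMPLE_FIXED = """
setLocal("192.0.2.1:53")
--[[ previous value:
setMaxTCPQueriesPerConnection(0)
]]
setMaxTCPQueriesPerConnection(50)
"""

def strip_lua_comments(text):
    """Drop --[[ ... ]] blocks, then -- line comments ('--' in string literals is not handled)."""
    text = re.sub(r"--\[\[.*?\]\]", "", text, flags=re.S)
    return re.sub(r"--.*", "", text)

def effective_limit(config_text):
    """Return the last literal limit set in the config, or None if it is never set."""
    values = CALL.findall(strip_lua_comments(config_text))
    return int(values[-1]) if values else None

def audit(config_text):
    """Classify a config as UNLIMITED, REVIEW or OK with respect to the workaround."""
    limit = effective_limit(config_text)
    # Assumption: unset or 0 means unlimited queries per TCP connection.
    if limit is None or limit == 0:
        return "UNLIMITED: no per-connection TCP query limit is in effect"
    if limit > SAFE_MAX:
        return f"REVIEW: limit {limit} is above the advisory's example value {SAFE_MAX}"
    return f"OK: limit {limit}"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a dnsdist configuration file
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit(fh.read()))
    else:
        for name, sample in (("unset", SAMPLE_UNSET), ("fixed", SAMPLE_FIXED)):
            print(name, "->", audit(sample))
```

A commented-out call does not count as applying the workaround, which is why comments are stripped before matching.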

We would like to thank Renaud Allard for bringing this issue to our attention.

Reference

https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-03.html
