| Severity |
|
| Remote |
|
| Type |
| - |
Unknown |
| + |
Denial of service |
|
| Description |
| + |
PowerDNS Authoritative Server 4.5.0 will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected. |
| + |
|
| + |
Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)). |
| + |
|
| + |
When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service. |
|
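Review bot: the added Description says 4.5.0 is affected and addresses users who "cannot upgrade immediately", but it never names the release that contains the fix. Add the fixed version to the first paragraph, or refer explicitly to the patch listed under References, so readers know what to upgrade to.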
| References |
| + |
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html |
| + |
https://downloads.powerdns.com/patches/2021-01/pdns-4.5.0-2021-01.patch |
| + |
https://github.com/PowerDNS/pdns/commit/96cae2fd21054b383a16c569a363a50f71808cd9 |
|
| Notes |
| + |
Workaround |
| + |
========== |
| + |
|
| + |
Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)). |
|
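Review bot: the Workaround text added under Notes repeats, word for word, the dnsdist sentence already added to the Description. Keep it in one field only, preferably Notes under its Workaround heading, and drop the copy from the Description so the two cannot drift apart on a later edit.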