Severity |
|
Remote |
|
Type |
- |
Unknown |
+ |
Denial of service |
|
Description |
+ |
PowerDNS Authoritative Server 4.5.0 will crash with an uncaught out of bounds exception if it receives a query with QTYPE 65535. The offending code was not present in earlier versions, and they are not affected. |
+ |
|
+ |
Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)). |
+ |
|
+ |
When the PowerDNS Authoritative Server is run inside a supervisor like supervisord or systemd, an uncaught exception crash will lead to an automatic restart, limiting the impact to a somewhat degraded service. |
|
References |
+ |
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2021-01.html |
+ |
https://downloads.powerdns.com/patches/2021-01/pdns-4.5.0-2021-01.patch |
+ |
https://github.com/PowerDNS/pdns/commit/96cae2fd21054b383a16c569a363a50f71808cd9 |
|
Notes |
+ |
Workaround |
+ |
========== |
+ |
|
+ |
Users that cannot upgrade immediately, but do have dnsdist in place, can use dnsdist to filter such queries before they do harm, with something like addAction(QTypeRule(65535), RCodeAction(DNSRCode.REFUSED)). |
|
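The dnsdist workaround above matches on the QTYPE field in the query's question section. As an added example (not code from PowerDNS or from the advisory), this Python sketch reads that field from RFC 1035 wire format and classifies a query the way the rule would match it, for instance when reviewing captured traffic. The function names and sample packets are constructed for illustration.

```python
import struct

TRIGGER_QTYPE = 65535  # QTYPE named in the advisory text


def question_qtypes(packet: bytes) -> list[int]:
    """Return the QTYPE of each question in a DNS message (RFC 1035 wire format)."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    qdcount = struct.unpack_from("!H", packet, 4)[0]
    offset, qtypes = 12, []
    for _ in range(qdcount):
        while True:  # walk QNAME labels up to the zero-length root label
            if offset >= len(packet):
                raise ValueError("QNAME runs past end of packet")
            length = packet[offset]
            offset += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("pointer or reserved label type in question name")
            offset += length
        if offset + 4 > len(packet):
            raise ValueError("question truncated before QTYPE/QCLASS")
        qtypes.append(struct.unpack_from("!H", packet, offset)[0])
        offset += 4  # skip QTYPE and QCLASS
    return qtypes


def classify(packet: bytes) -> str:
    """Return 'trigger' if any question has QTYPE 65535, else 'ok' or 'malformed'."""
    try:
        qtypes = question_qtypes(packet)
    except ValueError:
        return "malformed"
    return "trigger" if TRIGGER_QTYPE in qtypes else "ok"


# Constructed sample queries: header, QNAME "example.com", QTYPE, QCLASS IN.
_HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
_QNAME = b"\x07example\x03com\x00"
SAMPLE_A = _HEADER + _QNAME + struct.pack("!HH", 1, 1)
SAMPLE_TRIGGER = _HEADER + _QNAME + struct.pack("!HH", TRIGGER_QTYPE, 1)
```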