Critical PowerDNS Vulnerability Enables Denial-of-Service via TCP Exploit

PowerDNS has announced the release of DNSdist 1.9.10, a critical update for its high-performance DNS proxy and load balancer, addressing a significant security flaw tracked as CVE-2025-30193.

This vulnerability, rated with a CVSS score of 7.5, allows remote, unauthenticated attackers to cause a Denial-of-Service (DoS) condition by exploiting the way DNSdist handles persistent TCP connections.

By sending specially crafted TCP payloads, attackers could exhaust server resources, potentially rendering DNS services unavailable to legitimate users.

The issue was initially reported through the PowerDNS public IRC channel, prompting a rapid response from the development team.

DNSdist typically operates in front of the PowerDNS Recursor, managing and directing DNS queries for optimal speed and security.

The vulnerability specifically affected the TCP connection handling mechanism, making it possible for attackers to disrupt query flow and overwhelm the service.

Mitigation and Work-Arounds: setMaxTCPQueriesPerConnection

While the recommended course of action is to upgrade to DNSdist 1.9.10 immediately, PowerDNS has provided a temporary mitigation for environments where immediate patching is not feasible.

Administrators can use the setMaxTCPQueriesPerConnection directive to limit the number of queries accepted over a single incoming TCP connection.

Setting this value to 50 has been tested and found to be effective without negatively impacting performance.

```lua
-- Example configuration to mitigate CVE-2025-30193
setMaxTCPQueriesPerConnection(50)
```

This configuration change helps prevent attackers from exploiting the flaw by restricting the potential for resource exhaustion via persistent TCP connections.

PowerDNS emphasizes that this is a temporary measure and that upgrading to the fixed version remains the best protection.
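To check a fleet of dnsdist instances against the advice above, the following added audit helper (not PowerDNS code) classifies each host as patched, mitigated or exposed from its `dnsdist --version` output and its Lua configuration. It assumes that any version at or above 1.9.10 carries the fix, that a configured `setMaxTCPQueriesPerConnection` value of 50 or lower counts as mitigated, and that the sample version string and configuration embedded below are constructed for illustration.

```python
"""Audit helper for CVE-2025-30193 exposure on a dnsdist host (added example)."""
import re
from typing import Optional, Tuple

FIXED_VERSION = (1, 9, 10)   # release the advisory names as carrying the fix
MITIGATION_LIMIT = 50        # per-connection query cap PowerDNS tested as effective


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a major.minor.patch triple from `dnsdist --version` style output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None


def configured_tcp_query_limit(config: str) -> Optional[int]:
    """Return the value passed to setMaxTCPQueriesPerConnection, or None if unset.

    Lua line comments ('--') are stripped first so a commented-out call does not
    count; block comments (--[[ ]]) are not handled by this simple scan.
    """
    limit = None
    for line in config.splitlines():
        code = line.split("--", 1)[0]
        m = re.search(r"setMaxTCPQueriesPerConnection\s*\(\s*(\d+)\s*\)", code)
        if m:
            limit = int(m.group(1))   # last call wins, as it would in Lua
    return limit


def assess(version_output: str, config: str) -> str:
    """Classify the host: 'patched', 'mitigated', or 'exposed' (neither applies)."""
    ver = parse_version(version_output)
    if ver is not None and ver >= FIXED_VERSION:   # assumption: >= 1.9.10 is fixed
        return "patched"
    limit = configured_tcp_query_limit(config)
    if limit is not None and limit <= MITIGATION_LIMIT:
        return "mitigated"
    return "exposed"


# Constructed sample inputs, not real host data.
SAMPLE_VERSION = "dnsdist 1.9.9"
SAMPLE_CONFIG = """
-- constructed sample dnsdist.conf
newServer({address="192.0.2.53"})
-- setMaxTCPQueriesPerConnection(1000)  -- old value, left commented out
setMaxTCPQueriesPerConnection(50)
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))   # mitigated
```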

Additional Stability and Performance Improvements

Beyond the critical security fix, DNSdist 1.9.10 delivers several other important bug fixes and enhancements aimed at improving stability and performance:

  • On FreeBSD systems, source addresses are now only passed on sockets bound to ANY, reducing unnecessary exposure and improving network handling.
  • The update introduces a limit on the number of proxy protocol-enabled outgoing TCP connections, which helps prevent resource overuse in complex deployments.
  • Cache lookup logic has been improved for scenarios involving unavailable TCP-only backends, ensuring more reliable DNS resolution.
  • A memory corruption issue related to the getAddressInfo function has been resolved, enhancing overall software robustness.
  • The proxy protocol payload size is now set only when needed, optimizing performance and reducing unnecessary processing overhead.

The release tarball, its cryptographic signature, and distribution-specific packages are available from the official PowerDNS repositories.

The development team encourages users to review the full changelog and documentation on the DNSdist website and to report any issues via the mailing list or GitHub.

PowerDNS continues to be a trusted provider for large-scale DNS service operators, underpinning secure and scalable DNS infrastructure for ISPs, cloud providers, and enterprises worldwide.

With this release, the company reaffirms its commitment to rapid response and proactive security for the global DNS ecosystem.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
