| CARVIEW |
Select Language
HTTP/2 200
content-type: text/html; charset=utf-8
content-length: 19948
date: Mon, 14 Jul 2025 10:38:42 GMT
last-modified: Mon, 07 Apr 2025 12:50:55 GMT
etag: "52d333161cfe5a2835b552f8d443a358"
x-amz-server-side-encryption: AES256
x-amz-meta-mtime: 1744030152
x-amz-version-id: 2vrgHLB7gldj1ZkanztVuPrOCnCIv2BD
accept-ranges: bytes
server: AmazonS3
x-cache: Miss from cloudfront
via: 1.1 14b5d848e0a4cab1de054891ea1e787c.cloudfront.net (CloudFront)
x-amz-cf-pop: HEL51-P1
x-amz-cf-id: uHNJ10aBwm2FN12DwdN9tkDuGitQTfLd9rdH7Aa_4M5mDV4ihjl4Vg==
PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination — PowerDNS Recursor documentation
Navigation
PowerDNS Recursor
Previous topic
Next topic
Contents
- Introduction
- Getting Started
- Operating PowerDNS Recursor
- DNSSEC in the PowerDNS Recursor
- PowerDNS Recursor Settings
- PowerDNS Recursor New Style (YAML) Settings
- Advanced Configuration Using Lua
- Scripting PowerDNS Recursor
- DNS64 support
- Metrics and Statistics
- Performance Guide
- Manual Pages
- Built-in Webserver and HTTP API
- Security of the PowerDNS Recursor
- Security Advisories
- PowerDNS Security Advisory 2025-01: A crafted zone can lead to an illegal memory access in the Recursor
- PowerDNS Security Advisory 2024-04: Crafted responses can lead to a denial of service due to cache inefficiencies in the Recursor
- PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of service in Recursor
- PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor
- PowerDNS Security Advisory 2023-02: Deterred spoofing attempts can lead to authoritative servers being marked unavailable
- PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination
- PowerDNS Security Advisory 2022-02: incomplete exception handling related to protobuf message generation
- PowerDNS Security Advisory 2022-01: incomplete validation of incoming IXFR transfer in Authoritative Server and Recursor
- PowerDNS Security Advisory 2020-07: Cache pollution
- PowerDNS Security Advisory 2020-04: Access restriction bypass
- PowerDNS Security Advisory 2020-03: Information disclosure
- PowerDNS Security Advisory 2020-02: Insufficient validation of DNSSEC signatures
- PowerDNS Security Advisory 2020-01: Denial of Service
- PowerDNS Security Advisory 2019-02: Insufficient validation of DNSSEC signatures
- PowerDNS Security Advisory 2019-01: Lua hooks are not applied in certain configurations
- PowerDNS Security Advisory 2018-09: Crafted query can cause a denial of service
- PowerDNS Security Advisory 2018-07: Crafted query for meta-types can cause a denial of service
- PowerDNS Security Advisory 2018-06: Packet cache pollution via crafted query
- PowerDNS Security Advisory 2018-04: Crafted answer can cause a denial of service
- PowerDNS Security Advisory 2018-01: Insufficient validation of DNSSEC signatures
- PowerDNS Security Advisory 2017-08: Crafted CNAME answer can cause a denial of service
- PowerDNS Security Advisory 2017-07: Memory leak in DNSSEC parsing
- PowerDNS Security Advisory 2017-06: Configuration file injection in the API
- PowerDNS Security Advisory 2017-05: Cross-Site Scripting in the web interface
- PowerDNS Security Advisory 2017-03: Insufficient validation of DNSSEC signatures
- PowerDNS Security Advisory 2016-04: Insufficient validation of TSIG signatures
- PowerDNS Security Advisory 2016-02: Crafted queries can cause abnormal CPU usage
- PowerDNS Security Advisory 2015-01: Label decompression bug can cause crashes or CPU spikes
- PowerDNS Security Advisory 2014-02: PowerDNS Recursor 3.6.1 and earlier can be made to provide bad service
- PowerDNS Security Advisory 2014-01: PowerDNS Recursor 3.6.0 can be crashed remotely
- PowerDNS Security Advisory 2010-02: PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data
- PowerDNS Security Advisory 2010-01: PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited
- PowerDNS Security Advisory 2008-01: System random generator can be predicted, leading to the potential to ‘spoof’ PowerDNS Recursor
- PowerDNS Security Advisory 2006-02: Zero second CNAME TTLs can make PowerDNS exhaust allocated stack space, and crash
- PowerDNS Security Advisory 2006-01: Malformed TCP queries can lead to a buffer overflow which might be exploitable
- Older security advisories
- Upgrade Guide
- Changelogs
- Newly Observed Domain Tracking
- Unique Domain Response
- End of life statements
- Frequently Asked Questions
- Compiling PowerDNS Recursor
- Cryptographic software and export control
- Internals of the PowerDNS Recursor
- Structured Logging Dictionary
- Conversion of old-style settings to YAML format
- PowerDNS/dnsdist license
This Page
- Docs
- Security Advisories
- PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination
PowerDNS Security Advisory 2023-01: unbounded recursion results in program termination¶
- CVE: CVE-2023-22617
- Date: 20th of January 2023
- Affects: PowerDNS Recursor 4.8.0
- Not affected: PowerDNS Recursor < 4.8.0, PowerDNS Recursor 4.8.1
- Severity: High
- Impact: Denial of service
- Exploit: This problem can be triggered by a remote attacker with access to the recursor by querying names from specific mis-configured domains
- Risk of system compromise: None
- Solution: Upgrade to patched version
An issue in the processing of queries for misconfigured domains has been found in PowerDNS Recursor 4.8.0, allowing a remote attacker to crash the recursor by sending a DNS query for one of these domains. The issue happens because the recursor enters a unbounded loop, exceeding its stack memory. Because of the specific way in which this issue happens, we do not believe this issue to be exploitable for code execution.
PowerDNS Recursor versions before 4.8.0 are not affected.
Note that when the PowerDNS Recursor is run inside a supervisor like supervisord or systemd, a crash will lead to an automatic restart, limiting the impact to a somewhat degraded service.
CVSS 3.0 score: 8.2 (High) https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:H/RL:U/RC:C
Thanks to applied-privacy.net for reporting this issue and their assistance in diagnosing it.
Navigation
© Copyright PowerDNS.COM BV. Created using Sphinx.