PowerDNS Security Advisory 2020-01: Denial of Service
- CVE: CVE-2020-10995
- Date: May 19th 2020
- Affects: PowerDNS Recursor from 4.1.0 up to and including 4.3.0
- Not affected: 4.1.16, 4.2.2, 4.3.1
- Severity: Medium
- Impact: Degraded Service
- Exploit: This problem can be triggered via a crafted reply
- Risk of system compromise: No
- Solution: Upgrade to a non-affected version
- Workaround: None
An issue in the DNS protocol has been found that allows malicious parties to use recursive DNS services to attack third-party authoritative name servers. The attack uses a crafted reply from an authoritative name server to amplify the resulting traffic between the recursive server and other authoritative name servers. Both types of service can suffer degraded performance as a result.
This issue has been assigned CVE-2020-10995.
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 is affected. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue.
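The advisory describes the amplification only at a high level and does not say how the fixed versions limit it. The following added example (not code from the advisory or from the PowerDNS project) illustrates one way a recursor can bound the follow-up work a single reply causes: a referral that lists nameserver names without glue forces the recursor to issue an address lookup for each name before it can continue, so capping how many glueless names are followed per referral bounds how many outbound queries one reply can trigger. The `Referral` type, the `MAX_GLUELESS_PER_REFERRAL` cap and the sample data are constructed for this illustration and are not PowerDNS's actual data structures, setting names or policy.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Referral:
    """A delegation response: the zone being delegated, its NS names and
    any glue (address records) the response carried for those names.
    Hypothetical structure for illustration only."""
    zone: str
    ns_names: List[str]
    glue: Dict[str, str] = field(default_factory=dict)  # ns name -> address


def glueless_names(ref: Referral) -> List[str]:
    """NS names the recursor cannot contact without first resolving them."""
    return [name for name in ref.ns_names if name not in ref.glue]


def plan_address_lookups(ref: Referral, max_glueless: Optional[int]) -> List[str]:
    """NS names whose addresses the recursor will look up before continuing.
    max_glueless=None models an unbounded recursor that follows every
    glueless name; an integer caps how many names are followed per referral.
    This is an illustrative policy, not the project's implementation."""
    names = glueless_names(ref)
    if max_glueless is None:
        return names
    return names[:max_glueless]


def followup_queries(ref: Referral, max_glueless: Optional[int]) -> int:
    """Outbound address queries one referral causes, counting one lookup per
    followed name (a simplification: a real recursor may ask for A and AAAA)."""
    return len(plan_address_lookups(ref, max_glueless))


# Constructed sample data, not taken from the advisory.
# An ordinary referral: two nameservers, both with glue, so no extra work.
NORMAL_REFERRAL = Referral(
    zone="example.test.",
    ns_names=["ns1.example.test.", "ns2.example.test."],
    glue={"ns1.example.test.": "192.0.2.1", "ns2.example.test.": "192.0.2.2"},
)

# A referral whose NS names all lie in another domain and carry no glue:
# each name needs a further lookup at that other domain's servers.
CRAFTED_REFERRAL = Referral(
    zone="example.test.",
    ns_names=[f"ns{i}.other.test." for i in range(40)],
    glue={},
)

MAX_GLUELESS_PER_REFERRAL = 5  # hypothetical cap chosen for this example


def compare(ref: Referral) -> Dict[str, int]:
    """Follow-up queries caused by a referral under both policies."""
    return {
        "unbounded": followup_queries(ref, None),
        "bounded": followup_queries(ref, MAX_GLUELESS_PER_REFERRAL),
    }


if __name__ == "__main__":
    for label, ref in (("normal", NORMAL_REFERRAL), ("crafted", CRAFTED_REFERRAL)):
        print(label, compare(ref))
```

Run as a script, the normal referral causes no follow-up queries under either policy, while the glueless one causes 40 outbound lookups unbounded and 5 with the cap. The cap trades a small chance of missing a reachable nameserver in an unusually large delegation for a hard upper bound on the traffic one reply can generate towards another operator's servers, which is the degraded-service risk the advisory describes.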
Please note that at the time of writing, PowerDNS Recursor 4.0 and below are no longer supported, as described in https://doc.powerdns.com/recursor/appendices/EOL.html.
We would like to thank Lior Shafir, Yehuda Afek and Anat Bremler-Barr for finding and subsequently reporting this issue!