CVE-2024-25581: 
Linux Debian vulnerability analysis and mitigation

CVE-2024-25581 is a vulnerability in PowerDNS DNSdist software versions 1.9.0 through 1.9.3, discovered by Daniel Stirnimann from Switch and disclosed on May 13th, 2024. The vulnerability affects DNSdist's handling of DNS over HTTPS (DoH) requests when using the nghttp2 provider. It has been assigned a CVSS score of 7.5 (High), though this severity only applies to specific configurations where incoming DoH is enabled and a TCP-only/DoT backend is enabled (PowerDNS Advisory).

The vulnerability occurs when incoming DNS over HTTPS support is enabled using the nghttp2 provider and queries are routed to a tcp-only or DNS over TLS backend. An attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS. Importantly, DNS over HTTPS is not enabled by default, and backends typically use plain DNS (Do53) by default, which limits the exposure to this vulnerability under standard configurations (PowerDNS Advisory, Security Online).

When successfully exploited, the vulnerability leads to a denial of service condition as the DNSdist process stops abruptly. This can potentially disrupt DNS resolution services for large-scale service providers, including internet service providers (ISPs) and hosting providers (Security Online).

PowerDNS has released DNSdist version 1.9.4 to address this vulnerability. For users unable to upgrade immediately, two workarounds are available: 1) Refuse incoming XFR requests via a DNSdist rule using 'addAction(OrRule({QTypeRule(DNSQType.AXFR), QTypeRule(DNSQType.IXFR)}), RCodeAction(DNSRCode.REFUSED))' or 2) Switch to the legacy h2o provider by setting 'library='h2o'' in the addDOHLocal directive. Additionally, a minimal patch is available for version 1.9.3 (PowerDNS Advisory, OSS Security).