PowerDNS is een DNS-server met een database als backend, waardoor het beheer van een groot aantal DNS-entries op een gemakkelijke manier kan plaatsvinden. De ontwikkelaars hebben eerder besloten om de twee delen waaruit PowerDNS bestaat, een recursor en een authoritative nameserver, apart uit te geven, waardoor sneller en gerichter een nieuwe versie kan worden uitgebracht, aldus de ontwikkelaars.Today we have released PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1. These releases fix PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in Recursor:
PowerDNS Security Advisory 2025-06: Crafted delegations or IP fragments can poison cached delegations in RecursorCVE: CVE-2025-59023
Date: 15th October 2025
Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and 5.3.0
Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1
Severity: High
Impact: Cache pollution
Exploit: This problem can be triggered by an attacker spoofing crafted delegations
Risk of system compromise: None
Solution: Upgrade to patched version
CVSS Score: 8.2, see here for more information
CVE: CVE-2025-59024
Date: 15th October 2025
Affects: PowerDNS Recursor up to and including 5.1.7, 5.2.5 and 5.3.0
Not affected: PowerDNS Recursor 5.1.8, 5.2.6 and 5.3.1
Severity: Medium
Impact: Cache pollution
Exploit: This problem can be triggered by an attacker using an UDP IP fragments attack
Risk of system compromise: None
Solution: Upgrade to patched version
CVSS Score: 6.5 see here for more information
It has been brought to our attention that the Recursor does not apply strict enough validation of received delegation information. The malicious delegation information can be sent by an attacker spoofing packets.
The updated versions of the Recursor apply strict validation of the received delegation information from authoritative servers. In versions 5.2.6 and 5.3.1 the already existing validations are tightened further, while version 5.1.8 contains a full backport of the strict validations. Note that other vendors will release updated software to fix similar issues as well. Please refer to the changelogs (5.1.8, 5.2.6 and 5.3.1) for additional details. Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.
The tarballs (5.1.8, 5.2.6, 5.3.1) (with signature files 5.1.8, 5.2.6, 5.3.1) are available from our download server and packages for several distributions are available from our repository. Recently we made changes to our Open Source End of Life policy. Older release trains are now supported for one year after the following major release. Consult the EOL policy for more details.
:strip_exif()/i/2006448326.png?f=thumbmedium)