CVE-2024-25581 Overview
CVE-2024-25581 is a denial-of-service vulnerability in PowerDNS DNSdist. The flaw exists when incoming DNS over HTTPS (DoH) support is enabled using the nghttp2 provider and queries are routed to a TCP-only or DNS over TLS (DoT) backend. An attacker can trigger an assertion failure by sending a zone transfer request (AXFR or IXFR) over DoH, causing the DNSdist process to stop. The vulnerability is classified as Improper Input Validation [CWE-20]. DoH is not enabled by default, and backends use plain DNS (Do53) by default, limiting the exposed configuration footprint.
Critical Impact
A single unauthenticated DoH request containing an AXFR or IXFR query can crash the DNSdist process, interrupting DNS resolution for all downstream clients.
Affected Products
- PowerDNS DNSdist with incoming DoH enabled via the nghttp2 provider
- DNSdist deployments routing queries to TCP-only backends
- DNSdist deployments routing queries to DNS over TLS backends
Discovery Timeline
- 2024-05-14 - CVE-2024-25581 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-25581
Vulnerability Analysis
DNSdist is a DNS load balancer that proxies queries between clients and authoritative or recursive backends. The vulnerability surfaces during a specific protocol-translation path: a client sends a query over DoH using the nghttp2 HTTP/2 provider, and DNSdist forwards that query to a backend reachable only via TCP or DoT.
Zone transfer queries (AXFR and IXFR) require persistent TCP semantics with multi-message responses. DNSdist's DoH-to-TCP translation logic does not correctly handle these query types. When the code path encounters an AXFR or IXFR query that must be relayed to a stream-oriented backend, an internal invariant fails and the process aborts on an assertion. This terminates the daemon and halts DNS service for every client behind the proxy.
Root Cause
The root cause is improper input validation [CWE-20] in DNSdist. The DoH ingestion path accepts request types that the downstream TCP or DoT relay path cannot service. Rather than rejecting the unsupported query and returning an error, DNSdist proceeds until reaching a runtime assertion that enforces state assumptions, leading to abnormal termination.
Attack Vector
Exploitation requires no authentication, no user interaction, and only network access to the DoH listener. An attacker constructs a DNS query with QTYPE set to AXFR (252) or IXFR (251) and submits it through the DoH endpoint. If DNSdist is configured to forward to a TCP-only or DoT backend, the assertion fires and the process exits. The attack is remotely repeatable against any DNSdist instance with the vulnerable configuration. Refer to the DNSDist Security Advisory 2024-03 for protocol-level technical details.
Detection Methods for CVE-2024-25581
Indicators of Compromise
- Unexpected DNSdist process termination accompanied by assertion failure messages in system logs or core dumps.
- DoH access logs containing requests with QTYPE 252 (AXFR) or QTYPE 251 (IXFR) from clients that are not authorized zone transfer peers.
- Sudden drops in DNS query throughput correlated with DoH listener activity from a single source.
Detection Strategies
- Inspect DoH request logs for zone transfer query types originating from arbitrary external clients.
- Correlate DNSdist crash events with preceding DoH traffic patterns using centralized logging.
- Alert on repeated DNSdist service restarts within short time windows, which indicates exploitation attempts.
Monitoring Recommendations
- Enable verbose DoH query logging on DNSdist and forward logs to a SIEM for retention and search.
- Monitor process uptime and restart counters for the DNSdist daemon via systemd or equivalent supervisors.
- Track backend protocol distribution (Do53 vs TCP vs DoT) to identify deployments matching the vulnerable configuration.
How to Mitigate CVE-2024-25581
Immediate Actions Required
- Upgrade DNSdist to a fixed release listed in DNSDist Security Advisory 2024-03.
- Audit DNSdist configuration files for addDOHLocal() directives combined with TCP-only or DoT backend declarations.
- Restrict access to DoH listeners using network ACLs while patching is scheduled.
Patch Information
The PowerDNS project published fixed DNSdist versions in conjunction with the security advisory. Administrators should review the DNSDist Security Advisory 2024-03 and the OpenWall OSS Security Discussion for the exact fixed version numbers applicable to their deployment.
Workarounds
- Disable incoming DoH support if it is not required, returning DNSdist to its default non-vulnerable state.
- Switch the DoH provider away from nghttp2 if an alternative provider is supported in your build.
- Route DoH traffic only to Do53 backends until the patch is applied, since plain DNS backends are not affected.
- Filter AXFR and IXFR query types at the DoH ingress using DNSdist rules that drop these QTYPEs before backend selection.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

