CVE-2026-24029 Overview
CVE-2026-24029 is an authorization bypass in DNSdist's DNS over HTTPS (DoH) frontend when that frontend is served by the nghttp2 provider. The early_acl_drop option (earlyACLDrop in the Lua configuration) defaults to enabled; when an operator sets it to false, the Access Control List (ACL) check is skipped entirely instead of being applied later in the request path. Every client can then send DoH queries to that frontend regardless of the configured ACL, defeating the intended source-address restriction.
Critical Impact
Clients outside the ACL can send DoH queries through the affected frontend and have them answered by the backends behind DNSdist. That turns the frontend into an effectively open DoH endpoint, usable for reconnaissance of the names those backends resolve, for data exfiltration over DNS tunneling, or simply for consuming resolver capacity.
Affected Products
- DNSdist DoH frontends served by the nghttp2 provider
- Only configurations in which early_acl_drop (YAML) or earlyACLDrop (Lua) has been explicitly set to false on such a frontend; the default (enabled) is not affected
Discovery Timeline
- 2026-03-31 - CVE CVE-2026-24029 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-24029
Vulnerability Analysis
This vulnerability falls under CWE-863 (Incorrect Authorization), where the software performs an authorization check but does so incorrectly, allowing attackers to bypass intended access restrictions. In the context of DNSdist, the ACL mechanism is designed to control which clients are permitted to send DNS queries to the server. However, when operating a DNS over HTTPS frontend with the nghttp2 provider, a specific configuration scenario causes this security control to be entirely bypassed.
The vulnerability is reachable over the network and requires no authentication or user interaction. Ordinary, well-formed DoH queries suffice: an attacker sends them from any address that can reach the frontend's TCP port, and the server processes them without the expected ACL validation. This is a significant gap for organizations that rely on the ACL to restrict which networks may query through DNSdist.
Root Cause
The root cause lies in the conditional logic handling the early_acl_drop option within the nghttp2 DoH provider code path. When this option is explicitly disabled (the default is enabled), the code path that performs ACL validation is skipped entirely rather than being deferred to a later stage. This means:
- Setting early_acl_drop to false was intended to defer the ACL check until after the connection has been accepted and the request parsed, not to skip it
- The nghttp2 provider implementation fails to perform the deferred ACL check
- All incoming DoH requests proceed without any source-based access control validation
Attack Vector
The attack vector is network-based with low complexity. An attacker can exploit this vulnerability by:
- Identifying a DNSdist server with DNS over HTTPS enabled using the nghttp2 provider
- Confirming that the target has early_acl_drop disabled, either from a leaked configuration or simply by trying a query from an address the ACL should reject
- Sending DoH queries from IP addresses that should be blocked by the configured ACL
- Receiving DNS responses despite coming from an address outside the ACL
An attacker who gets past the ACL this way can run unauthorized queries through the frontend: enumerate names the backends resolve (including internal zones if DNSdist fronts an internal resolver), move data in or out over DNS tunneling, or burn resolver capacity. Because DoH runs over TLS on TCP, the frontend cannot be turned into a reflection amplifier (the source address is not spoofable), but the encryption does mean that on-path network monitoring sees only TLS sessions; query-level visibility has to come from DNSdist's own logging.
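The trial mentioned above (query the frontend from an address the ACL should reject and see whether an answer comes back) can be scripted. The following is an added example, not code from the DNSdist project or from the advisory: it builds an RFC 8484 GET request by hand so that request construction and response interpretation run offline, and only probe() touches the network. The target URL, the query name and the lab-only option to skip TLS verification are assumptions.

```python
"""Check whether a dnsdist DoH frontend answers a query from this host.

Added example, not DNSdist project code. Run it from a client that the
frontend's ACL is supposed to reject; an 'answered' result (or any
'dns-rcode-N' result) means the query got past the ACL.
"""
import base64
import ssl
import struct
import urllib.error
import urllib.request

# Assumed target: a DoH frontend whose ACL should reject this client.
TARGET = "https://doh.example.test/dns-query"
QUERY_NAME = "www.example.com"


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query: 12-byte header (ID 0, RD set) plus one IN question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(base: str, name: str) -> str:
    """RFC 8484 GET form: the query, base64url-encoded without '=' padding."""
    param = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=")
    return f"{base}?dns={param.decode('ascii')}"


def decode_dns_param(param: str) -> bytes:
    """Inverse of the GET encoding, re-adding the padding RFC 8484 strips."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_response(wire: bytes) -> dict:
    """Pull ID, QR, RCODE and answer count out of a DNS response header."""
    if len(wire) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    return {"id": ident, "qr": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "ancount": an}


def classify(status: int, content_type: str, body: bytes) -> str:
    """Interpret an HTTP reply from the frontend (pure, so it can be tested).

    A 200 carrying a DNS message means the query was processed past the ACL:
    'answered' for NOERROR, otherwise 'dns-rcode-N'. Anything else (HTTP
    error, closed connection) is treated as the ACL having blocked us.
    """
    if status == 200 and content_type.startswith("application/dns-message"):
        r = parse_response(body)
        return "answered" if r["rcode"] == 0 else f"dns-rcode-{r['rcode']}"
    return f"http-{status}"


def probe(base: str = TARGET, name: str = QUERY_NAME, verify_tls: bool = True) -> str:
    """Send the GET request and classify what comes back."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab-only: accept a self-signed frontend certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(doh_get_url(base, name),
                                 headers={"Accept": "application/dns-message"})
    try:
        with urllib.request.urlopen(req, timeout=5, context=ctx) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, e.headers.get("Content-Type", ""), b"")
    except (urllib.error.URLError, ConnectionError, TimeoutError) as e:
        # With earlyACLDrop=true the frontend drops the connection right after
        # accept(), which usually shows up here as a reset or EOF, not a status.
        return f"connection-failed: {e}"


if __name__ == "__main__":
    print(probe())
```

Only the "answered" and "dns-rcode-N" outcomes are evidence of the bypass; how a correctly enforcing frontend rejects the client (a dropped connection with the early check, an HTTP error with the deferred one) varies, so the script lumps every non-answer together as blocked.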
Detection Methods for CVE-2026-24029
Indicators of Compromise
- DNS over HTTPS queries originating from IP addresses not in the configured ACL allowlist
- Unusual volume of DoH requests from previously blocked or unknown IP ranges
- DNS query logs showing responses to clients that should be denied based on ACL configuration
Detection Strategies
- Review DNSdist configuration files for DoH frontends with the option disabled: earlyACLDrop = false in the options table of an addDOHLocal() call in dnsdist.conf (Lua), or early_acl_drop: false in the YAML configuration
- Implement network monitoring to detect DoH traffic from unauthorized source IP addresses
- Enable query logging in DNSdist (for example a LogAction on the DoH frontend's queries, or verbose mode) so that client addresses are recorded, then correlate them with the ACL ranges
- Deploy IDS/IPS rules to alert on DNS over HTTPS traffic patterns from suspicious sources
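The configuration review above can be automated. The script below is an added example, not part of the DNSdist project: it scans the Lua form (an addDOHLocal() call whose options table contains earlyACLDrop = false) with a parenthesis-matching scan rather than a real Lua parser, and the YAML form (early_acl_drop: false) line by line. Both sample configurations are constructed; in the YAML fragment only the option name comes from the advisory, the surrounding keys are illustrative. The scan cannot tell which HTTP library a frontend uses, so treat every frontend it flags as affected.

```python
"""Audit dnsdist configuration text for DoH frontends with early ACL drop off.

Added example, not DNSdist project code. Sample inputs are constructed.
"""
import re
from typing import List, Tuple

SAMPLE_LUA = '''
-- constructed sample dnsdist.conf, not a real deployment
setACL({"192.0.2.0/24", "2001:db8::/32"})
addDOHLocal("0.0.0.0:443", "/etc/ssl/certs/server.crt", "/etc/ssl/private/server.key",
            { "/dns-query" }, { earlyACLDrop = true })
addDOHLocal("[::]:8443", "/etc/ssl/certs/server.crt", "/etc/ssl/private/server.key",
            { "/dns-query" },
            { earlyACLDrop = false })
-- addDOHLocal("127.0.0.1:9443", "c.pem", "k.pem", { "/" }, { earlyACLDrop = false })
'''

SAMPLE_YAML = """
# constructed fragment in the YAML configuration style; only the option name
# early_acl_drop comes from the advisory, the surrounding keys are illustrative
binds:
  - listen_address: "0.0.0.0:443"
    protocol: DoH
    doh:
      early_acl_drop: false
"""

EARLY_DROP_FALSE = re.compile(r"\bearlyACLDrop\s*=\s*false\b")
LISTEN_ADDR = re.compile(r'addDOHLocal\(\s*"([^"]+)"')
YAML_FALSE = re.compile(r"^\s*early_acl_drop\s*:\s*false\b", re.MULTILINE)


def strip_lua_line_comments(src: str) -> str:
    """Blank out '-- ...' to end of line, keeping newlines so line numbers hold.

    Block comments (--[[ ]]) and '--' inside string literals are not handled.
    """
    return re.sub(r"--.*", "", src)


def find_calls(src: str, func: str) -> List[Tuple[int, str]]:
    """Return (1-based line, call text) for every func(...) call, matching nested parens."""
    calls, pos = [], 0
    while True:
        start = src.find(func + "(", pos)
        if start < 0:
            return calls
        depth, i = 0, start + len(func)
        while i < len(src):
            if src[i] == "(":
                depth += 1
            elif src[i] == ")":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        calls.append((src.count("\n", 0, start) + 1, src[start:i + 1]))
        pos = i + 1


def audit_lua(src: str) -> List[Tuple[int, str]]:
    """(line, listen address) of each addDOHLocal() with earlyACLDrop = false."""
    findings = []
    for line, call in find_calls(strip_lua_line_comments(src), "addDOHLocal"):
        if EARLY_DROP_FALSE.search(call):
            m = LISTEN_ADDR.match(call)
            findings.append((line, m.group(1) if m else "?"))
    return findings


def audit_yaml(src: str) -> List[int]:
    """1-based line numbers of every uncommented 'early_acl_drop: false'."""
    return [src.count("\n", 0, m.start()) + 1 for m in YAML_FALSE.finditer(src)]


if __name__ == "__main__":
    for line, addr in audit_lua(SAMPLE_LUA):
        print(f"dnsdist.conf:{line}: DoH frontend {addr} has earlyACLDrop = false")
    for line in audit_yaml(SAMPLE_YAML):
        print(f"dnsdist.yml:{line}: early_acl_drop: false")
```

Point audit_lua() at the contents of each dnsdist.conf (and any file it includes) in your fleet; a non-empty result is a frontend to fix before or alongside the upgrade.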
Monitoring Recommendations
- Monitor DNSdist access logs for queries from IP addresses outside configured ACL ranges
- Set up alerting for configuration changes to early_acl_drop settings
- Implement regular configuration audits to ensure ACL settings remain properly enforced
- Track DNS query patterns for anomalies that might indicate unauthorized access
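The log review in the two lists above comes down to one check: pull the client address out of each query log line and test it against the ACL networks. The script below is an added example, not part of the DNSdist project. Its log lines are constructed in the "Got query for <name>|<type> from <ip>:<port> (<proto>)" shape that verbose mode prints, but only the "from <ip>:<port>" token is relied on, so it also works on other line formats that carry it; the ACL list is a constructed stand-in for a real setACL() list.

```python
"""Flag DoH clients in dnsdist logs that fall outside the configured ACL.

Added example, not DNSdist project code. Log lines and ACL are constructed.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed ACL; in practice copy the networks from setACL()/addACL().
ACL = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

SAMPLE_LOG = [
    "Got query for www.example.com.|A from 192.0.2.10:51234 (DoH)",
    "Got query for internal.corp.example.|A from 198.51.100.7:40021 (DoH)",
    "Got query for mail.example.com.|MX from [2001:db8:1::5]:40022 (DoH)",
    "Got query for internal.corp.example.|TXT from [2001:db9::1]:40023 (DoH)",
    "Got query for x9f3.tunnel.example.|TXT from 198.51.100.7:40024 (DoH)",
    "Marking downstream 10.0.0.53:53 as 'up'",
]

# 'from 192.0.2.10:51234' or 'from [2001:db8::1]:443' (dnsdist brackets IPv6).
CLIENT_RE = re.compile(
    r"\bfrom\s+(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3})):\d+\b"
)


def client_ip(line: str) -> Optional[IPAddr]:
    """Source address from a 'from IP:port' token, or None if the line has none."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m.group("v6") or m.group("v4"))


def allowed(ip: IPAddr, acl=ACL) -> bool:
    """True if the address lies inside any ACL network (mixed families compare False)."""
    return any(ip in net for net in acl)


def find_acl_violations(lines: List[str], acl=ACL) -> List[Dict[str, object]]:
    """Every query line whose client is outside the ACL, with 1-based line numbers."""
    hits = []
    for n, line in enumerate(lines, 1):
        ip = client_ip(line)
        if ip is not None and not allowed(ip, acl):
            hits.append({"line": n, "client": str(ip), "text": line})
    return hits


def count_by_client(violations) -> Dict[str, int]:
    """Query volume per offending client, highest first."""
    return dict(Counter(v["client"] for v in violations).most_common())


if __name__ == "__main__":
    bad = find_acl_violations(SAMPLE_LOG)
    for v in bad:
        print(f"line {v['line']}: {v['client']} not in ACL: {v['text']}")
    print(count_by_client(bad))
```

Any hit at all is a finding on a frontend that is supposed to enforce the ACL; the per-client counts are what to alert on for the "unusual volume from unknown ranges" indicator.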
How to Mitigate CVE-2026-24029
Immediate Actions Required
- Verify the early_acl_drop setting is enabled (default) on all DNS over HTTPS frontends using nghttp2
- Review and audit current DNSdist configurations for any DoH frontends with this option disabled
- Upgrade to the fixed DNSdist release named in the PowerDNS security advisory
- Consider temporarily disabling DoH frontends if ACL enforcement is critical and patching is not immediately possible
Patch Information
PowerDNS has released a security advisory addressing this vulnerability. Administrators should update DNSdist to the latest patched version as described in the DNSdist Security Advisory. The patch ensures that ACL checks are properly performed even when early_acl_drop is disabled, maintaining the intended deferred check behavior rather than skipping validation entirely.
Workarounds
- Ensure early_acl_drop remains enabled (default setting) on all DoH frontends using nghttp2
- Implement network-level access controls (firewall rules) as an additional layer of defense
- Use a reverse proxy with its own ACL enforcement in front of DNSdist DoH endpoints
- Only if your DNSdist build offers another DoH library, consider using it instead of nghttp2 until the fix is installed; re-enabling early ACL drop is the simpler and more reliable workaround
-- Configuration example (dnsdist.conf is Lua, so comments start with "--").
-- Ensure earlyACLDrop is enabled on every DoH frontend: set it to true
-- explicitly, or omit it, since true is the default.
addDOHLocal("0.0.0.0:443", "/etc/ssl/certs/server.crt", "/etc/ssl/private/server.key", { "/" }, { earlyACLDrop = true })
-- Verify the ACL itself. setACL() replaces the default list entirely, so it
-- must name every client range that is allowed to query.
setACL({"192.168.1.0/24", "10.0.0.0/8"})
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

