CVE-2026-33254 Overview
CVE-2026-33254 affects PowerDNS DNSdist, an open-source DNS load balancer. An attacker can open a large number of concurrent DNS-over-QUIC (DoQ) or DNS-over-HTTP/3 (DoH3) connections to trigger unlimited memory allocation. The unbounded allocation exhausts host memory and causes a denial of service against the resolver.
The issue is tracked under [CWE-770: Allocation of Resources Without Limits or Throttling]. DoQ and DoH3 are disabled by default in DNSdist, which limits exposure to deployments that explicitly enable these protocols.
Critical Impact
Remote, unauthenticated attackers can exhaust DNSdist host memory through concurrent DoQ or DoH3 connections, disrupting DNS resolution for downstream clients.
Affected Products
- PowerDNS DNSdist (versions with DoQ/DoH3 support enabled)
- Deployments using cpe:2.3:a:powerdns:dnsdist
- DNS infrastructure exposing QUIC-based DNS endpoints
Discovery Timeline
- 2026-04-22 - CVE-2026-33254 published to NVD
- 2026-04-27 - Last updated in NVD database
- Vendor advisory - DNSDist Security Advisory PowerDNS Advisory for DNSdist 2026-04
Technical Details for CVE-2026-33254
Vulnerability Analysis
DNSdist accepts DNS queries over multiple transports, including DoQ and DoH3, both built on the QUIC protocol. The vulnerability stems from missing connection-state and memory-allocation limits on these QUIC-based listeners.
When a client initiates a new DoQ or DoH3 connection, DNSdist allocates memory to track session state, streams, and pending queries. The code path does not cap the number of concurrent connections or the cumulative memory those connections may hold. An attacker scripting concurrent connection attempts forces DNSdist to allocate memory linearly with each new connection until the operating system kills the process or the host becomes unresponsive.
The flaw maps to [CWE-770]. Confidentiality and integrity are not affected, but availability is fully compromised on impacted instances.
Root Cause
The root cause is missing resource throttling on QUIC-based listeners. DNSdist does not enforce an upper bound on concurrent DoQ/DoH3 sessions or on the memory those sessions consume. Without quotas, an external attacker controls allocation behavior on the server.
Attack Vector
Exploitation requires only network reachability to a DNSdist instance with DoQ (UDP/853) or DoH3 (UDP/443 with HTTP/3) enabled. No authentication or user interaction is required. An attacker generates a high volume of concurrent QUIC handshakes and keeps connections open, holding allocated memory until the daemon is killed by the kernel out-of-memory handler.
No public exploit code or proof-of-concept has been published. Refer to the PowerDNS Advisory for DNSdist 2026-04 for vendor-supplied technical detail.
Detection Methods for CVE-2026-33254
Indicators of Compromise
- Sudden growth in resident memory used by the dnsdist process beyond historical baselines.
- High counts of concurrent QUIC connections on UDP/853 (DoQ) or UDP/443 (DoH3) from a small number of source IPs.
- Kernel out-of-memory (OOM) killer events terminating dnsdist.
- Increased DNS resolution latency or query failures reported by downstream clients.
Detection Strategies
- Alert when DNSdist process RSS exceeds a configured threshold or grows faster than a defined rate.
- Monitor QUIC connection counts per source IP and per listener using flow telemetry or eBPF probes.
- Correlate DNSdist restarts with spikes in inbound UDP traffic on DoQ/DoH3 ports.
Monitoring Recommendations
- Export DNSdist metrics through its built-in carbon or Prometheus endpoints and track udp-in-errors, queued queries, and memory counters.
- Ingest host-level OOM-killer syslog events into your SIEM and alert on dnsdist matches.
- Baseline normal DoQ/DoH3 client populations and alert on deviations in unique source counts or connection rates.
How to Mitigate CVE-2026-33254
Immediate Actions Required
- Upgrade DNSdist to the fixed release identified in the PowerDNS Advisory for DNSdist 2026-04.
- If DoQ and DoH3 are not required, confirm they remain disabled in your configuration.
- Restrict inbound UDP/853 and UDP/443 (QUIC) access to DNSdist using network ACLs or firewall rules.
Patch Information
PowerDNS released a fixed version of DNSdist alongside advisory powerdns-advisory-for-dnsdist-2026-04. Apply the vendor-supplied package update for your distribution. Validate the deployed version after upgrade and restart the dnsdist service to load the patched binary.
Workarounds
- Disable the DoQ listener by removing addDOQLocal() directives from dnsdist.conf.
- Disable the DoH3 listener by removing addDOH3Local() directives from dnsdist.conf.
- Place a rate-limiting reverse proxy or QUIC-aware load balancer in front of DNSdist to cap concurrent connections per source.
- Apply host-level resource limits via systemd unit MemoryMax= to bound the blast radius until patching completes.
# Configuration example: disable DoQ/DoH3 listeners in dnsdist.conf
# Comment out or remove any QUIC-based listeners
-- addDOQLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")
-- addDOH3Local("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")
# Optional: bound dnsdist memory via systemd override
# /etc/systemd/system/dnsdist.service.d/override.conf
[Service]
MemoryMax=2G
Restart=on-failure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
