Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33596

CVE-2026-33596: PowerDNS Dnsdist DOS Vulnerability

CVE-2026-33596 is a denial of service flaw in PowerDNS Dnsdist caused by timed query floods to TCP or TLS backends. This article covers the technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2026-33596 Overview

CVE-2026-33596 affects PowerDNS DNSdist, a DNS load balancer used in front of authoritative and recursive DNS resolvers. A client on an adjacent network can theoretically cause a mismatch between queries sent to a backend and the responses received by flooding DNSdist with perfectly timed queries routed to a TCP-only or DNS over TLS (DoT) backend. The flaw is tracked under CWE-190 (Integer Overflow or Wraparound) and impacts availability of DNS resolution.

Critical Impact

Attackers on an adjacent network can disrupt DNS query/response correlation, leading to high availability impact on DNSdist deployments fronting TCP-only or DoT backends.

Affected Products

  • PowerDNS DNSdist (versions prior to the fix referenced in the vendor advisory)
  • DNSdist deployments routing traffic to TCP-only backends
  • DNSdist deployments routing traffic to DNS over TLS (DoT) backends

Discovery Timeline

  • 2026-04-22 - CVE-2026-33596 published to NVD
  • 2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-33596

Vulnerability Analysis

The vulnerability resides in how DNSdist tracks outstanding queries forwarded to TCP-only or DoT backends. When a client sends a precisely timed flood of queries, an internal counter or identifier used to correlate queries with their responses can wrap around. The wraparound allows two different in-flight queries to share the same correlation state. As a result, DNSdist may deliver a backend response to the wrong client query.

The issue is classified as [CWE-190] Integer Overflow or Wraparound. It does not provide direct code execution or data exfiltration. The practical consequence is a denial-of-service condition affecting DNS resolution reliability for clients of an affected DNSdist instance.

Root Cause

The root cause is the absence of sufficient bounds checking on the identifier or counter used to match TCP and DoT queries to their responses. Under high, precisely timed query rates, the value wraps within the window of outstanding queries, producing duplicate correlation identifiers and breaking the one-to-one mapping between request and reply.

Attack Vector

Exploitation requires network access adjacent to the DNSdist instance and the ability to send a sustained flood of DNS queries that are routed by DNSdist policy to a TCP-only or DoT backend. No authentication or user interaction is required. The attacker must time queries precisely to trigger the wraparound condition, which limits opportunistic exploitation. Refer to the DNSdist Security Advisory for protocol-level details.

No public proof-of-concept code is available. The vulnerability is described in prose only by the vendor.

Detection Methods for CVE-2026-33596

Indicators of Compromise

  • Sustained, high-rate DNS query bursts from a single adjacent-network source directed at the DNSdist listener
  • Elevated counts of TCP or DoT backend connections relative to baseline
  • Client-side DNS resolution errors, SERVFAIL responses, or responses with mismatched transaction IDs
  • Spikes in DNSdist's frontend-noerror or backend response latency metrics during query floods

Detection Strategies

  • Monitor DNSdist's built-in statistics (dnsdist console showServers() and topQueries()) for abnormal TCP/DoT query rates per backend
  • Correlate client-reported DNS anomalies with traffic volume to TCP-only or DoT backends
  • Apply network IDS rules to flag unusually high DNS query rates from single sources on the adjacent network segment

Monitoring Recommendations

  • Export DNSdist Prometheus metrics and alert on sudden increases in tcp-queries and dot-queries counters
  • Log and review backend connection churn for TCP-only and DoT backends
  • Capture packet samples at the DNSdist frontend during alerts to verify timing patterns consistent with the flood scenario

How to Mitigate CVE-2026-33596

Immediate Actions Required

  • Apply the patched DNSdist release referenced in the PowerDNS DNSdist Security Advisory 2026-04
  • Restrict DNSdist frontend exposure to trusted client networks using ACLs
  • Enable rate limiting for inbound DNS queries to reduce the feasibility of timed floods

Patch Information

PowerDNS published a fixed version of DNSdist in advisory powerdns-advisory-for-dnsdist-2026-04. Operators should upgrade to the version listed in that advisory. The patch corrects the correlation logic for queries forwarded to TCP-only and DoT backends.

Workarounds

  • Where possible, route backend traffic over UDP or DNS over HTTPS (DoH) until the patch is applied
  • Tighten the DNSdist setACL() configuration to permit only known client subnets
  • Configure DNSdist query rate limiting using addAction() with MaxQPSIPRule() to throttle abusive sources
bash
# Configuration example: restrict ACL and apply per-IP QPS limit in dnsdist.conf
setACL({"10.0.0.0/8", "192.168.0.0/16"})
addAction(MaxQPSIPRule(100), DropAction())

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.