CVE-2026-33596 Overview
CVE-2026-33596 affects PowerDNS DNSdist, a DNS load balancer used in front of authoritative and recursive DNS resolvers. A client on an adjacent network can theoretically cause a mismatch between queries sent to a backend and the responses received by flooding DNSdist with perfectly timed queries routed to a TCP-only or DNS over TLS (DoT) backend. The flaw is tracked under CWE-190 (Integer Overflow or Wraparound) and impacts availability of DNS resolution.
Critical Impact
Attackers on an adjacent network can disrupt DNS query/response correlation, leading to high availability impact on DNSdist deployments fronting TCP-only or DoT backends.
Affected Products
- PowerDNS DNSdist (versions prior to the fix referenced in the vendor advisory)
- DNSdist deployments routing traffic to TCP-only backends
- DNSdist deployments routing traffic to DNS over TLS (DoT) backends
Discovery Timeline
- 2026-04-22 - CVE-2026-33596 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-33596
Vulnerability Analysis
The vulnerability resides in how DNSdist tracks outstanding queries forwarded to TCP-only or DoT backends. When a client sends a precisely timed flood of queries, an internal counter or identifier used to correlate queries with their responses can wrap around. The wraparound allows two different in-flight queries to share the same correlation state. As a result, DNSdist may deliver a backend response to the wrong client query.
The issue is classified as [CWE-190] Integer Overflow or Wraparound. It does not provide direct code execution or data exfiltration. The practical consequence is a denial-of-service condition affecting DNS resolution reliability for clients of an affected DNSdist instance.
Root Cause
The root cause is the absence of sufficient bounds checking on the identifier or counter used to match TCP and DoT queries to their responses. Under high, precisely timed query rates, the value wraps within the window of outstanding queries, producing duplicate correlation identifiers and breaking the one-to-one mapping between request and reply.
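The following C++ simulation is an added illustration of the CWE-190 pattern described above; it is not DNSdist's code and does not claim to reproduce its internals. The 16-bit counter width, the class names NaiveTable and CheckedTable, and the simulate_flood scenario are assumptions chosen to make the wraparound reproducible in a few lines. It contrasts an allocator that takes the next counter value unchecked with one that refuses to reuse an identifier still in flight and rejects new queries when the identifier space is exhausted.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <unordered_map>

// Illustrative model only (not DNSdist's code): a table of in-flight queries keyed by
// a correlation ID taken from a running counter. The 16-bit width is an assumption
// chosen so the wraparound is reproducible in a small simulation.

constexpr uint32_t CLIENT_A = 1;   // the victim whose response is still pending
constexpr uint32_t CLIENT_B = 2;   // the source of the timed flood
constexpr size_t ID_SPACE = 65536; // number of distinct 16-bit IDs

// Naive allocator: hands out the next counter value with no check of the
// outstanding window. After 65536 allocations the counter wraps and an ID still
// owned by a pending query is reused, so the pending entry is overwritten.
class NaiveTable {
public:
    uint16_t add(uint32_t client) {
        uint16_t id = next_++;   // silent wraparound (CWE-190)
        table_[id] = client;     // clobbers any pending entry with the same id
        return id;
    }
    std::optional<uint32_t> match(uint16_t id) {
        auto it = table_.find(id);
        if (it == table_.end()) return std::nullopt;
        uint32_t client = it->second;
        table_.erase(it);
        return client;
    }
private:
    uint16_t next_ = 0;
    std::unordered_map<uint16_t, uint32_t> table_;
};

// Checked allocator: never reuses an ID that is still outstanding, and refuses the
// query when the whole ID space is in use so the caller can apply backpressure.
class CheckedTable {
public:
    std::optional<uint16_t> add(uint32_t client) {
        if (table_.size() >= ID_SPACE) return std::nullopt;  // window full
        while (table_.count(next_) != 0) ++next_;            // skip IDs still in flight
        uint16_t id = next_++;
        table_[id] = client;
        return id;
    }
    std::optional<uint32_t> match(uint16_t id) {
        auto it = table_.find(id);
        if (it == table_.end()) return std::nullopt;
        uint32_t client = it->second;
        table_.erase(it);
        return client;
    }
private:
    uint16_t next_ = 0;
    std::unordered_map<uint16_t, uint32_t> table_;
};

struct SimResult {
    bool naive_misdelivered;    // did the naive table hand A's response to B?
    bool checked_misdelivered;  // same question for the checked table
    size_t checked_refused;     // how many flood queries the checked table rejected
};

// Scenario: client A sends one query whose response is slow to arrive, then client B
// sends `flood_size` queries that receive no responses yet. Finally A's response
// arrives and is matched by the ID A was given.
SimResult simulate_flood(size_t flood_size) {
    NaiveTable naive;
    CheckedTable checked;
    SimResult r{false, false, 0};

    uint16_t naive_id = naive.add(CLIENT_A);
    uint16_t checked_id = *checked.add(CLIENT_A);

    for (size_t i = 0; i < flood_size; ++i) {
        naive.add(CLIENT_B);
        if (!checked.add(CLIENT_B)) ++r.checked_refused;
    }

    auto n = naive.match(naive_id);
    r.naive_misdelivered = !n || *n != CLIENT_A;
    auto c = checked.match(checked_id);
    r.checked_misdelivered = !c || *c != CLIENT_A;
    return r;
}
```

With a flood one query short of the ID space the naive table still answers correctly; one more query wraps the counter onto A's slot and the response is delivered to B. The checked table instead refuses the queries that would exceed the window, which is the behaviour an operator's rate limiting is meant to enforce from the outside.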
Attack Vector
Exploitation requires network access adjacent to the DNSdist instance and the ability to send a sustained flood of DNS queries that are routed by DNSdist policy to a TCP-only or DoT backend. No authentication or user interaction is required. The attacker must time queries precisely to trigger the wraparound condition, which limits opportunistic exploitation. Refer to the DNSdist Security Advisory for protocol-level details.
No public proof-of-concept code is available. The vulnerability is described in prose only by the vendor.
Detection Methods for CVE-2026-33596
Indicators of Compromise
- Sustained, high-rate DNS query bursts from a single adjacent-network source directed at the DNSdist listener
- Elevated counts of TCP or DoT backend connections relative to baseline
- Client-side DNS resolution errors, SERVFAIL responses, or responses with mismatched transaction IDs
- Spikes in DNSdist's frontend-noerror or backend response latency metrics during query floods
Detection Strategies
- Monitor DNSdist's built-in statistics (dnsdist console showServers() and topQueries()) for abnormal TCP/DoT query rates per backend
- Correlate client-reported DNS anomalies with traffic volume to TCP-only or DoT backends
- Apply network IDS rules to flag unusually high DNS query rates from single sources on the adjacent network segment
Monitoring Recommendations
- Export DNSdist Prometheus metrics and alert on sudden increases in tcp-queries and dot-queries counters
- Log and review backend connection churn for TCP-only and DoT backends
- Capture packet samples at the DNSdist frontend during alerts to verify timing patterns consistent with the flood scenario
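As an added example of the per-source rate check behind the detection and monitoring recommendations above (not part of the original advisory, and not DNSdist's own logging or metrics format), the C++ below runs a trailing one-second window over constructed query records and flags any source whose TCP- or DoT-routed query count exceeds a threshold. The record layout ("<timestamp_ms> <source_ip> <transport>"), the make_sample data and the detect_bursts function are invented for this illustration.

```cpp
#include <cstdint>
#include <deque>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Constructed query records, one per line: "<timestamp_ms> <source_ip> <transport>".
// This is an invented layout for the example, not DNSdist's log or metrics format.
// Within each source the timestamps are non-decreasing, which the detector assumes.
std::string make_sample() {
    std::ostringstream out;
    // Background: 10.0.0.9 sends one TCP-routed query every 200 ms for 5 s (25 queries).
    for (int i = 0; i < 25; ++i)
        out << (1000 + i * 200) << " 10.0.0.9 tcp\n";
    // Burst: 10.0.0.5 sends 300 DoT-routed queries within 500 ms.
    for (int i = 0; i < 300; ++i)
        out << (3000 + (i * 500) / 300) << " 10.0.0.5 dot\n";
    // UDP-routed traffic from the same source is outside the advisory's scope and is ignored.
    for (int i = 0; i < 50; ++i)
        out << (3000 + i) << " 10.0.0.5 udp\n";
    return out.str();
}

struct Alert {
    std::string src;
    uint64_t at_ms;   // timestamp of the query that pushed the window over the threshold
    size_t count;     // queries from src within the trailing 1 s window at that moment
};

// Flags a source whose TCP/DoT-routed query count in any trailing 1 s window exceeds
// `threshold`. Each source is reported at most once so a long flood yields one alert.
std::vector<Alert> detect_bursts(const std::string& records, size_t threshold) {
    std::map<std::string, std::deque<uint64_t>> windows;  // per-source timestamps in window
    std::set<std::string> already;                        // sources already reported
    std::vector<Alert> alerts;
    std::istringstream in(records);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream f(line);
        uint64_t ts;
        std::string src, proto;
        if (!(f >> ts >> src >> proto)) continue;         // skip malformed lines
        if (proto != "tcp" && proto != "dot") continue;    // only backends the advisory covers
        auto& w = windows[src];
        w.push_back(ts);
        while (!w.empty() && w.front() + 1000 <= ts) w.pop_front();  // keep trailing 1 s
        if (w.size() > threshold && already.insert(src).second)
            alerts.push_back({src, ts, w.size()});
    }
    return alerts;
}
```

With a threshold of 200 queries per second only the bursting source is reported, at the 201st query of its burst; lowering the threshold to 4 also catches the background source, which peaks at 5 queries in a second. In production the threshold should be set from the baseline per-client TCP/DoT rate rather than a fixed number.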
How to Mitigate CVE-2026-33596
Immediate Actions Required
- Apply the patched DNSdist release referenced in the PowerDNS DNSdist Security Advisory 2026-04
- Restrict DNSdist frontend exposure to trusted client networks using ACLs
- Enable rate limiting for inbound DNS queries to reduce the feasibility of timed floods
Patch Information
PowerDNS published a fixed version of DNSdist in advisory powerdns-advisory-for-dnsdist-2026-04. Operators should upgrade to the version listed in that advisory. The patch corrects the correlation logic for queries forwarded to TCP-only and DoT backends.
Workarounds
- Where possible, route backend traffic over UDP or DNS over HTTPS (DoH) until the patch is applied
- Tighten the DNSdist setACL() configuration to permit only known client subnets
- Configure DNSdist query rate limiting using addAction() with MaxQPSIPRule() to throttle abusive sources
-- Configuration example (dnsdist.conf is Lua, so comments use "--"): restrict the ACL and drop sources exceeding a per-IP QPS limit
setACL({"10.0.0.0/8", "192.168.0.0/16"})
addAction(MaxQPSIPRule(100), DropAction())
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.