CVE-2026-42004 Overview
CVE-2026-42004 affects PowerDNS DNSdist, a DNS load balancer and traffic manager. An attacker can craft a malformed Extension Mechanisms for DNS (EDNS) OPT record that DNSdist's filtering rules ignore. When DNSdist subsequently inserts an EDNS Client Subnet (ECS) option, it rewrites the malformed record into a valid OPT record. The backend resolver then processes EDNS options that DNSdist failed to filter, defeating the proxy's filtering policy.
Critical Impact
Crafted EDNS OPT records bypass DNSdist filtering rules, allowing attacker-controlled EDNS options to reach backend DNS servers when ECS rewriting is enabled.
Affected Products
- PowerDNS DNSdist (refer to the dnsdist Security Advisory for affected versions)
Discovery Timeline
- 2026-06-25 - CVE-2026-42004 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-42004
Vulnerability Analysis
DNSdist inspects EDNS OPT records to enforce filtering rules against specific EDNS options. The vulnerability arises when an attacker submits a query containing a malformed OPT record that DNSdist parses as unprocessable and ignores. DNSdist then proceeds to insert an EDNS Client Subnet option into the same OPT record. The insertion logic reconstructs the OPT record into a syntactically valid form, preserving the attacker-supplied option payloads. The backend DNS server, receiving a now-valid OPT record, processes every EDNS option present, including those the operator's filtering rules intended to strip.
The issue represents a parser differential between the filtering path and the rewriting path. The filter treats the input as invalid and skips it. The rewriter normalizes the same input into a valid record. This inconsistency converts a discarded structure into an authoritative one without re-applying policy.
Root Cause
The root cause is inconsistent handling of malformed EDNS OPT records between the filtering subsystem and the ECS insertion subsystem. Filtering logic should either reject queries containing unparseable OPT records or apply the same normalization used by the rewriter before evaluation. The absence of a unified parsing model creates a Protocol Vulnerability classified under DNS option handling.
Attack Vector
An unauthenticated remote attacker sends a DNS query with a crafted EDNS OPT record to a DNSdist instance configured to perform ECS insertion toward backend resolvers. No authentication or user interaction is required, though attack complexity is high because the deployment must use ECS rewriting. Successful exploitation delivers attacker-chosen EDNS options to the backend, which may influence backend behavior or downstream responses.
No verified public proof-of-concept code is available. See the dnsdist Security Advisory for technical specifics published by the vendor.
Detection Methods for CVE-2026-42004
Indicators of Compromise
- Inbound DNS queries containing OPT records with malformed option lengths or truncated option data targeting DNSdist frontends.
- Backend DNS query logs showing EDNS options that DNSdist policy is configured to strip or block.
- Unexpected discrepancies between DNSdist query logs and backend resolver logs regarding present EDNS options.
Detection Strategies
- Compare EDNS option sets observed at DNSdist ingress with those forwarded to backends to identify filtering bypass.
- Deploy DNS-aware network sensors that decode OPT records and alert on structurally invalid option encodings.
- Enable verbose DNSdist logging for EDNS handling and correlate with backend resolver query logs in a central data lake.
Monitoring Recommendations
- Monitor for repeated queries from single sources containing malformed OPT records, indicating probing or exploitation attempts.
- Track backend resolver telemetry for unusual ECS values, unknown EDNS option codes, or unexpected option ordering.
- Alert on configuration drift in DNSdist rule sets that govern OPT record filtering.
How to Mitigate CVE-2026-42004
Immediate Actions Required
- Apply the patched DNSdist release referenced in the dnsdist Security Advisory as soon as practical.
- Audit DNSdist configurations to identify instances performing ECS insertion toward backend resolvers.
- Restrict DNSdist exposure to trusted client networks where feasible until patching completes.
Patch Information
PowerDNS published a security advisory for DNSdist tracked as powerdns-advisory-for-dnsdist-2026-09. Operators should consult the official advisory for the fixed version numbers and upgrade instructions specific to their installed release.
Workarounds
- Disable EDNS Client Subnet insertion in DNSdist if the deployment does not require ECS forwarding to backends.
- Configure upstream network filtering or rate limiting for DNS clients submitting malformed EDNS option payloads.
- Place backend resolvers behind additional EDNS-aware validation that drops queries containing unexpected option codes.
# Example: disable ECS insertion on a DNSdist backend pool
# Review against your production configuration before applying
# setECSOverride(false)
# setECSSourcePrefixV4(0)
# setECSSourcePrefixV6(0)
# Refer to the official advisory for the recommended remediation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

