Impact
The vulnerability arises when DNSdist incorrectly handles EDNS OPT records. An attacker can send a crafted OPT record that is initially ignored by DNSdist’s filtering logic but is rewritten as a valid OPT record when the server appends an EDNS Client Subnet option. The rewritten OPT record is then forwarded to the backend DNS server, bypassing upstream filtering. This behavior corresponds to CWE‑115, which describes inconsistent protocol logic.
Affected Systems
The flaw impacts all installations of PowerDNS DNSdist that rely on the default OPT filtering and EDNS Client Subnet handling, regardless of version. Any instance that forwards queries to a backend DNS server without custom filtering is susceptible.
Risk and Exploitability
The CVSS score is 3.7, indicating low overall severity. No EPSS data is available and the flaw is not listed in CISA’s KEV catalog. Exploitation requires only the ability to send a crafted DNS query to a reachable DNSdist instance; no special privileges or authentication are needed. Because the underlying weakness is a logic error in handling EDNS options (CWE‑115), an attacker could cause the backend to receive options that were intended to be suppressed, potentially enabling side‑channel data leakage or other unintended processing.
OpenCVE Enrichment
Debian DSA