For Security Advisories, see the dedicated page.
If you have a security problem to report, please email us at both peter.van.dijk@powerdns.com and remi.gacogne@powerdns.com. In case you want to encrypt your report using PGP, please use: https://doc.powerdns.com/powerdns-keyblock.asc
Please do not mail security issues to public lists, nor file a ticket, unless we do not get back to you in a timely manner. We fully credit reporters of security issues, and respond quickly, but please allow us a reasonable timeframe to coordinate a response.
We remind PowerDNS and dnsdist users that under the terms of the GNU General Public License, PowerDNS and dnsdist come with ABSOLUTELY NO WARRANTY. This license is included in this documentation.
If you believe you have found a security vulnerability that applies to DNS implementations generally, and you want to report this responsibly to a number of implementers, you might consider also using the Open Source DNS Vulnerability mailing list, managed by DNS-OARC.
Security issues can also be reported on our YesWeHack page and might fetch a bounty. Do note that only the PowerDNS software is in scope for the YesWeHack program, not our websites or other infrastructure.
The PowerDNS Recursor uses a fresh UDP source port for each outgoing query, making spoofing around 64000 times harder.
This raises the bar from ‘easily doable given some time’ to ‘very hard’.
Under some circumstances, ‘some time’ has been measured at 2 seconds.
This technique was first used by dnscache by Dan J. Bernstein and is standardized in RFC 5452
In addition, PowerDNS detects when it is being sent too many unexpected answers, and mistrusts a proper answer if found within a clutch of unexpected ones.
This behaviour can be tuned using the spoof-nearmiss-max.
PowerDNS implements a very simple but effective nameserver. Care has been taken not to overload remote servers in case of overly active clients.
This is implemented using the ‘throttle’. This accounts all recent traffic and prevents queries that have been sent out recently from going out again.
There are three levels of throttling.
PowerDNS products can poll the security status of their respective versions. This polling, naturally, happens over DNS. If the result is that a given version has a security problem, the software will report this at level ‘Error’ during startup, and repeatedly during operations.
By default, security polling happens on the domain ‘secpoll.powerdns.com’, but this can be changed with the security-poll-suffix. If this setting is made empty, no polling will take place. Organizations wanting to host their own security zones can do so by changing this setting to a domain name under their control.
To make this easier, the zone used to host secpoll.powerdns.com is available.
To enable distributors of PowerDNS to signal that they have backported versions, the PACKAGEVERSION compilation-time macro can be used to set a distributor suffix.
PowerDNS software sadly sometimes has critical security bugs. Even though we send out notifications of these via all channels available, we find that not everybody actually find out about our security releases.
To solve this, PowerDNS software will start polling for security notifications, and log these periodically. Secondly, the security status of the software will be reported using the built-in metrics. This allows operators to poll for the PowerDNS security status and alert on it.
In the implementation of this idea, we have taken the unique role of operating system distributors into account. Specifically, we can deal with backported security fixes.
Finally, this feature can be disabled, or operators can have the automated queries point at their own status service.
PowerDNS software periodically tries to resolve ‘auth-x.y.z.security-status.secpoll.powerdns.com|TXT’ or ‘recursor-x.y.z.security-status.secpoll.powerdns.com’.
The data returned is in one of the following forms:
In cases 2 or 3, periodic logging commences. Case 2 can also be issued for non-security related upgrade recommendations for pre-releases. The metric security-status is set to 2 or 3 respectively. If at a later date, resolution fails, the security-status is not reset to 1. It could be lowered however if we discover the security status is less urgent than we thought.
If resolution fails, and the previous security-status was 1, the new security-status becomes 0 (‘no data’). If the security-status was greater than 1, it will remain that way, and not get set to 0.
In this way, security-status of 0 really means ‘no data’, and cannot mask a known problem.
Distributions frequently backport security fixes to the PowerDNS versions they ship. This might lead to a version number that is known to us to be insecure to be secure in reality.
To solve this issue, PowerDNS can be compiled with a distribution setting which will move the security polls from: ‘auth-x.y.z.security-status.secpoll.powerdns.com’ to ‘auth-x.y.z-n.debian.security-status.secpoll.powerdns.com.
Note two things, one, there is a separate namespace for debian, and secondly, we use the package version of this release. This allows us to know that 4.0.1-1 (say) is insecure, but that 4.0.1-2 is not.
The configuration setting security-poll-suffix is by default set to ‘secpoll.powerdns.com’. If empty, nothing is polled. This can be moved to ‘secpoll.yourorganization.com’.
If compiled with PACKAGEVERSION=3.1.6-abcde.debian, queries will be sent to “auth-3.1.6-abcde.debian.security-status.security-poll-suffix”.
If a distribution wants to host its own file with version information, we can delegate dist.security-status.secpoll.powerdns.com to their nameservers directly.