CVE-2005-0038

MEDIUM 5.0 / 10.0
Published: December 31, 2005 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

The DNS implementation of PowerDNS 2.9.16 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:N/I:N/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

PowerDNS versions 2.9.16 and earlier are vulnerable to a denial-of-service (DoS) attack due to a flaw in how they handle compressed DNS packets. Attackers can exploit this vulnerability by sending a specially crafted DNS packet that triggers an infinite loop, causing the DNS server to become unresponsive and disrupting network services. This vulnerability is relatively old, but could still be a problem if legacy systems are in use.

02 // Vulnerability Mechanism

Step 1: Payload Delivery: An attacker crafts a malicious DNS packet. This packet utilizes DNS compression, a feature designed to reduce packet size by referencing previously defined labels within the packet. The attacker specifically targets the compression mechanism.

Step 2: Malformed Compression: The attacker includes a compressed label whose pointer carries an invalid offset. The offset either points outside the packet's bounds or points to a location that, when followed, leads back to the same offset, creating a loop.

Step 3: Server Processing: The vulnerable PowerDNS server receives the malicious packet and begins to process it. The server attempts to decompress the DNS packet, following the offset pointers.

Step 4: Infinite Loop: Due to the invalid offset, the decompression process enters an infinite loop. The server repeatedly attempts to read from the same invalid location, never successfully resolving the DNS query.

Step 5: Denial of Service: The server consumes CPU resources and becomes unresponsive, unable to process legitimate DNS requests. This results in a denial of service for any clients relying on that DNS server.

03 // Deep Technical Analysis

The vulnerability lies in the DNS implementation's handling of compressed DNS packets. Specifically, the code fails to validate the offset value carried in a compression pointer before following it. When a malformed packet with an invalid offset is received, the offset points to an invalid location within the packet, so the decompression loop reads the same location again and again without ever reaching an end condition, and the server never finishes resolving the query. The root cause is a lack of bounds checking on the offset value used when decompressing the DNS packet, a logic error that allows an attacker to craft a packet that triggers an infinite loop and causes a denial of service (DoS).
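The following Python routine is an added illustration, not PowerDNS code or the page's own: a DNS name decompressor with the bounds check and backward-only pointer rule that turn the looping pointer described above into a rejected packet. It goes slightly beyond the self-referential case by also catching a two-step loop (label, then pointer back to its own start); the sample buffers are constructed for the demonstration and carry names only, no DNS header.

```python
# Added illustration, not PowerDNS code: the bounds and direction checks a DNS
# parser needs so a compression pointer with a bad offset is rejected instead of
# being followed forever (RFC 1035 section 4.1.4 name compression).

class MalformedName(ValueError):
    """Name is truncated, points out of bounds, or loops back on itself."""

def read_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at offset; return (dotted name, offset just after it).
    Every pointer must target an offset lower than any already visited, so the
    walk moves strictly backwards and cannot revisit a byte: a self-referential
    pointer, or one whose target leads back to it, fails on that hop."""
    labels, pos, lowest, resume = [], offset, offset, None
    while True:
        if pos >= len(packet):
            raise MalformedName(f"offset {pos} beyond {len(packet)}-byte packet")
        length = packet[pos]
        if length == 0:                       # root label ends the name
            return (".".join(labels) or "."), (pos + 1 if resume is None else resume)
        if length & 0xC0 == 0xC0:             # 11xxxxxx: compression pointer
            if pos + 1 >= len(packet):
                raise MalformedName("pointer truncated at end of packet")
            target = ((length & 0x3F) << 8) | packet[pos + 1]
            if target >= lowest:              # forward, self-referential or loop
                raise MalformedName(f"pointer at {pos} -> {target} not backwards")
            resume = pos + 2 if resume is None else resume
            pos = lowest = target
            continue
        if length > 63:                       # 01/10 prefixes are reserved
            raise MalformedName(f"bad label length 0x{length:02x} at {pos}")
        if pos + 1 + length > len(packet):
            raise MalformedName(f"label at {pos} runs past end of packet")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

def check_name(packet: bytes, offset: int) -> str:
    """Return 'ok' or the rejection reason, for tests and log lines."""
    try:
        read_name(packet, offset)
        return "ok"
    except MalformedName as exc:
        return f"rejected: {exc}"

# Constructed sample buffers (names only, no DNS header).
GOOD = b"\x07example\x03com\x00\x03www\xc0\x00"     # "www" then pointer to offset 0
SELF_POINTER = b"\x07example\x03com\x00\xc0\x0d"    # offset 13 points to itself
TWO_STEP_LOOP = b"\x01a\xc0\x00"                     # "a", then pointer back to 0
TRUNCATED = b"\x05abc"                               # label claims 5 bytes, has 3
```

A naive decoder that only does `pos = target` on a pointer never leaves the loop for SELF_POINTER or TWO_STEP_LOOP; the `target >= lowest` rule rejects both on the first bad hop, and the bounds checks cover the truncated cases.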
