PowerDNS · PowerDNS DNSDist · CVE-2018-14663
**Name of the Vulnerable Software and Affected Versions**
PowerDNS DNSDist versions prior to 1.3.3
**Description**
The issue allows a remote attacker to craft a DNS query with trailing data, potentially smuggling that data to the backend as a valid record. This occurs when PowerDNS DNSDist is used as a DNS Firewall and either the `useClientSubnet` or the `addXPF` parameter is used. The issue can be used to bypass filtering of records that the backend should not receive.
**Recommendations**
For PowerDNS DNSDist versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue. As a temporary workaround, consider disabling the `useClientSubnet` or `addXPF` parameters when declaring a new backend until the update is applied. Restrict access to the backend to minimize the risk of exploitation.