PT-2018-12651 · Powerdns+1 · Powerdns Dnsdist+1
Richard Gibson · Published 2018-11-26 · Updated 2024-06-15
CVE-2018-14663
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
PowerDNS DNSDist versions prior to 1.3.3
Description
The issue allows a remote attacker to craft a DNS query with trailing data, potentially smuggling it to the backend as a valid record. This occurs when PowerDNS DNSDist is used as a DNS firewall and either the useClientSubnet or addXPF parameter is used. The issue can bypass filtering of records that should not be received by the backend.
Recommendations
For PowerDNS DNSDist versions prior to 1.3.3, update to version 1.3.3 or later to resolve the issue. As a temporary workaround, consider disabling the useClientSubnet or addXPF parameters when declaring a new backend until a patch is available. Restrict access to the backend to minimize the risk of exploitation.
Fix
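The trailing-data condition from the Description can be checked on captured queries by walking exactly the records the DNS header declares and counting what is left. This is an added detection example, not code from the advisory or from PowerDNS; the function names and sample packets are assumptions constructed for illustration, and the walker is generalized to handle compressed names and any record count.

```python
import struct

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, ends the name
            if off + 2 > len(msg):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length

def trailing_bytes(msg: bytes) -> int:
    """Count the bytes left over after every record the header declares."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        (rdlen,) = struct.unpack("!H", msg[off + 8:off + 10])
        off += 10 + rdlen               # TYPE, CLASS, TTL, RDLENGTH, RDATA
    if off > len(msg):
        raise ValueError("record runs past end of message")
    return len(msg) - off

# Constructed sample: a query for example.com A/IN with no additional records.
CLEAN_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
               + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
# Constructed sample: the same query followed by 11 filler bytes.
PADDED_QUERY = CLEAN_QUERY + b"\x00" * 11

if __name__ == "__main__":
    for label, pkt in (("clean", CLEAN_QUERY), ("padded", PADDED_QUERY)):
        print(label, "trailing bytes:", trailing_bytes(pkt))
```

A non-zero result on a client query is the condition worth alerting on or dropping before the query reaches a backend.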
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Powerdns Dnsdist
Suse