PowerDNS has released an update to its high performance DNS server software, which addresses several critical vulnerabilities that could be exploited to redirect traffic for a domain name or trigger a denial of service condition. Network administrators are advised to upgrade the PowerDNS Recursor to version 3.1.7.2.

The PowerDNS software, even if not as popular as BIND or other, is still used by large companies such as Wikimedia (Wikipedia), as well as NICs, ISPs and domain registrars like AOL, Shaw Cable, Register.com, Tucows or 1&1. In total, it is estimated that 8 to 10 million DNS zones are managed using PowerDNS.

The most severe vulnerability addressed by the 3.1.7.2 update is identified as CVE-2009-4009. "Using specially crafted packets, it is possible to force a buffer overflow in the PowerDNS Recursor, leading to a crash," the developers explain. A workaround for this flaw involves using "allow-from" to restrict the users being serviced. Running the software from an account with restricted privileges can also reduce the risk of full system compromise.

Another vulnerability with a "high" severity rating can be exploited to divert traffic for a domain name to an arbitrary IP address. "Using specially crafted zones, it is possible to fool the PowerDNS Recursor into accepting bogus data," the corresponding PowerDNS advisory warns. The vulnerability is identified as CVE-2009-4010 and there is no known workaround for it, except for upgrading.

Unnamed third parties are credited with the discovery of both vulnerabilities. They were "discovered by a third party that (for now) prefers not to be named. PowerDNS is very grateful however for their help in improving PowerDNS security," the developers note.

The Domain Name System (DNS) is one of the backbones of the Internet, as it handles the conversion of domain names to IP addresses. Problems with DNS servers can impact a large number of users. For example, back in October, a missing "." (dot) in the domain name zone for .se rendered almost 905,000 domain names with this TLD inaccessible for almost two hours.