CVE-2020-10995

Name	CVE-2020-10995
Description	PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. An issue in the DNS protocol has been found that allow malicious parties to use recursive DNS services to attack third party authoritative name servers. The attack uses a crafted reply by an authoritative name server to amplify the resulting traffic between the recursive and other authoritative name servers. Both types of service can suffer degraded performance as an effect. This is triggered by random subdomains in the NSDNAME in NS records. PowerDNS Recursor 4.1.16, 4.2.2 and 4.3.1 contain a mitigation to limit the impact of this DNS protocol issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-4691-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pdns-recursor (PTS)	buster, buster (security)	4.1.11-1+deb10u1	fixed
	bullseye	4.4.2-3	fixed
	bookworm	4.8.4-1	fixed
	bookworm (security)	4.8.7-1	fixed
	trixie	4.9.3-1	fixed
	sid	4.9.4-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
pdns-recursor	source	jessie	(not affected)
pdns-recursor	source	buster	4.1.11-1+deb10u1	DSA-4691-1
pdns-recursor	source	(unstable)	4.3.1-1

Notes

[jessie] - pdns-recursor <not-affected> (Vulnerable code added later)
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
https://www.openwall.com/lists/oss-security/2020/05/19/3