CVE-2025-30192: CWE-345 Insufficient Verification of Data Authenticity in PowerDNS Recursor

Severity: High
Tags: Vulnerability, CVE-2025-30192, CWE-345
Published: Mon Jul 21 2025 (07/21/2025, 12:49:31 UTC)
Source: CVE Database V5
Vendor/Project: PowerDNS
Product: Recursor

Description

An attacker spoofing answers to ECS-enabled requests sent out by the Recursor has a higher chance of success than against non-ECS-enabled queries. The updated versions include various mitigations against spoofing attempts on ECS-enabled queries, by chaining ECS-enabled requests and enforcing stricter validation of the received answers. The strictest mitigation is applied when the new setting outgoing.edns_subnet_harden (old-style name edns-subnet-harden) is enabled.

AI-Powered Analysis

Last updated: 07/21/2025, 13:16:25 UTC

Technical Analysis

CVE-2025-30192 is a high-severity vulnerability affecting the PowerDNS Recursor, a widely used DNS resolver software. The vulnerability stems from insufficient verification of data authenticity (CWE-345) specifically related to EDNS Client Subnet (ECS) enabled queries. ECS is a DNS extension that allows recursive resolvers to include part of the client's IP address in queries to authoritative servers, enabling geographically optimized responses. However, this feature also introduces complexity and potential attack vectors. In this case, an attacker can spoof DNS answers to ECS-enabled requests with a higher success probability than for non-ECS queries. This spoofing could lead to denial of service or manipulation of DNS responses, impacting availability. The vulnerability does not affect confidentiality or integrity directly but can cause significant disruption by providing incorrect DNS responses or causing service outages. The PowerDNS team has introduced mitigations in updated versions, including chaining ECS-enabled requests and enforcing stricter validation of received answers. The most stringent mitigation is available via the configuration setting outgoing.edns_subnet_harden (previously edns-subnet-harden), which hardens the validation process for ECS queries, reducing the risk of spoofing. The CVSS 3.1 score is 7.5 (high), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and an impact limited to availability. No known exploits are currently reported in the wild, but the vulnerability's nature and severity warrant prompt attention.
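The answer-side check the analysis refers to, as an added illustration that is not PowerDNS's own code: it encodes the EDNS0 Client Subnet option (code 8, RFC 7871), parses the OPT RDATA of a reply and accepts the reply only if the ECS option echoes the FAMILY, SOURCE PREFIX-LENGTH and ADDRESS that were sent. The `harden` flag, which rejects replies that omit ECS altogether instead of treating them as scope 0, is an assumption modelled on the advisory's "stricter validation", not a description of what `outgoing.edns_subnet_harden` actually does.

```python
import struct
import ipaddress

ECS_OPTION_CODE = 8  # EDNS0 OPTION-CODE for Client Subnet (RFC 7871)


def build_ecs_option(address, source_prefix, scope_prefix=0):
    """Encode one ECS option: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, ADDRESS."""
    ip = ipaddress.ip_address(address)
    family, bits = (1, 32) if ip.version == 4 else (2, 128)
    # ADDRESS carries only ceil(source_prefix / 8) octets; bits past the prefix are zeroed
    mask = ((1 << source_prefix) - 1) << (bits - source_prefix)
    addr = (int(ip) & mask).to_bytes(bits // 8, "big")[: (source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, scope_prefix) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_edns_options(opt_rdata):
    """Split the RDATA of an OPT pseudo-RR into {OPTION-CODE: OPTION-DATA}."""
    opts, pos = {}, 0
    while pos + 4 <= len(opt_rdata):
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        opts[code] = opt_rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
    return opts


def ecs_answer_acceptable(query_opt_rdata, answer_opt_rdata, harden=False):
    """Return (accept, reason) for a reply to an ECS-enabled query.

    RFC 7871 sec. 7.2.1: FAMILY, SOURCE PREFIX-LENGTH and ADDRESS in the reply must
    equal those sent in the query. A reply without any ECS option is legal per the
    RFC (treated as scope 0); with harden=True (assumed behaviour) it is rejected.
    """
    sent = parse_edns_options(query_opt_rdata).get(ECS_OPTION_CODE)
    got = parse_edns_options(answer_opt_rdata).get(ECS_OPTION_CODE)
    if sent is None:
        return True, "query carried no ECS option"
    if got is None:
        if harden:
            return False, "ECS option missing from reply (harden mode)"
        return True, "no ECS option in reply, treated as scope 0"
    if len(sent) < 4 or len(got) < 4:
        return False, "malformed ECS option"
    q_family, q_source, _ = struct.unpack("!HBB", sent[:4])
    a_family, a_source, a_scope = struct.unpack("!HBB", got[:4])
    if (q_family, q_source, sent[4:]) != (a_family, a_source, got[4:]):
        return False, "ECS option in reply does not echo the query"
    if a_scope > (32 if a_family == 1 else 128):
        return False, "SCOPE PREFIX-LENGTH out of range"
    return True, "ECS option echoed correctly"
```

The sample inputs in the test are constructed from documentation ranges (192.0.2.0/24, 198.51.100.0/24) and are not taken from the advisory.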

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on PowerDNS Recursor for DNS resolution in critical infrastructure, enterprise networks, or service provider environments. Spoofed DNS responses can lead to denial of service conditions, disrupting access to internal and external resources, potentially affecting business continuity. Although confidentiality and integrity are not directly compromised, availability degradation can cause operational downtime, impacting sectors such as finance, healthcare, telecommunications, and government services. Additionally, DNS is a foundational service; disruptions can cascade to other dependent applications and services. The increased spoofing success rate for ECS-enabled queries is particularly concerning for organizations leveraging ECS for geo-aware DNS routing, common in content delivery networks and cloud services prevalent in Europe. Given the high reliance on DNS and the critical role of PowerDNS in many European networks, this vulnerability poses a tangible risk to service reliability and trustworthiness.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Upgrade PowerDNS Recursor to the latest version that includes the ECS spoofing mitigations. Even though no patch links are provided, monitoring official PowerDNS channels for updates is critical.
2) Enable the outgoing.edns_subnet_harden setting (old-style name edns-subnet-harden) to enforce the strictest validation of ECS-enabled queries, significantly reducing spoofing risk.
3) Review and audit DNS resolver configurations to ensure ECS is enabled only where necessary, minimizing the attack surface.
4) Implement network-level protections such as DNS response validation, DNSSEC validation where applicable, and rate limiting to detect and mitigate spoofed or anomalous DNS traffic.
5) Monitor DNS traffic logs for unusual patterns indicative of spoofing attempts or DNS anomalies.
6) Coordinate with upstream DNS providers and peers to ensure consistent ECS handling and validation.
7) Prepare incident response plans specific to DNS service disruptions to minimize downtime in case of exploitation.

These measures go beyond generic advice by focusing on ECS-specific configurations and operational monitoring tailored to this vulnerability.

Technical Details

Data Version
5.1
Assigner Short Name
OX
Date Reserved
2025-03-18T08:39:46.884Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 687e3a12a83201eaac0f8674

Added to database: 7/21/2025, 1:01:06 PM

Last enriched: 7/21/2025, 1:16:25 PM

Last updated: 7/21/2025, 1:16:25 PM
