In systemd 223 through 235, a remote DNS server can respond with a custom crafted DNS NSEC resource record to trigger an infinite loop in the dns_packet_read_type_window() function of the 'systemd-resolved' service and cause a DoS of the affected service.
https://usn.ubuntu.com/3558-1/
https://github.com/systemd/systemd/pull/7184
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351