📄 Description (English)
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QUIC streams and sends only 1 byte per stream. When the worker pool is full, CoreDNS still spawns a goroutine per accepted stream to wait for a worker token. Additionally, active workers block indefinitely in io.ReadFull() with no per-stream read deadline, allowing an attacker to pin all workers by sending a single byte so the read blocks waiting for the second byte of the DoQ length prefix. This enables an unauthenticated remote attacker to cause memory exhaustion and OOM-kill. This issue has been fixed in version 1.14.3. No known workarounds exist.
🤖 AI Executive Summary
CoreDNS versions prior to 1.14.3 are vulnerable to a denial-of-service attack via DNS-over-QUIC (DoQ) that allows unauthenticated remote attackers to exhaust memory and cause system crashes. An attacker can open multiple QUIC streams and send minimal data to trigger unbounded goroutine creation and memory growth, leading to out-of-memory conditions. This vulnerability is particularly critical for organizations running CoreDNS as their primary DNS infrastructure, with active exploits already available in the wild.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 9, 2026 14:26
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using CoreDNS as DNS infrastructure face critical risk, particularly: (1) Government entities and NCA-regulated organizations relying on CoreDNS for internal DNS services; (2) Telecom operators (STC, Mobily, Zain) using CoreDNS in their network infrastructure; (3) Banking sector institutions (SAMA-regulated) with CoreDNS deployments for DNS resolution; (4) Energy sector (ARAMCO, SEC) with critical infrastructure DNS services; (5) Healthcare providers using CoreDNS for network services. The vulnerability enables complete denial of service with no authentication required, making it a critical threat to business continuity across all sectors.
🏢 Affected Saudi Sectors
Government
Banking
Telecommunications
Energy
Healthcare
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all CoreDNS instances in your environment and document their versions using: coredns -version
2. Disable DNS-over-QUIC (DoQ) protocol immediately if not essential: remove 'quic' plugin from Corefile configuration
3. Implement network-level rate limiting on DNS queries (port 53 UDP/TCP and QUIC port 853) using firewall rules
4. Monitor memory usage and goroutine count on CoreDNS instances using: curl localhost:6379/metrics | grep goroutine
PATCHING GUIDANCE:
1. Upgrade CoreDNS to version 1.14.3 or later immediately
2. For deployment via Kubernetes: update CoreDNS image to coredns:1.14.3 or later in kube-system namespace
3. Test in non-production environment first to ensure DNS resolution stability
4. Plan maintenance window for production upgrades with DNS failover capability
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement connection limits per source IP using iptables or cloud WAF
2. Deploy reverse proxy (nginx/HAProxy) in front of CoreDNS with connection pooling and timeouts
3. Set read timeouts at OS level: sysctl -w net.ipv4.tcp_fin_timeout=30
4. Use resource limits in container/VM: memory limit to prevent OOM-kill cascade
5. Implement DNS query rate limiting per client IP (max 100 queries/second)
DETECTION RULES:
1. Alert on goroutine count exceeding baseline by >50%: prometheus query 'go_goroutines > baseline_value'
2. Monitor for multiple QUIC connections from single source IP with minimal data transfer
3. Alert on CoreDNS memory usage exceeding 80% of allocated limit
4. Log and alert on QUIC stream errors and connection resets
5. Implement IDS signature for DoQ protocol anomalies (incomplete length prefix patterns)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات CoreDNS في بيئتك وتوثيق إصداراتها باستخدام: coredns -version
2. عطّل بروتوكول DNS-over-QUIC (DoQ) فوراً إذا لم يكن ضرورياً: أزل مكون 'quic' من ملف Corefile
3. طبّق تحديد معدل على مستوى الشبكة لاستعلامات DNS (المنفذ 53 UDP/TCP ومنفذ QUIC 853) باستخدام قواعد جدار الحماية
4. راقب استخدام الذاكرة وعدد goroutine على مثيلات CoreDNS باستخدام: curl localhost:6379/metrics | grep goroutine
إرشادات التصحيح:
1. ترقية CoreDNS إلى الإصدار 1.14.3 أو أحدث فوراً
2. للنشر عبر Kubernetes: حدّث صورة CoreDNS إلى coredns:1.14.3 أو أحدث في مساحة الاسم kube-system
3. اختبر في بيئة غير الإنتاج أولاً للتأكد من استقرار دقة DNS
4. خطط نافذة صيانة للترقيات الإنتاجية مع قدرة المحاولة الاحتياطية لـ DNS
الضوابط التعويضية:
1. طبّق حدود الاتصال لكل عنوان IP مصدر باستخدام iptables أو cloud WAF
2. نشر وكيل عكسي (nginx/HAProxy) أمام CoreDNS مع تجميع الاتصالات والمهل الزمنية
3. عيّن مهل زمنية القراءة على مستوى نظام التشغيل: sysctl -w net.ipv4.tcp_fin_timeout=30
4. استخدم حدود الموارد في الحاوية/VM: حد الذاكرة لمنع تسلسل OOM-kill
5. طبّق تحديد معدل استعلام DNS لكل عنوان IP عميل (الحد الأقصى 100 استعلام/ثانية)
قواعد الكشف:
1. تنبيه عند تجاوز عدد goroutine للخط الأساسي بنسبة >50%: prometheus query 'go_goroutines > baseline_value'
2. راقب اتصالات QUIC المتعددة من عنوان IP مصدر واحد مع نقل بيانات قليل
3. تنبيه عند تجاوز استخدام ذاكرة CoreDNS 80% من الحد المخصص
4. سجل وتنبيه على أخطاء تدفق QUIC وإعادة تعيين الاتصال
5. طبّق توقيع IDS لشذوذ بروتوكول DoQ (أنماط بادئة الطول غير المكتملة)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Monitoring and testing of information systems
ECC 2024 A.13.1.3 - Segregation of networks
ECC 2024 A.14.2.1 - Secure development policy
🔵 SAMA CSF
SAMA CSF ID.BE-5 - Organizational resilience objectives
SAMA CSF PR.DS-6 - Data is protected from unauthorized access
SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events
SAMA CSF RS.MI-1 - Incidents are contained
🟡 ISO 27001:2022
ISO 27001:2022 A.12.2.1 - Change management
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.8.1.1 - Inventory of assets
ISO 27001:2022 A.5.23 - Information security for supplier relationships
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 11.2 - Vulnerability scanning
PCI DSS 12.2 - Configuration standards
🔗 References & Sources 3
🔗
https://github.com/coredns/coredns/releases/tag/v1.14.3
security-advisories@github.com
Release Notes
🔗
https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5
security-advisories@github.com
Exploit
Vendor Advisory
🔗
https://github.com/coredns/coredns/security/advisories/GHSA-2wpx-qpw2-g5h5
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
coredns.io:coredns