CVE-2026-32936

High ⚡ Exploit Available
CWE-400 — Weakness Type
Published: May 5, 2026  ·  Modified: May 12, 2026  ·  Source: NVD
CVSS v3
7.5
📄 Description (English)

CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decoding, and DNS message unpacking before rejecting the request. Unlike the POST path, which applies a bounded read via http.MaxBytesReader limited to 65536 bytes, the GET path has no equivalent size validation before expensive processing. A remote, unauthenticated attacker can repeatedly send oversized DoH GET requests to force high CPU usage, large transient memory allocations, and elevated garbage-collection pressure, leading to denial of service. This issue has been fixed in version 1.14.3.
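As an added illustration (not CoreDNS's own code and not its actual 1.14.3 fix), the Go handler below shows the shape of the missing check: the dns= parameter is bounded before url.ParseQuery, base64 decoding and any message parsing run, mirroring the 65536-byte limit the POST path already gets from http.MaxBytesReader. The function names, the +256 slack for other parameters and the listen address are assumptions.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

const (
	maxDoHMessage = 65536                     // the same bound the POST path gets from http.MaxBytesReader
	maxDNSParam   = (maxDoHMessage*4 + 2) / 3 // longest unpadded base64url encoding of that many bytes
)
var errOversized = errors.New("doh: dns parameter exceeds size bound")
// decodeDoHGet returns the DNS message carried in dns=. Both size checks run before
// url.ParseQuery, base64 decoding and any message parsing, so an oversized request
// costs a length comparison instead of a full parse, decode and unpack.
func decodeDoHGet(rawQuery string) ([]byte, error) {
	if len(rawQuery) > maxDNSParam+256 { // cheapest gate; +256 is assumed slack for other small parameters
		return nil, errOversized
	}
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	enc := values.Get("dns")
	if enc == "" {
		return nil, errors.New("doh: missing dns parameter")
	}
	if len(enc) > maxDNSParam { // bound the parameter itself before decoding it
		return nil, errOversized
	}
	msg, err := base64.RawURLEncoding.DecodeString(enc)
	if err != nil || len(msg) < 12 { // a DNS message is at least its 12-byte header
		return nil, errors.New("doh: dns parameter is not a DNS message")
	}
	return msg, nil // hand off to the resolver only after all checks pass
}

func main() { // minimal GET endpoint wired to the bounded decoder; placeholder listen address
	http.HandleFunc("/dns-query", func(w http.ResponseWriter, r *http.Request) {
		if msg, err := decodeDoHGet(r.URL.RawQuery); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
		} else {
			fmt.Fprintf(w, "accepted %d-byte DNS message\n", len(msg))
		}
	})
	panic(http.ListenAndServe("127.0.0.1:8053", nil))
}
```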

🤖 AI Executive Summary

CoreDNS versions prior to 1.14.3 are vulnerable to a Denial of Service attack through DNS-over-HTTPS (DoH) GET requests with oversized query parameters. An unauthenticated attacker can exploit the lack of input size validation to cause excessive CPU consumption, memory allocation, and garbage collection pressure, rendering DNS services unavailable. This vulnerability is particularly critical for organizations relying on CoreDNS for internal or public DNS resolution, as it requires no authentication and can be exploited remotely.

🤖 AI Intelligence Analysis Analyzed: May 9, 2026 14:27
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations across multiple critical sectors face significant risk: (1) Banking & Financial Services (SAMA-regulated entities, payment processors) — DNS unavailability disrupts transaction processing and customer access; (2) Government & Critical Infrastructure (NCA oversight) — impacts e-government services, citizen portals, and inter-agency communications; (3) Telecommunications (STC, Mobily, Zain) — DNS is foundational to network operations and customer-facing services; (4) Energy Sector (Saudi Aramco, SAEC) — DNS outages affect operational technology networks and remote monitoring; (5) Healthcare (MOH facilities) — disrupts patient record systems and telemedicine platforms. The attack requires no authentication and can originate from anywhere globally, making it a high-probability threat vector for Saudi infrastructure.
🏢 Affected Saudi Sectors
Banking & Financial Services, Government & Public Administration, Telecommunications, Energy & Utilities, Healthcare, Critical Infrastructure, E-Commerce, Education
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all CoreDNS deployments in your environment (check version: coredns -version)
2. Prioritize systems exposed to untrusted networks (public-facing, internet-connected)
3. Implement network-level rate limiting on DoH GET requests (limit to <1000 requests/second per source IP)
4. Enable request size validation at reverse proxy/load balancer level (reject GET requests >4KB)

PATCHING:
1. Upgrade CoreDNS to version 1.14.3 or later immediately
2. For air-gapped environments unable to patch immediately, apply compensating controls
3. Test patches in non-production environments first

COMPENSATING CONTROLS (if patching delayed):
1. Deploy WAF/reverse proxy rules to reject DoH GET requests with dns= parameters >4096 bytes
2. Implement connection-level rate limiting (max 100 concurrent connections per source IP)
3. Configure resource limits: set ulimit -n 65536, enable cgroup memory limits (512MB per CoreDNS process)
4. Monitor CPU and memory metrics; alert on sustained >80% CPU usage
5. Disable DoH GET support if not required; use POST-only mode

DETECTION RULES:
1. Monitor HTTP GET requests to /dns-query with dns= parameter size >4KB
2. Alert on sustained high CPU usage (>80%) correlated with DoH traffic spikes
3. Track memory allocation patterns; flag rapid growth in transient allocations
4. Log and alert on requests from single source IP exceeding 1000 requests/minute
5. Monitor garbage collection frequency; alert if GC pause time >100ms sustained
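Detection rules 1 and 4 above, implemented as an added example (not part of this advisory or of CoreDNS) over constructed access-log lines. The log format, its field order and the TEST-NET addresses are assumptions; the 4 KB and 1000-requests-per-minute thresholds come from the rules above.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)
const maxDNSParamBytes = 4096 // rule 1 above: dns= value larger than 4 KB
const maxPerMinute = 1000     // rule 4 above: requests from one source IP in one minute
// analyzeDoHLog scans constructed access-log lines "<RFC3339 time> <client ip> <method>
// <path?query> <status>". It reports each oversized DoH GET, measuring the encoded dns= value
// as sent (rule 1), and each source IP whose count in a calendar minute crosses maxPerMinute,
// once per minute (rule 4). Each finding is "<rule> <ip> <detail>".
func analyzeDoHLog(lines []string) []string {
	var out []string
	perMinute := map[string]int{} // key: "<ip> <minute bucket>"
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 5 {
			continue // malformed line
		}
		ts, terr := time.Parse(time.RFC3339, f[0])
		u, uerr := url.Parse(f[3])
		if terr != nil || uerr != nil || u.Path != "/dns-query" {
			continue // not a DoH request we can attribute
		}
		if n := len(u.Query().Get("dns")); f[2] == "GET" && n > maxDNSParamBytes {
			out = append(out, fmt.Sprintf("oversized-doh-get %s dns= is %d bytes", f[1], n))
		}
		minute := ts.Truncate(time.Minute).Format(time.RFC3339)
		if perMinute[f[1]+" "+minute]++; perMinute[f[1]+" "+minute] == maxPerMinute+1 {
			out = append(out, fmt.Sprintf("doh-rate-exceeded %s over %d requests in minute %s", f[1], maxPerMinute, minute))
		}
	}
	return out
}
// sampleLog is a constructed log (TEST-NET addresses): one benign GET, one oversized GET,
// then a burst of 1005 small GETs from a single source inside one minute.
func sampleLog() []string {
	small := "AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE" // constructed base64url DNS query
	lines := []string{
		"2026-05-05T10:00:01Z 198.51.100.5 GET /dns-query?dns=" + small + " 200",
		"2026-05-05T10:00:03Z 203.0.113.7 GET /dns-query?dns=" + strings.Repeat("A", 5000) + " 200",
	}
	for i := 0; i < 1005; i++ {
		lines = append(lines, fmt.Sprintf("2026-05-05T10:01:%02dZ 203.0.113.9 GET /dns-query?dns=%s 200", i%60, small))
	}
	return lines
}
func main() { fmt.Println(strings.Join(analyzeDoHLog(sampleLog()), "\n")) }
```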
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 — Management of technical vulnerabilities (patch management)
ECC 2024 A.8.2.1 — User registration and access management (DoS prevention)
ECC 2024 A.12.3.1 — Segregation of networks (network-level rate limiting)
ECC 2024 A.12.1.2 — Monitoring and logging of access (DoH traffic monitoring)
🔵 SAMA CSF
SAMA CSF ID.BE-1 — Business Environment (service availability)
SAMA CSF PR.AC-1 — Access Control (authentication/authorization for DNS)
SAMA CSF PR.DS-1 — Data Security (DNS data integrity)
SAMA CSF DE.CM-1 — Detection & Analysis (anomaly detection for DoS)
SAMA CSF RS.MI-1 — Response & Recovery (incident mitigation)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 — Information security for supplier relationships (patch management)
ISO 27001:2022 A.8.1 — User endpoint devices (resource limits)
ISO 27001:2022 A.8.2 — Privileged access rights (DoH access control)
ISO 27001:2022 A.12.2 — Supply chain security (CoreDNS version control)
ISO 27001:2022 A.12.6 — Management of technical vulnerabilities (CVE tracking)
🟣 PCI DSS v4.0.1
PCI DSS 6.2 — Security patches for system components (CoreDNS patching)
PCI DSS 11.2 — Vulnerability scanning (identify CoreDNS versions)
PCI DSS 12.2 — Configuration standards (DoH security settings)
📦 Affected Products / CPE 1 entries
coredns.io:coredns
📊 CVSS Score: 7.5 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: N — None
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: N — None
Integrity: N — None
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 7.5
CWE: CWE-400
EPSS: 0.10%
Exploit: ✓ Yes
Patch: ✗ No
Published: 2026-05-05
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available CWE-400