📄 Description (English)
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The longestMatch() function in plugin/transfer/transfer.go uses a lexicographic string comparison instead of an actual longest-suffix match to select the winning zone. As a result, a permissive parent-zone transfer rule can override a restrictive subzone rule depending on zone name ordering (e.g., "example.org." > "a.example.org." lexicographically). This allows an unauthorized remote client to perform AXFR/IXFR for the subzone and retrieve its full zone contents. This issue has been fixed in version 1.14.3.
🤖 AI Executive Summary
CoreDNS versions prior to 1.14.3 contain a critical ACL bypass vulnerability in the transfer plugin due to incorrect zone matching logic. An attacker can exploit lexicographic string comparison instead of proper longest-suffix matching to bypass restrictive DNS zone transfer rules, allowing unauthorized AXFR/IXFR requests to retrieve complete zone contents. This vulnerability is actively exploitable and affects organizations using CoreDNS for DNS infrastructure.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 9, 2026 14:27
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations operating CoreDNS infrastructure, particularly: (1) ARAMCO and energy sector operators managing critical DNS infrastructure for SCADA/ICS systems; (2) SAMA-regulated financial institutions using CoreDNS for internal DNS services; (3) Government entities (NCA, CITC) managing national DNS infrastructure; (4) Telecom providers (STC, Mobily, Zain) operating DNS services; (5) Healthcare organizations using CoreDNS for medical record systems. Unauthorized zone transfers could expose sensitive DNS records, internal network topology, and facilitate further attacks on critical infrastructure.
🏢 Affected Saudi Sectors
Energy (ARAMCO, oil/gas operators)
Banking (SAMA-regulated institutions)
Government (NCA, CITC, federal agencies)
Telecommunications (STC, Mobily, Zain)
Healthcare (hospitals, medical centers)
Critical Infrastructure (water, power utilities)
🎯 MITRE ATT&CK Techniques
T1040 - Traffic Capture or Redirection (DNS zone transfer interception)
T1557 - Man-in-the-Middle (DNS spoofing via zone information)
T1590 - Gather Victim Network Information (zone enumeration)
T1526 - Scan IP Blocks (DNS reconnaissance)
T1087 - Account Discovery (via DNS zone contents)
T1580 - Cloud Infrastructure Discovery (DNS topology mapping)
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all CoreDNS instances in your environment and verify versions (check 'coredns -version')
2. Disable the transfer plugin if not required: remove 'transfer' from Corefile configuration
3. If transfer plugin is required, implement network-level ACLs to restrict zone transfer requests to authorized IPs only
4. Monitor DNS query logs for suspicious AXFR/IXFR requests from unauthorized sources
PATCHING:
1. Upgrade CoreDNS to version 1.14.3 or later immediately
2. Test in non-production environment first
3. Implement rolling restart to minimize DNS service disruption
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement firewall rules to block port 53 TCP (zone transfers) from untrusted networks
2. Use network segmentation to restrict zone transfer access to authorized secondary DNS servers only
3. Configure CoreDNS with explicit deny rules for all zones before permissive parent zone rules
4. Enable DNS query logging and implement SIEM alerts for AXFR/IXFR attempts
DETECTION:
1. Search DNS logs for AXFR/IXFR query types (OpCode 5)
2. Alert on zone transfer requests from IPs outside authorized secondary DNS server list
3. Monitor CoreDNS error logs for ACL-related warnings
4. Implement IDS signatures for DNS zone transfer anomalies
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات CoreDNS في بيئتك والتحقق من الإصدارات (تحقق من 'coredns -version')
2. عطّل مكون النقل إذا لم يكن مطلوباً: أزل 'transfer' من تكوين Corefile
3. إذا كان مكون النقل مطلوباً، قم بتنفيذ قوائم التحكم بالوصول على مستوى الشبكة لتقييد طلبات نقل المناطق إلى عناوين IP المصرح بها فقط
4. راقب سجلات استعلامات DNS للطلبات المريبة AXFR/IXFR من مصادر غير مصرح بها
التصحيح:
1. قم بترقية CoreDNS إلى الإصدار 1.14.3 أو أحدث على الفور
2. اختبر في بيئة غير الإنتاج أولاً
3. قم بتنفيذ إعادة تشغيل متدرجة لتقليل انقطاع خدمة DNS
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. قم بتنفيذ قواعد جدار الحماية لحظر منفذ 53 TCP (نقل المناطق) من الشبكات غير الموثوقة
2. استخدم تقسيم الشبكة لتقييد وصول نقل المناطق إلى خوادم DNS الثانوية المصرح بها فقط
3. قم بتكوين CoreDNS بقواعد رفض صريحة لجميع المناطق قبل قواعد المنطقة الأب المتساهلة
4. قم بتمكين تسجيل استعلامات DNS وتنفيذ تنبيهات SIEM لمحاولات AXFR/IXFR
الكشف:
1. ابحث في سجلات DNS عن أنواع استعلامات AXFR/IXFR (OpCode 5)
2. تنبيه على طلبات نقل المناطق من عناوين IP خارج قائمة خوادم DNS الثانوية المصرح بها
3. راقب سجلات أخطاء CoreDNS للتحذيرات المتعلقة بقائمة التحكم بالوصول
4. قم بتنفيذ توقيعات IDS لشذوذ نقل مناطق DNS
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy (ACL bypass violates access control principles)
ECC 2024 A.5.2.1 - User Registration and De-registration (unauthorized access to DNS zones)
ECC 2024 A.8.1.1 - Information Security Perimeter (DNS infrastructure protection)
ECC 2024 A.12.4.1 - Event Logging (DNS query logging and monitoring)
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Asset Management (identify and manage CoreDNS instances)
SAMA CSF PR.AC-1 - Access Control (enforce proper ACL matching)
SAMA CSF PR.AC-3 - Access Enforcement (restrict zone transfers)
SAMA CSF DE.AE-1 - Anomalies and Events (detect unauthorized zone transfers)
SAMA CSF DE.CM-1 - Detection and Analysis (monitor DNS logs)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of Duties (DNS access control)
ISO 27001:2022 A.8.1 - User Endpoint Devices (DNS client security)
ISO 27001:2022 A.8.2 - Privileged Access Rights (zone transfer authorization)
ISO 27001:2022 A.8.3 - Information Access Restriction (zone content protection)
ISO 27001:2022 A.12.4 - Logging (DNS transaction logging)
🟣 PCI DSS v4.0.1
PCI DSS 1.1 - Firewall Configuration Standards (restrict zone transfers)
PCI DSS 2.2.4 - Configure System Security Parameters (CoreDNS hardening)
PCI DSS 6.2 - Security Patches (apply CoreDNS 1.14.3 update)
PCI DSS 10.2 - Implement Automated Audit Trails (DNS query logging)
🔗 References & Sources 3
🔗
https://github.com/coredns/coredns/releases/tag/v1.14.3
security-advisories@github.com
Release Notes
🔗
https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3
security-advisories@github.com
Exploit
Vendor Advisory
🔗
https://github.com/coredns/coredns/security/advisories/GHSA-h8mm-c463-wjq3
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
coredns.io:coredns