CoreDNS Denial-of-Service Vulnerability in DNS-over-QUIC Server Implementation

Vulnerability

A denial-of-service vulnerability has been identified in the CoreDNS DNS-over-QUIC (DoQ) server implementation, affecting versions prior to 1.21.2. The vulnerability arises because the server creates a new goroutine for each incoming QUIC stream without limiting the number of concurrent streams or goroutines. This allows a remote, unauthenticated attacker to open many streams, causing uncontrolled memory consumption and leading to an out-of-memory crash, particularly in containerized or memory-constrained environments. The issue occurs when QUIC support is enabled in the Corefile.

Impact

Exploitation of this vulnerability can cause a high loss of availability, either by terminating the CoreDNS process or making it unresponsive.

Reproduction

To reproduce this vulnerability, enable QUIC support in the CoreDNS configuration by adding a 'quic://' block in the Corefile. Once QUIC is enabled, a remote attacker can open multiple QUIC streams, which will be processed in parallel, leading to increased memory usage. This can be done using a custom tool or script that establishes QUIC connections to the server and opens numerous streams, simulating an attack.

Remediation

Users can upgrade to CoreDNS version 1.21.2 or later, where this vulnerability is patched. The patch introduces two key mitigation mechanisms: 'max_streams', which caps the number of concurrent QUIC streams per connection, and 'worker_pool_size', which creates a server-wide, bounded worker pool to process incoming streams. For those unable to upgrade, QUIC support can be disabled by removing or commenting out the 'quic://' block in the Corefile. Alternatively, monitor QUIC connection patterns and alert on anomalies.
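The following Go program is an added illustration, not CoreDNS code, of the concurrency pattern the advisory describes: a goroutine spawned per stream with no bound, beside the patched shape in which a per-connection cap (the 'max_streams' setting) and a server-wide bounded worker pool (the 'worker_pool_size' setting) limit how many handlers can be alive at once. It uses no QUIC library; the Stream type, the burst of 4 connections x 300 streams and the sleep that stands in for a slow upstream are all constructed, and the mapping of the semaphore-channel pattern onto the two Corefile options is an assumption about the shape of the fix, not a reading of the CoreDNS source.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Stream is a constructed stand-in for an incoming QUIC stream carrying one DNS query.
// No real QUIC transport is involved; only the concurrency pattern around streams matters here.
type Stream struct {
	ConnID   int
	StreamID int
}

// Stats captures what a stream flood does to the server.
type Stats struct {
	PeakInFlight int64 // highest number of stream handlers alive at the same time
	Handled      int64 // streams that were processed
	Rejected     int64 // streams refused by the per-connection cap
}

// burst builds a constructed flood: conns connections each opening perConn streams at once.
func burst(conns, perConn int) []Stream {
	var out []Stream
	for c := 0; c < conns; c++ {
		for i := 0; i < perConn; i++ {
			out = append(out, Stream{ConnID: c, StreamID: i})
		}
	}
	return out
}

// handle models serving one query. The sleep stands in for a slow upstream; it is the
// time a handler stays resident that lets goroutines pile up in memory.
func handle(s Stream, inFlight, peak *int64, hold time.Duration) {
	n := atomic.AddInt64(inFlight, 1)
	for {
		p := atomic.LoadInt64(peak)
		if n <= p || atomic.CompareAndSwapInt64(peak, p, n) {
			break
		}
	}
	time.Sleep(hold)
	atomic.AddInt64(inFlight, -1)
}

// serveUnbounded is the pre-fix shape: one goroutine per stream, no limit anywhere,
// so the attacker decides how many handlers are resident at once.
func serveUnbounded(streams []Stream, hold time.Duration) Stats {
	var st Stats
	var inFlight int64
	var wg sync.WaitGroup
	for _, s := range streams {
		wg.Add(1)
		go func(s Stream) {
			defer wg.Done()
			handle(s, &inFlight, &st.PeakInFlight, hold)
			atomic.AddInt64(&st.Handled, 1)
		}(s)
	}
	wg.Wait()
	return st
}

// serveBounded is the patched shape (assumed, see lead-in): maxStreams caps the streams
// admitted per connection (a real QUIC transport enforces this itself; here the burst is
// admitted up front and the excess counted as rejected), and workerPoolSize is a
// server-wide semaphore, so the accept loop blocks instead of spawning when every slot is busy.
func serveBounded(streams []Stream, maxStreams, workerPoolSize int, hold time.Duration) Stats {
	var st Stats
	var inFlight int64
	openPerConn := map[int]int{}
	pool := make(chan struct{}, workerPoolSize) // worker_pool_size
	var wg sync.WaitGroup
	for _, s := range streams {
		if openPerConn[s.ConnID] >= maxStreams { // max_streams
			st.Rejected++
			continue
		}
		openPerConn[s.ConnID]++
		pool <- struct{}{} // acquire a worker slot; blocks while the pool is full
		wg.Add(1)
		go func(s Stream) {
			defer wg.Done()
			defer func() { <-pool }() // release the slot when the handler exits
			handle(s, &inFlight, &st.PeakInFlight, hold)
			atomic.AddInt64(&st.Handled, 1)
		}(s)
	}
	wg.Wait()
	return st
}

func main() {
	flood := burst(4, 300) // constructed: 4 connections x 300 streams opened at once
	u := serveUnbounded(flood, 20*time.Millisecond)
	b := serveBounded(flood, 256, 16, 20*time.Millisecond)
	fmt.Printf("unbounded: peak=%d handled=%d\n", u.PeakInFlight, u.Handled)
	fmt.Printf("bounded:   peak=%d handled=%d rejected=%d\n", b.PeakInFlight, b.Handled, b.Rejected)
}
```

Running it shows the unbounded server's peak climbing to roughly the size of the flood, while the bounded server never has more than workerPoolSize handlers resident and refuses the per-connection excess; the flood still costs CPU, but memory growth is now capped by configuration rather than chosen by the remote peer, which is the property the upgrade restores.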

Added: Jun 6, 2025, 6:24 PM
Updated: Jun 6, 2025, 6:24 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 8.8
remediation: 8.3
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.