CoreDNS ACL Bypass Vulnerability Allowing Unauthorized Service Discovery

Vulnerability

A logic flaw in CoreDNS prior to version 1.14.2 allows its DNS access controls to be bypassed. The issue stems from the default plugin execution order: security plugins such as ACL run before the rewrite plugin, so the access decision is made on the query name as received, before rewrite has normalized it. This is a Time-of-Check Time-of-Use (TOCTOU) flaw, and it particularly affects multi-tenant Kubernetes clusters by undermining DNS-based segmentation strategies.

Impact

Exploitation of this vulnerability allows unauthorized access to internal services in Kubernetes, bypassing DNS-based access controls and enabling reconnaissance of restricted infrastructure.

Remediation

Users are advised to upgrade to CoreDNS version 1.14.2 or later. In addition, the default plugin configuration should be reordered to ensure that rewrite and other normalization plugins are processed before ACL, OPA, and firewall plugins. All access control checks should be applied after name normalization.
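As an added example that is not part of this advisory or of CoreDNS itself: a small POSIX shell check that inspects the plugin.cfg compiled into a CoreDNS build, which is where plugin execution order is fixed (Corefile stanza order does not change it), and flags any access-control plugin listed ahead of rewrite. The two plugin.cfg excerpts are constructed, and the plugin.cfg entry names opa and firewall are assumed for those external plugins.

```shell
#!/bin/sh
# Added example (not from the advisory). CoreDNS executes plugins in the
# order they appear in plugin.cfg at build time; an access-control plugin
# listed before rewrite therefore evaluates the query name before it has
# been normalized, which is the ordering flaw the advisory describes.

# Constructed excerpt of a plugin.cfg with the vulnerable default order
# (acl listed before rewrite).
VULNERABLE_CFG='errors:errors
log:log
acl:acl
cache:cache
rewrite:rewrite
kubernetes:kubernetes
forward:forward'

# Same excerpt with rewrite moved ahead of acl, as the remediation requires.
FIXED_CFG='errors:errors
log:log
rewrite:rewrite
acl:acl
cache:cache
kubernetes:kubernetes
forward:forward'

# check_plugin_order CONFIG_TEXT
# Prints each access-control plugin (acl, opa, firewall; the latter two
# names are assumed) that is listed before rewrite and returns 1 if any
# was found; returns 0 when rewrite precedes all of them.
check_plugin_order() {
  printf '%s\n' "$1" | awk -F: '
    /^[[:space:]]*(#|$)/ { next }                # skip comments and blanks
    $1 == "rewrite"      { seen_rewrite = 1; next }
    ($1 == "acl" || $1 == "opa" || $1 == "firewall") && !seen_rewrite {
      printf "%s runs before rewrite\n", $1
      bad = 1
    }
    END { exit bad + 0 }'
}
```

To audit a real build, run the function on the file itself, for example `check_plugin_order "$(cat plugin.cfg)"`.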

Added: Mar 6, 2026, 4:20 PM
Updated: Mar 6, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 1.5
exploitability: 3.5
remediation: 8.3
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.