CoreDNS Denial-of-Service Vulnerability in Loop Detection Plugin

Vulnerability

A denial-of-service vulnerability has been identified in CoreDNS versions prior to 1.14.2, specifically within the loop detection plugin. This vulnerability allows an attacker to crash the DNS server by sending specially crafted DNS queries. The issue arises from a predictable pseudo-random number generator used to create a secret query name, coupled with a fatal error handler that abruptly terminates the entire process. When the server receives multiple queries matching that name, it mistakenly concludes that a forwarding loop exists and terminates.

Impact

Exploitation of this vulnerability causes the CoreDNS server to crash, disrupting all DNS resolution within the Kubernetes cluster. This failure can lead to cascading issues, as services rely on DNS for discovery. If the attack continues, CoreDNS may enter a crash-restart cycle, causing application-level failures across the cluster.

Reproduction

The vulnerability can be reproduced by sending HINFO queries with a qname that has been observed in the CoreDNS logs. This can be done during the loop plugin's self-test failure, which occurs when the upstream DNS server is unreachable. The attacker must have access to the logs to see the generated qname and can then send three HINFO queries with that name, causing the server to crash.
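The two design points behind this advisory (the secret probe name must be unpredictable, and a suspected loop must not take the whole process down) can be illustrated in code. The following Go program is an added example written for this page; it is not CoreDNS's loop plugin and not the 1.14.2 patch. The `LoopDetector` type, its `Observe` method, the `onLoop` hook, the probe-name format and the threshold of three matches are all constructed for illustration. It draws the probe name from `crypto/rand`, and on a suspected loop it disables the detector for that zone and notifies an operator hook instead of exiting; the hook deliberately receives the zone but never writes the probe name to the log, since the reproduction above starts from a qname seen in the logs.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
)

// LoopDetector is a constructed illustration, not CoreDNS code: the probe name
// comes from a CSPRNG, and a suspected loop disables this detector only,
// leaving the server process running.
type LoopDetector struct {
	mu        sync.Mutex
	Zone      string
	probeName string                   // secret HINFO qname used for the self-test
	matches   int                      // matching HINFO queries seen so far
	threshold int                      // matches needed before declaring a loop
	disabled  bool                     // replaces a fatal exit: detector degrades, process continues
	onLoop    func(zone, qname string) // assumed operator hook (log/alert)
}

// NewLoopDetector builds a detector for zone with a fresh, unpredictable probe name.
func NewLoopDetector(zone string, threshold int, onLoop func(zone, qname string)) (*LoopDetector, error) {
	if threshold < 1 {
		return nil, fmt.Errorf("threshold must be >= 1, got %d", threshold)
	}
	name, err := randomProbeName(zone)
	if err != nil {
		return nil, err
	}
	return &LoopDetector{Zone: zone, probeName: name, threshold: threshold, onLoop: onLoop}, nil
}

// randomProbeName draws 128 bits from crypto/rand, so the qname cannot be
// derived from the clock or from earlier outputs the way a seeded math/rand
// sequence can. Name shape (constructed): "<16 hex>.<16 hex>.<zone>."
func randomProbeName(zone string) (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("crypto/rand: %w", err)
	}
	zone = strings.TrimSuffix(strings.ToLower(zone), ".")
	return hex.EncodeToString(buf[:8]) + "." + hex.EncodeToString(buf[8:]) + "." + zone + ".", nil
}

// Observe is called for each inbound query and reports whether this query
// completed the loop heuristic. Non-probe traffic, and any traffic after the
// detector has disabled itself, is ignored.
func (d *LoopDetector) Observe(qname, qtype string) bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	normalized := strings.TrimSuffix(qname, ".") + "."
	if d.disabled || !strings.EqualFold(qtype, "HINFO") || !strings.EqualFold(normalized, d.probeName) {
		return false
	}
	d.matches++
	if d.matches < d.threshold {
		return false
	}
	// Fail closed for this zone only: mark disabled and notify, never exit.
	d.disabled = true
	if d.onLoop != nil {
		d.onLoop(d.Zone, d.probeName)
	}
	return true
}

// Disabled reports whether a loop has been declared for this zone.
func (d *LoopDetector) Disabled() bool {
	d.mu.Lock()
	defer d.mu.Unlock()
	return d.disabled
}

// ProbeName exposes the secret name to the self-test sender only; it must not
// be written to logs, because a logged qname is the starting point of the
// attack described in this advisory.
func (d *LoopDetector) ProbeName() string { return d.probeName }

func main() {
	d, err := NewLoopDetector("cluster.local.", 3, func(zone, _ string) {
		// Log the zone, not the probe name.
		fmt.Printf("loop suspected for zone %s; detector disabled, process continues\n", zone)
	})
	if err != nil {
		panic(err)
	}
	for i := 1; i <= 3; i++ {
		fmt.Printf("probe query %d -> loop=%v\n", i, d.Observe(d.ProbeName(), "HINFO"))
	}
	fmt.Println("server still running; detector disabled:", d.Disabled())
}
```

The threshold and the per-zone disable are policy choices made for the example; the point they demonstrate is that the failure mode of a loop check should be "stop forwarding for this zone and alert", which an attacker cannot escalate into a full outage even if they somehow learn the probe name.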

Remediation

Users can upgrade to CoreDNS version 1.14.2 or later, where this vulnerability has been patched.

Added: Mar 6, 2026, 4:20 PM
Updated: Mar 6, 2026, 4:20 PM

Vulnerability Rating

Custom Algorithm

  spread          6.8
  impact          2.5
  exploitability  6.9
  remediation     7.7
  relevance       3.5
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.