CoreDNS
cpe:2.3:a:coredns.io:coredns:*:*:*:*:*:*:*
- < 1.14.3
A denial-of-service vulnerability has been identified in CoreDNS versions prior to 1.14.3. The issue arises in the DNS-over-HTTPS (DoH) GET path, which accepts oversized 'dns=' query parameter values. Unlike the POST path, which enforces a size limit, the GET path performs no such validation before processing these oversized requests. This oversight allows remote, unauthenticated attackers to send large DoH GET requests, causing excessive CPU usage, significant memory allocations, increased garbage collection, and higher peak memory consumption. Although the server ultimately rejects these requests with a '400 Bad Request' response, the costly processing has already taken place by then, leading to a denial-of-service condition, particularly in memory-constrained or heavily loaded environments.
Exploitation of this vulnerability causes elevated CPU usage, large temporary memory allocations, increased garbage collection pressure, and higher peak resident memory usage. This degradation in performance and responsiveness can create a denial-of-service risk, especially in deployments with limited memory or high traffic.
The vulnerability can be reproduced by sending oversized DNS-over-HTTPS GET requests to the CoreDNS server. This can be done using a proof-of-concept script that encodes a large payload into the 'dns=' query parameter, effectively bypassing the server's request validation and causing significant resource consumption before the request is eventually rejected.
Users can upgrade to CoreDNS version 1.14.3 or later, where this vulnerability has been fixed.
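The defect class described above (a size check applied only after the expensive decode, or only on one of two equivalent request paths) is easy to see in a small handler. The following Go example is added here for illustration and is not CoreDNS code; the handler, the `dohGetResult` type, and the limits (65535 bytes per DNS message, hence 87380 base64url characters) are assumptions chosen for the example. The `strict=false` mode models the flawed ordering and still returns 400, but only after allocating and decoding the whole parameter; `strict=true` rejects on the encoded length before touching the payload.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Limits assumed for this example (not CoreDNS's own constants): a DNS
// message is at most 65535 bytes, so its unpadded base64url form (RFC 8484)
// is at most EncodedLen(65535) = 87380 characters.
const maxDNSMessageBytes = 65535

var maxEncodedDNSParam = base64.RawURLEncoding.EncodedLen(maxDNSMessageBytes) // 87380

// dohGetResult records what the handler did so the cost of the two
// strategies can be compared: the HTTP status, and how many bytes were
// decoded before the decision was reached.
type dohGetResult struct {
	Status       int
	DecodedBytes int
}

// handleDoHGet processes a DoH GET request (?dns=<base64url message>).
// strict=false models the flawed order: decode first, size-check afterwards,
// so an oversized parameter costs a full allocation and decode before the 400.
// strict=true rejects on the encoded length before any allocation.
func handleDoHGet(strict bool, w http.ResponseWriter, r *http.Request) dohGetResult {
	param := r.URL.Query().Get("dns")
	if param == "" {
		http.Error(w, "missing dns parameter", http.StatusBadRequest)
		return dohGetResult{Status: http.StatusBadRequest}
	}
	if strict && len(param) > maxEncodedDNSParam {
		// O(1) check on the encoded length: nothing has been allocated yet.
		http.Error(w, "dns parameter too large", http.StatusBadRequest)
		return dohGetResult{Status: http.StatusBadRequest}
	}
	// DecodeString allocates DecodedLen(len(param)) bytes and scans the whole
	// input; this is the expensive step the strict check avoids.
	msg, err := base64.RawURLEncoding.DecodeString(param)
	if err != nil {
		http.Error(w, "malformed dns parameter", http.StatusBadRequest)
		return dohGetResult{Status: http.StatusBadRequest}
	}
	if len(msg) > maxDNSMessageBytes {
		// The lax path only discovers the problem here, after paying for it.
		http.Error(w, "dns message too large", http.StatusBadRequest)
		return dohGetResult{Status: http.StatusBadRequest, DecodedBytes: len(msg)}
	}
	// Resolution is out of scope for this example: echo the wire message
	// back with the DoH content type as a placeholder response.
	w.Header().Set("Content-Type", "application/dns-message")
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(msg)
	return dohGetResult{Status: http.StatusOK, DecodedBytes: len(msg)}
}

// simulateDoHGet runs one GET /dns-query?dns=<encoded> through the handler
// in-process (no network) and returns what it did.
func simulateDoHGet(strict bool, encoded string) dohGetResult {
	req := httptest.NewRequest(http.MethodGet,
		"/dns-query?dns="+url.QueryEscape(encoded), nil)
	rec := httptest.NewRecorder()
	return handleDoHGet(strict, rec, req)
}

// encodeDNSMessage produces the ?dns= value for a raw DNS message
// (base64url without padding, as RFC 8484 requires).
func encodeDNSMessage(msg []byte) string {
	return base64.RawURLEncoding.EncodeToString(msg)
}

func main() {
	// Constructed sample: a 12-byte DNS header (ID 0x1234, RD set, QDCOUNT 1)
	// with no question section; enough to exercise the size checks.
	small := encodeDNSMessage([]byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0})
	// Constructed oversized value: 200000 base64url characters, past the cap.
	huge := strings.Repeat("A", 200000)

	for _, strict := range []bool{false, true} {
		fmt.Printf("strict=%v small -> %+v\n", strict, simulateDoHGet(strict, small))
		fmt.Printf("strict=%v huge  -> %+v\n", strict, simulateDoHGet(strict, huge))
	}
}
```

Both modes answer the oversized request with 400, which is why the symptom in the advisory is resource consumption rather than a wrong response: only the decoded byte count differs (150000 bytes allocated and scanned in lax mode, none in strict mode). Applying the same bound to the GET parameter that the POST body already has is the whole fix. As defence in depth, `http.Server.MaxHeaderBytes` caps the bytes read for the request line and headers (default 1 MiB), which bounds the URL before the handler ever sees it; a tighter value at a reverse proxy limits the query string long before any decoding.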