CoreDNS TSIG Authentication Bypass Vulnerability in DoT, DoH, DoH3, DoQ, and gRPC Transports

Vulnerability

A vulnerability in CoreDNS versions prior to 1.14.3 allows for TSIG authentication bypass on non-plain-DNS transports, including DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over HTTPS version 3 (DoH3), DNS over QUIC (DoQ), and gRPC. The issue arises because the TSIG plugin relies on the transport writer's TsigStatus() for validation, rather than performing its own verification. This flaw enables an unauthenticated remote client to bypass TSIG-based authentication and access resources meant to be restricted under a 'tsig require all' policy. The vulnerability does not affect plain DNS over TCP or UDP.

Impact

Exploitation of this vulnerability allows unauthenticated remote clients to bypass TSIG-based authentication and authorization on encrypted transports, gaining access to resources that were intended to be restricted, such as zone data or privileged queries.

Reproduction

The vulnerability can be reproduced by sending an invalid TSIG signature over an affected transport, such as DoT or DoH. CoreDNS will accept the request, bypassing the TSIG authentication, while plain DNS over TCP will correctly reject it. This can be automated with a Python script that interacts with the CoreDNS server using the vulnerable transport protocols.

Remediation

Users can upgrade to CoreDNS version 1.14.3, which includes the necessary TSIG verification for DoH, DoH3, QUIC, and gRPC transports.
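The root cause described above (a policy plugin trusting a transport writer's TsigStatus() instead of verifying the signature itself) and the shape of the fix (verifying independently of the transport) are easier to see side by side. The following Go program is an added, self-contained model written for this page; it is not CoreDNS or miekg/dns code. The Request type, the transport names, the key name "axfr-key." and the shared secret are constructed assumptions, and the MAC here is a plain HMAC-SHA256 over the message bytes rather than the full RFC 8945 TSIG digest, which also covers key name, algorithm and timing fields.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Transport identifies how a request arrived (names are assumptions for this model).
type Transport string

const (
	TransportUDP  Transport = "udp"
	TransportTCP  Transport = "tcp"
	TransportDoT  Transport = "tls"
	TransportDoH  Transport = "https"
	TransportDoH3 Transport = "h3"
	TransportDoQ  Transport = "quic"
	TransportGRPC Transport = "grpc"
)

// Request models an inbound DNS message: the bytes the MAC covers, the key
// name the client claims, and the MAC the client attached (nil = no TSIG).
type Request struct {
	Transport Transport
	Wire      []byte
	KeyName   string
	MAC       []byte
}

var (
	errNoTSIG     = errors.New("tsig: no TSIG record")
	errUnknownKey = errors.New("tsig: unknown key")
	errBadSig     = errors.New("tsig: bad signature")
)

// verifyTSIG recomputes the MAC under the named key and compares in constant
// time. This is the check a policy plugin must own itself.
func verifyTSIG(req *Request, keys map[string][]byte) error {
	if req.MAC == nil {
		return errNoTSIG
	}
	secret, ok := keys[req.KeyName]
	if !ok {
		return errUnknownKey
	}
	m := hmac.New(sha256.New, secret)
	m.Write(req.Wire)
	if subtle.ConstantTimeCompare(m.Sum(nil), req.MAC) != 1 {
		return errBadSig
	}
	return nil
}

// responseWriter mimics a transport-specific writer exposing TsigStatus().
// Modeled bug: only the plain-DNS writers verify; the others never check and
// therefore report "no error" for every request.
type responseWriter struct {
	req  *Request
	keys map[string][]byte
}

func (w *responseWriter) TsigStatus() error {
	switch w.req.Transport {
	case TransportUDP, TransportTCP:
		return verifyTSIG(w.req, w.keys)
	default:
		return nil // encrypted transports: nothing was verified
	}
}

// requireAllVulnerable models 'tsig require all' that trusts the writer.
func requireAllVulnerable(w *responseWriter) bool { return w.TsigStatus() == nil }

// requireAllFixed verifies the signature itself, regardless of transport.
func requireAllFixed(w *responseWriter) bool { return verifyTSIG(w.req, w.keys) == nil }

// SignFor produces a valid MAC for a message under keyName (legitimate client).
func SignFor(keys map[string][]byte, keyName string, wire []byte) []byte {
	m := hmac.New(sha256.New, keys[keyName])
	m.Write(wire)
	return m.Sum(nil)
}

// Outcome records whether each policy implementation admits a request.
type Outcome struct{ Vulnerable, Fixed bool }

// Evaluate runs one request through both implementations.
func Evaluate(req *Request, keys map[string][]byte) Outcome {
	w := &responseWriter{req: req, keys: keys}
	return Outcome{Vulnerable: requireAllVulnerable(w), Fixed: requireAllFixed(w)}
}

func main() {
	keys := map[string][]byte{"axfr-key.": []byte("constructed-shared-secret")} // constructed
	wire := []byte("constructed AXFR request bytes")                             // stands in for the DNS message
	forged := []byte("not-a-real-mac")
	cases := []Request{
		{TransportTCP, wire, "axfr-key.", forged},
		{TransportDoT, wire, "axfr-key.", forged},
		{TransportDoH, wire, "axfr-key.", nil},
		{TransportDoQ, wire, "axfr-key.", SignFor(keys, "axfr-key.", wire)},
	}
	for i := range cases {
		o := Evaluate(&cases[i], keys)
		fmt.Printf("%-5s has_mac=%-5t vulnerable_admits=%-5t fixed_admits=%t\n",
			cases[i].Transport, cases[i].MAC != nil, o.Vulnerable, o.Fixed)
	}
}
```

Running it shows the asymmetry the advisory describes: a forged or absent MAC is rejected by both implementations over TCP, admitted by the writer-trusting implementation over DoT, DoH, DoH3, DoQ and gRPC, and rejected by the implementation that verifies for itself; a correctly signed request is admitted by both. The design point for a defender is that an authorization decision must never depend on a status value that some code path can leave at its zero value.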

Added: May 5, 2026, 8:47 PM
Updated: May 5, 2026, 8:47 PM

Vulnerability Rating

Custom Algorithm

  spread          6.8
  impact          5.0
  exploitability  9.1
  remediation     7.7
  relevance       7.5
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.