CoreDNS Transfer Plugin ACL Bypass Vulnerability Allowing Unauthorized Zone Transfers

A vulnerability in CoreDNS versions prior to 1.14.3 allows for an unauthorized remote client to perform zone transfers (AXFR/IXFR) from a subzone. This occurs because the transfer plugin incorrectly selects the applicable Access Control List (ACL) rules. When both a parent zone and a more-specific subzone are present, the plugin's longestMatch() function uses lexicographic string comparison rather than the intended longest-suffix match. Consequently, a permissive transfer rule from the parent zone can override a stricter rule in the subzone, depending on the alphabetical order of the zone names. The issue has been resolved in CoreDNS version 1.14.3.

Impact

Exploitation of this vulnerability allows for unauthorized zone transfers, exposing the full contents of the subzone to a remote client. This bypasses intended restrictions and can lead to unauthorized access to potentially sensitive DNS information.

Reproduction

To reproduce this vulnerability, first ensure that CoreDNS is running a version prior to 1.14.3. Then, configure a parent zone with a permissive transfer rule and a subzone with a restrictive rule. The vulnerability can be demonstrated by requesting an AXFR transfer for the subzone, which should be denied under normal circumstances. However, with the incorrect ACL selection, the transfer will be allowed, exposing the subzone contents.

Remediation

Users can upgrade to CoreDNS version 1.14.3 or later, where this vulnerability has been fixed.