Executive Summary

This vulnerability affects CoreDNS versions prior to 1.14.3 in the DNS-over-HTTPS (DoH) GET request handling. The GET path accepts oversized "dns=" query parameter values without proper size validation before processing. As a result, the server performs expensive operations like URL query parsing, base64 decoding, and DNS message unpacking on these large inputs before rejecting them.

Unlike the POST path, which limits request size to 65536 bytes, the GET path lacks such bounds, allowing an attacker to send very large requests. This leads to high CPU usage, large transient memory allocations, and increased garbage collection pressure.

A remote, unauthenticated attacker can exploit this by repeatedly sending oversized DoH GET requests, causing denial of service due to resource exhaustion. The issue was fixed in CoreDNS version 1.14.3.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition on affected CoreDNS servers. An attacker can remotely and without authentication send specially crafted oversized DoH GET requests that cause the server to consume excessive CPU and memory resources.

The resulting high CPU usage, large memory allocations, and increased garbage collection pressure can degrade server performance or cause it to become unresponsive, impacting availability of DNS services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage, large transient memory allocations, and elevated garbage-collection pressure on CoreDNS servers handling DNS-over-HTTPS (DoH) GET requests.

Specifically, detection involves identifying oversized DoH GET requests with large "dns=" query parameters that cause extensive processing before rejection.

Network monitoring tools or packet capture utilities can be used to filter and inspect HTTP GET requests to the DoH endpoint for abnormally large "dns=" query parameters.

• Use tcpdump or Wireshark to capture and filter HTTP GET requests to the DoH endpoint, for example: tcpdump -i <interface> -A 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /dns-query?dns='
• Use monitoring commands like top, htop, or ps to observe high CPU and memory usage by the CoreDNS process.
• Check CoreDNS logs for repeated 400 Bad Request responses triggered by oversized DoH GET requests.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation is to upgrade CoreDNS to version 1.14.3 or later, where this vulnerability has been fixed by adding size validation on the DoH GET path.

Until the upgrade can be applied, consider implementing network-level protections such as rate limiting or filtering oversized DoH GET requests to reduce the impact of potential attacks.

Additionally, monitor system resource usage closely to detect and respond to abnormal spikes caused by exploitation attempts.

Useful 0 Not Useful 0