
A critical denial-of-service (DoS) vulnerability has been identified in CoreDNS, the modular DNS server widely deployed in cloud-native and containerized environments. Tracked as CVE-2025-47950, the flaw affects the DNS-over-QUIC (DoQ) implementation and allows an unauthenticated remote attacker to exhaust server memory through a QUIC stream amplification attack, potentially leading to an out-of-memory (OOM) crash.
“The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines,” the CoreDNS team explained in their security advisory.
The vulnerability exists in CoreDNS versions prior to 1.12.2, and specifically impacts deployments where quic:// is enabled in the Corefile. By flooding the server with a large number of QUIC streams, a remote attacker can trigger unbounded goroutine creation and rapid memory consumption, crashing the service—especially in memory-constrained or containerized environments.
“A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU,” the advisory warns.
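To make the failure mode concrete, here is an added Go model of the two dispatch designs the advisory contrasts: the pre-fix shape, where every accepted QUIC stream gets its own goroutine with no cap, and a bounded design with a per-connection stream limit and a server-wide worker limit. This is example code written for this page, not CoreDNS source; the type names, the default values being used as limits, and the choice to refuse excess streams rather than block are this example's own assumptions.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// Constructed illustration (not CoreDNS code) of a per-connection stream cap
// and a bounded worker pool. The limit values mirror the defaults the
// advisory describes; everything else is this example's own design.
const (
	DefaultMaxStreams     = 256
	DefaultWorkerPoolSize = 1024
)

// Conn counts the streams currently being handled on one QUIC connection so
// that a single peer cannot open an unbounded number of them.
type Conn struct {
	maxStreams int32
	active     int32
}

func NewConn(maxStreams int) *Conn { return &Conn{maxStreams: int32(maxStreams)} }

// acquireStream reserves a slot; it fails once maxStreams are active.
func (c *Conn) acquireStream() bool {
	for {
		cur := atomic.LoadInt32(&c.active)
		if cur >= c.maxStreams {
			return false
		}
		if atomic.CompareAndSwapInt32(&c.active, cur, cur+1) {
			return true
		}
	}
}

func (c *Conn) releaseStream() { atomic.AddInt32(&c.active, -1) }

// Pool bounds the number of stream handlers server-wide with a semaphore:
// at most cap(sem) handler goroutines exist, however many connections or
// streams peers open. This is the invariant the unbounded design lacked.
type Pool struct {
	sem chan struct{}
	wg  sync.WaitGroup
}

func NewPool(size int) *Pool { return &Pool{sem: make(chan struct{}, size)} }

// TrySubmit runs job on a worker if one is free and reports false otherwise.
// Refusing instead of blocking keeps the accept loop from piling up too.
func (p *Pool) TrySubmit(job func()) bool {
	select {
	case p.sem <- struct{}{}:
	default:
		return false
	}
	p.wg.Add(1)
	go func() {
		defer p.wg.Done()
		defer func() { <-p.sem }()
		job()
	}()
	return true
}

// Running reports how many handlers are executing right now.
func (p *Pool) Running() int { return len(p.sem) }

// Wait blocks until every submitted job has finished.
func (p *Pool) Wait() { p.wg.Wait() }

// Stats summarises how a flood of stream-open attempts was handled.
type Stats struct {
	Accepted, StreamLimited, PoolSaturated int
}

// Flood models an attacker opening n streams round-robin over conns. Each
// accepted stream blocks in its handler until release is closed, mimicking
// slow queries piling up, which is when the unbounded design ran out of memory.
func Flood(conns []*Conn, pool *Pool, n int, release <-chan struct{}) Stats {
	var st Stats
	for i := 0; i < n; i++ {
		c := conns[i%len(conns)]
		if !c.acquireStream() {
			st.StreamLimited++
			continue
		}
		ok := pool.TrySubmit(func() {
			defer c.releaseStream()
			<-release
		})
		if !ok {
			c.releaseStream() // give the slot back; the peer gets a refusal
			st.PoolSaturated++
			continue
		}
		st.Accepted++
	}
	return st
}

// Unbounded reproduces the pre-fix shape for contrast: a goroutine per stream
// and no cap, so live handlers simply equal the number of streams opened.
// It returns that count once all of them have started.
func Unbounded(n int, release <-chan struct{}) int32 {
	var started sync.WaitGroup
	var live int32
	started.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			atomic.AddInt32(&live, 1)
			started.Done()
			<-release
		}()
	}
	started.Wait()
	return atomic.LoadInt32(&live)
}

func main() {
	release := make(chan struct{})
	pool := NewPool(DefaultWorkerPoolSize)
	one := []*Conn{NewConn(DefaultMaxStreams)}
	fmt.Printf("bounded, one connection, 10000 streams: %+v running=%d\n",
		Flood(one, pool, 10000, release), pool.Running())
	fmt.Printf("unbounded, 10000 streams: %d live goroutines\n", Unbounded(10000, release))
	close(release)
	pool.Wait()
}
```

With the handlers stalled, a single connection ends up with exactly 256 streams in flight and the remaining 9,744 refused, while the unbounded variant holds one goroutine (and one stack) per stream. Spreading the flood over several connections, each under its own stream cap, still cannot push the server past the worker limit, which is why both controls are needed: the stream cap protects against one abusive connection, the pool against many.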
The patch, released in version 1.12.2, introduces two safeguards:
- **max_streams**: Limits the number of concurrent QUIC streams per connection. Default value: 256.
- **worker_pool_size**: Establishes a bounded worker pool to manage stream processing. Default value: 1024.
Together these replace the previous 1:1 stream-to-goroutine model with a bounded design, so that CoreDNS stays responsive under high stream concurrency instead of growing memory without limit. Users can configure both values within the quic block in the Corefile.
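An added example of what such a configuration looks like; it is not taken from the advisory or the CoreDNS documentation. It assumes the quic block sits inside a quic:// server block alongside the usual tls and forward directives, that each option takes a single integer argument, and that the certificate paths and upstream address are placeholders. The values shown are the documented defaults; memory-constrained deployments would lower them.

```corefile
# Added example, not from the advisory: DoQ on port 853 with the
# 1.12.2 limits set explicitly (these are the defaults).
# Certificate paths and the upstream are placeholders.
quic://.:853 {
    tls /etc/coredns/cert.pem /etc/coredns/key.pem
    quic {
        # per-connection cap on concurrent streams
        max_streams 256
        # server-wide cap on stream-handling workers
        worker_pool_size 1024
    }
    forward . 10.0.0.53
}
```

Because the limits only exist in 1.12.2 and later, an older binary will reject the quic block at startup; that makes the block itself a cheap check that the upgrade actually landed.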
For users who cannot upgrade immediately, CoreDNS suggests the following interim measures:
- Disable QUIC by removing or commenting out the quic:// block in the Corefile.
- Use container runtime resource limits to detect and isolate memory overuse.
- Monitor QUIC traffic to identify abnormal connection patterns.
Only deployments that have explicitly enabled QUIC support are affected. Organizations using standard DNS-over-UDP/TCP setups are not impacted by this vulnerability.