How CVE-2026-33489 Works
This vulnerability lies in CoreDNS’s `transfer` plugin, which handles DNS zone transfers (AXFR/IXFR). When both a parent zone (e.g., example.org.) and a more-specific subzone (e.g., a.example.org.) are configured with different ACL rules, the plugin’s zone selection logic fails.
The `longestMatch()` function in `plugin/transfer/transfer.go` is documented to select the "longest zone match". However, it uses a simple lexicographic string comparison (`if z > zone`) rather than a true suffix-match algorithm to determine the winner.
Consequently, when comparing `"example.org."` and `"a.example.org."`, the comparison `"example.org." > "a.example.org."` evaluates to true because the dot (.) is lexicographically greater than the letter 'a'. This causes the parent zone's ACL stanza to be selected over the intended, more-specific child zone's stanza, even though the child zone has a longer matching suffix for the query `a.example.org.`. This bypass is data-dependent and operationally non-intuitive for administrators.
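To make the selection bug concrete, the following is an added Go example, not CoreDNS's own `longestMatch()` code: the function names, the `isSubDomain` helper and the zone list are constructed for illustration. It places a lexicographic pick of the kind described above beside a longest-suffix pick, so a defender can see why the parent zone wins for `a.example.org.` and what the corrected selection returns for the same query.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed zone list: a parent zone and a more-specific subzone,
// mirroring the configuration the advisory describes.
var configuredZones = []string{"example.org.", "a.example.org."}

// isSubDomain reports whether name equals zone or lies below it, comparing
// on label boundaries so that "bexample.org." is not under "example.org.".
func isSubDomain(zone, name string) bool {
	zone = strings.ToLower(zone)
	name = strings.ToLower(name)
	if zone == "." || name == zone {
		return true
	}
	return strings.HasSuffix(name, "."+zone)
}

// labelCount returns the number of labels in a fully qualified zone name.
func labelCount(z string) int {
	if z == "." {
		return 0
	}
	return strings.Count(strings.TrimSuffix(z, "."), ".") + 1
}

// longestMatchLexicographic models the flawed selection: among the zones
// that contain the query name, the "winner" is the string that compares
// greatest, which has nothing to do with how much of the name it matches.
func longestMatchLexicographic(zones []string, qname string) string {
	var best string
	for _, z := range zones {
		if !isSubDomain(z, qname) {
			continue
		}
		if best == "" || z > best { // plain string comparison
			best = z
		}
	}
	return best
}

// longestMatchSuffix is the corrected selection: among matching zones,
// prefer the one with the most labels, i.e. the longest matching suffix.
func longestMatchSuffix(zones []string, qname string) string {
	var best string
	bestLabels := -1
	for _, z := range zones {
		if !isSubDomain(z, qname) {
			continue
		}
		if n := labelCount(z); n > bestLabels {
			best, bestLabels = z, n
		}
	}
	return best
}

func main() {
	q := "a.example.org."
	fmt.Printf("query %s\n", q)
	fmt.Printf("  lexicographic pick:  %s\n", longestMatchLexicographic(configuredZones, q))
	fmt.Printf("  longest-suffix pick: %s\n", longestMatchSuffix(configuredZones, q))
}
```

Run as-is, the lexicographic variant returns the parent `example.org.` for a query in `a.example.org.`, so whatever ACL is attached to the parent is the one consulted; the suffix variant returns `a.example.org.`. The label-boundary check in `isSubDomain` matters for the fix as well: a comparison that only tested string suffixes would treat `bexample.org.` as lying under `example.org.`.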
An attacker can exploit this by adding a permissive parent-zone transfer rule, overriding a restrictive subzone rule. They can then perform unauthorized AXFR/IXFR requests to retrieve the subzone’s full DNS records.
DailyCVE Form
Platform: CoreDNS
Version: < 1.14.3
Vulnerability: ACL Bypass
Severity: High
Date: 2026-04-28
Prediction: Patch 2026-05-01
What Undercode Say
This flaw fundamentally breaks the principle of least privilege in hierarchical DNS configurations. Administrators relying on CoreDNS for split-horizon or internal subnet isolation are at immediate risk. The fix addresses the core issue: replacing the lexicographic comparison with a true longest-suffix-match algorithm.
Analytics Commands
To audit your CoreDNS setup, use this bash one-liner to inspect your Corefile for potentially dangerous parent/child zone ACL pairs:
# List server-block headers together with the transfer/acl lines beneath them, so parent/subzone pairs can be compared
grep -nE '^[^[:space:]#].*\{[[:space:]]*$|^[[:space:]]*(transfer|acl|allow|block|deny|to)([[:space:]]|$)' /etc/coredns/Corefile
A more robust check using `awk` to compare zone names. It records the zone of each top-level server block (stripping any `:port` and trailing dot), notes which of those zones declare a `transfer` block, and at the end reports every parent/subzone pair in which both zones do:
awk 'd == 0 && /\{[ \t]*$/ { z = $1; sub(/:[0-9]+$/, "", z); sub(/\.$/, "", z) }
     d >= 1 && /^[ \t]*transfer/ { t[z] = 1 }
     { d += gsub(/\{/, "{"); d -= gsub(/\}/, "}") }
     END { for (p in t) for (c in t) if (p != c && substr(c, length(c) - length(p)) == "." p)
           print "Risky: parent zone " p " and subzone " c " both define transfer ACLs" }' /etc/coredns/Corefile
How Exploit
1. Setup Environment: Compile a vulnerable CoreDNS version (< 1.14.3) with the `transfer` plugin enabled.
2. Configure Vulnerable Zones:
   - Zone: `example.org.` with a permissive `transfer` ACL (e.g., `acl { allow net 0.0.0.0/0 }`).
   - Subzone: `a.example.org.` with a restrictive `transfer` ACL (e.g., `acl { deny net 0.0.0.0/0 }`).
3. Execute Attack: From an unauthorized client, use `dig` to request a full zone transfer for the subzone.
   dig @vulnerable-coredns-server a.example.org AXFR
   The expected result is REFUSED, but due to the flaw, the server returns the full zone data.
4. Automation: The publicly available `acl-repro.py` Proof-of-Concept (PoC) script automates this reproduction.
Protection from this CVE
- Immediate Action: Upgrade CoreDNS to version 1.14.3 or later, which contains the official patch that corrects the zone selection logic.
- Workaround (If Patching is Delayed): Avoid configuring overlapping zone definitions with conflicting access rules on the same server block. Implement strict network-level ACLs (e.g., firewalls) to restrict which IPs can initiate AXFR requests to your CoreDNS server.
- Verify the Patch: After upgrading, re-run the `acl-repro.py` script to confirm the vulnerability is resolved. The expected output should show `REFUSED` in both baseline and candidate test scenarios.
Impact
Successful exploitation allows an unauthorized remote attacker to bypass DNS access controls and retrieve the complete contents of a protected subzone via AXFR/IXFR requests. This can lead to information disclosure of internal network topology, service locations, and other sensitive DNS records intended to remain private.
Sources:
Reported By: github.com