Listen to this Post
The vulnerability resides in the loop plugin of CoreDNS, which is designed to detect forwarding loops by performing a self-test during startup. It generates a random query name (qname) using Go’s math/rand package seeded with time.Now().UnixNano(), making the qname predictable if an attacker knows the approximate server start time. During the self-test, the plugin sends an HINFO query with this qname to itself. If the plugin receives three or more matching queries, it calls log.Fatalf(), which invokes os.Exit(1) and terminates the CoreDNS process immediately without recovery. An attacker who can observe the qname (e.g., via logs in a shared Kubernetes cluster) can send three crafted HINFO queries with that qname, crashing the server. The attack window is extended when the upstream DNS server is unreachable, causing the self-test to retry for up to 30 seconds with the same qname, making exploitation easier. This leads to a complete denial of service for all DNS resolution in the cluster, causing cascading application failures.
dailycve form:
Platform: CoreDNS
Version: before 1.9.1
Vulnerability: DoS via loop plugin
Severity: Critical
date: 2022-04-12
Prediction: Patched in 1.9.1
What Undercode Say:
Analytics:
Monitor CoreDNS logs for repeated HINFO queries
kubectl logs -n kube-system -l k8s-app=kube-dns | grep HINFO | awk '{print $NF}' | sort | uniq -c
Check for sudden CoreDNS restarts
kubectl get pods -n kube-system -l k8s-app=kube-dns -o wide | grep CrashLoopBackOff
Exploit:
Step 1: Observe the qname from logs during self-test failure Step 2: Send three HINFO queries with that qname to crash CoreDNS dig CH HINFO <observed-qname> @<coredns-ip> +short dig CH HINFO <observed-qname> @<coredns-ip> +short dig CH HINFO <observed-qname> @<coredns-ip> +short
Protection:
Upgrade CoreDNS to version 1.9.1 or later kubectl set image deployment/coredns -n kube-system coredns=k8s.gcr.io/coredns/coredns:v1.9.1 Alternatively, disable loop plugin if not needed Edit Corefile and remove 'loop' from plugins, then restart
Impact:
Check DNS resolution failure across cluster kubectl run test-pod --image=busybox --rm -it --restart=Never -- nslookup kubernetes.default.svc.cluster.local Observe service discovery breakdown kubectl get events -A --field-selector reason=FailedDNS
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

