CoreDNS Vulnerability Enables Memory Exhaustion Through Unbounded QUIC Stream Handling

A high-severity denial-of-service (DoS) vulnerability has been discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation that lets unauthenticated remote attackers exhaust server memory.

The flaw stems from the server's unbounded creation of goroutines for incoming QUIC streams, which lets an attacker drive the popular DNS server to an out-of-memory (OOM) crash through plain resource exhaustion.

Security researchers identified a design flaw in CoreDNS's DNS-over-QUIC implementation, located in the server_quic.go component.

It arises from the server creating a dedicated goroutine for every incoming QUIC stream without any limit on the number of concurrent streams or goroutines.

This 1:1 stream-to-goroutine model is an exploitable attack surface: a malicious client can deliberately open large numbers of streams and let the per-stream goroutines consume the available memory.

The attack itself is simple: the attacker establishes QUIC connections to the server and opens many streams within each connection.

Because CoreDNS spawns a new goroutine for each stream without bounds checking, the server's memory consumption grows in proportion to the number of open streams, while each stream costs the attacker almost nothing.

This unbounded allocation pattern is especially dangerous in containerized environments and on memory-constrained systems, where exhaustion quickly turns into service disruption.


The vulnerability is rated high severity because of its low attack complexity and its significant impact on availability.

It can be exploited remotely over the network without authentication or user interaction, which makes it an attractive target for threat actors seeking to disrupt DNS services.

Attack complexity is low: exploitation requires little technical expertise and can be carried out with standard QUIC client tooling.

Organizations running CoreDNS with a quic:// server block enabled in their Corefile are exposed; deployments that do not serve DoQ are not affected.

A single attacker can render an entire CoreDNS instance unresponsive while spending minimal bandwidth and CPU, an asymmetric attack in which a small effort yields disproportionate damage.

The issue is especially concerning for critical infrastructure and enterprise environments where DNS availability is essential for operational continuity.

Memory-constrained deployments, including containerized instances and cloud environments with resource limits, face a heightened risk of OOM kills that can cascade into broader service outages.

Mitigations

CoreDNS developers have released patches introducing two mitigation mechanisms.

The first, max_streams, caps the number of concurrent QUIC streams per connection, with a default of 256.

The second, worker_pool_size, introduces a server-wide bounded worker pool that processes incoming streams, with a default of 1024 workers.

Together they replace the 1:1 stream-to-goroutine model with bounded resource usage, so the server keeps operating under high concurrency instead of growing without limit.
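The following Go program is an added illustration of the two behaviours described above, the goroutine-per-stream dispatch that the attack relies on and the bounded dispatch the patch introduces. It is not CoreDNS code: the Server, Stream, Accept, Flood and Stats names are this example's own, a stream is reduced to a pair of identifiers, and the per-connection cap is modelled as an explicit refusal where a real QUIC stack might enforce it at the transport layer. What it shows is the mechanism: with both limits at zero every stream becomes a parked goroutine, with max_streams only 256 of 10,000 streams on one connection get a goroutine, and with worker_pool_size the number of live handlers never exceeds the pool size however many streams arrive.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Stream stands in for one incoming QUIC stream carrying a DNS query.
type Stream struct{ ConnID, StreamID int }

// Server models a DoQ server's stream-dispatch path (illustrative, not CoreDNS's
// own code). Leaving either limit at 0 reproduces the unbounded behaviour.
type Server struct {
	MaxStreams int           // open streams allowed per connection; 0 = unlimited
	slots      chan struct{} // worker pool: one token per running handler; nil = unbounded
	wg         sync.WaitGroup
	mu         sync.Mutex
	open       map[int]int // open streams per connection
	cur, peak  int         // handler goroutines alive now / high-water mark
	handled    int
}

func NewServer(maxStreams, workerPoolSize int) *Server {
	s := &Server{MaxStreams: maxStreams, open: map[int]int{}}
	if workerPoolSize > 0 {
		s.slots = make(chan struct{}, workerPoolSize)
	}
	return s
}

// Accept is what a connection's accept loop calls for every new stream.
func (s *Server) Accept(st Stream, handler func(Stream)) error {
	s.mu.Lock() // max_streams: refuse once this connection has its quota open
	if s.MaxStreams > 0 && s.open[st.ConnID] >= s.MaxStreams {
		s.mu.Unlock()
		return fmt.Errorf("conn %d: max_streams %d reached", st.ConnID, s.MaxStreams)
	}
	s.open[st.ConnID]++
	s.mu.Unlock()
	// worker_pool_size: a full pool blocks the accept loop (back-pressure on
	// the peer) instead of spawning a goroutine the server cannot afford.
	if s.slots != nil {
		s.slots <- struct{}{}
	}
	s.wg.Add(1)
	go func() {
		defer s.wg.Done()
		s.mu.Lock()
		s.cur++
		if s.cur > s.peak {
			s.peak = s.cur
		}
		s.mu.Unlock()
		handler(st)
		s.mu.Lock()
		s.cur--
		s.open[st.ConnID]--
		s.handled++
		s.mu.Unlock()
		if s.slots != nil {
			<-s.slots // release the slot only after the handler has finished
		}
	}()
	return nil
}

func (s *Server) Wait() { s.wg.Wait() }

// Stats reports streams handled and the peak number of concurrent handlers.
func (s *Server) Stats() (handled, peak int) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.handled, s.peak
}

// Flood opens n streams on one connection as fast as the server allows, the
// way a single malicious client would, and reports accepted/refused counts.
func Flood(s *Server, connID, n int, handler func(Stream)) (accepted, rejected int) {
	for i := 0; i < n; i++ {
		if s.Accept(Stream{ConnID: connID, StreamID: i}, handler) != nil {
			rejected++
		}
	}
	return n - rejected, rejected
}

func main() {
	// Handlers stall until released, so every accepted stream stays resident:
	// a parked goroutine still owns its stack, which is what pins memory.
	release := make(chan struct{})
	stall := func(Stream) { <-release }
	for _, s := range []*Server{NewServer(0, 0), NewServer(256, 0)} {
		acc, rej := Flood(s, 1, 10000, stall)
		fmt.Printf("max_streams=%d: accepted=%d rejected=%d\n", s.MaxStreams, acc, rej)
	}
	close(release)
	pooled := NewServer(0, 1024) // the pool caps live handlers whatever arrives
	Flood(pooled, 1, 5000, func(Stream) { time.Sleep(time.Millisecond) })
	pooled.Wait()
	handled, peak := pooled.Stats()
	fmt.Printf("worker_pool_size=1024: handled=%d peak handlers=%d\n", handled, peak)
}
```

The important design point is the order in Accept: both checks happen before the goroutine exists, and the pool token is released only after the handler returns, so memory is bounded by the pool size rather than by how fast the attacker can open streams. The cost of the bounded version is back-pressure, which a legitimate client experiences as queued rather than failed queries.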

Both options are set in the quic block of the Corefile, so administrators can tune the limits to their deployment. Lowering them reduces the memory an attacker can pin, at the cost of capacity for legitimate DoQ clients.
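As an added example of that configuration (not taken from the article or from the CoreDNS project's own documentation), a Corefile server block that serves DoQ with both limits set explicitly at their defaults. The listen address, the certificate and key paths and the upstream resolver are placeholders to be replaced with site values; the quic block and its two options are the point.

```text
# DoQ listener on port 853; cert/key paths and upstream are placeholders
quic://.:853 {
    tls /etc/coredns/tls/cert.pem /etc/coredns/tls/key.pem
    quic {
        # per-connection cap on concurrent streams
        max_streams 256
        # server-wide bound on stream-handling workers
        worker_pool_size 1024
    }
    forward . /etc/resolv.conf
}
```

Writing the values out even at their defaults keeps the limits visible in configuration review and produces a readable diff when they are later tuned.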

For organizations unable to upgrade immediately, several workarounds are available. The most immediate is to disable QUIC support by removing or commenting out the quic:// server blocks in the Corefile, which takes DoQ offline for legitimate clients until the upgrade is in place.

Container runtime memory limits do not stop the attack, but they contain it: an exhausted instance is OOM-killed and restarted instead of starving everything else on the host. Pair them with monitoring that flags anomalous QUIC connection and stream counts, which is the earliest visible sign of this attack.

These interim measures provide temporary protection while organizations plan the upgrade that applies the permanent fix.


Mayura
Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
