Back to blog
CVE-2026-35579CoreDNSDNSTSIGauth bypassDoHQUICCVE

CoreDNS CVE-2026-35579: TSIG Authentication Bypass on gRPC, QUIC, DoH and DoH3

CoreDNS < 1.14.3 fails to validate the TSIG HMAC on modern transports. AXFR, DDNS and TSIG-gated plugins bypassable without a key. Patch and workaround.

May 11, 20265 min read

CoreDNS — the Go-based DNS server that became Kubernetes' default DNS — has just been hit by a major authentication vulnerability. CVE-2026-35579 (CVSS 9.8) reveals that the modern transports (gRPC, QUIC, DoH, DoH3) never properly validate the TSIG HMAC on incoming requests. Concretely, any attacker can bypass the TSIG protections that secure zone transfers (AXFR/IXFR), dynamic DNS updates, and any TSIG-gated plugin.

On DoH and DoH3 it's even worse: the attacker doesn't even need to know a valid TSIG key name.

Technical Details

TSIG and its purpose

TSIG (Transaction SIGnature, RFC 8945) is the DNS message authentication mechanism via HMAC. It classically protects:

  • Zone transfers (AXFR, IXFR) between primary and secondary servers
  • Dynamic DNS Updates (RFC 2136)
  • CoreDNS plugins configured to require TSIG

Authentication happens in 2 steps:

  1. The server checks that the key name sent matches a configured key
  2. The server checks that the MAC (HMAC) computed on the message matches the expected one

The bug

On gRPC and QUIC

The server does check that the key name exists in the configuration… but never calls dns.TsigVerify() to validate the HMAC. The internal tsigStatus field stays nil, and the tsig plugin treats the request as successfully authenticated regardless of the MAC value.

On DoH and DoH3

Even worse: the DoHWriter.TsigStatus() method always returns nil without inspecting anything. The server doesn't even look at the TSIG record. Any request containing a TSIG record is treated as authenticated, even with an invalid key name and an arbitrary MAC.

// Reconstructed pseudo-code — vulnerable DoH pattern
func (w *DoHWriter) TsigStatus() error {
    return nil  // 🚨 No check at all
}

Characteristics

FieldValue
CVSS 3.19.8 (CRITICAL)
VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWECWE-287 (Improper Authentication)
AuthenticationTSIG completely bypassed
Affected transportsgRPC, QUIC, DoH, DoH3
Unaffected transportsClassic UDP/TCP (port 53)

Affected Products and Versions

ProductAffected versionsPatched version
CoreDNS< 1.14.31.14.3

Check your version:

# Standalone CoreDNS
coredns -version

# Kubernetes
kubectl exec -n kube-system <coredns-pod> -- /coredns -version

# Helm
helm list -A | grep coredns

If you operate CoreDNS as an internal DNS service (Kubernetes, service discovery, DDNS), mandatorily check which transports are enabled in your Corefile.

Exploitation and Impact

Exploitation conditions

Exploitation requires CoreDNS to listen on at least one vulnerable transport (gRPC, QUIC, DoH, DoH3) and at least one protection relying on TSIG.

At-risk configurations:

# Vulnerable Corefile example
. {
    bind 0.0.0.0
    grpc 0.0.0.0:443        # ⚠️ vulnerable transport
    https 0.0.0.0:443       # ⚠️ DoH
    tsig {                  # ⚠️ relies on TSIG
        key zonemaster.key
    }
    file /etc/coredns/zones/db.example.com
    transfer to *
}

Impact

1. Unauthorized zone transfers (AXFR/IXFR)

An attacker can retrieve the full content of every DNS zone you serve: internal names, IPs, hidden infrastructure, mail servers, SRV services. This is the classic first step of a targeted attack (reconnaissance).

2. Malicious dynamic DNS updates (DDNS)

The attacker can add or modify DNS records:

  • Create subdomains pointing to attacker servers (phishing, C2)
  • Modify MX records to intercept mail
  • Poison records for Kaminsky-style attacks

3. TSIG-gated plugin bypass

If you use CoreDNS plugins that only allow certain operations with TSIG (authorization policies, custom plugins), these protections are completely bypassed.

Why DoH/DoH3 are particularly dangerous

On gRPC/QUIC, the attacker at least needs to know a valid TSIG key name (often easy to guess — key1., zonemaster.). On DoH/DoH3, no prior knowledge is required. Exploitation can be launched by any attacker who can reach your DoH server.

Detection and IOCs

CoreDNS logs

Enable request logging:

. {
    log
    # ...
}

Typical indicators:

  • Successful AXFR or IXFR requests from non-authorized IPs
  • Requests containing a TSIG record with an unknown key name (on DoH/DoH3, correlate with positive results)
  • Abnormal volume of successful UPDATE requests from external sources

Log filtering

# Rough detection of AXFR attempts via DoH
grep -E "TYPE_AXFR|TYPE_IXFR" /var/log/coredns/access.log | \
  grep -v "10.0.0.0/8\|172.16.0.0/12\|192.168.0.0/16"

Zone audit

Compare zones served by CoreDNS to a trusted backup:

# If CoreDNS serves zone files
diff /etc/coredns/zones/db.example.com /backup/zones/db.example.com

Any change not aligned with a legitimate admin operation = likely compromise.

Mitigation and Patch

Immediate action: upgrade to 1.14.3

# Docker
docker pull coredns/coredns:1.14.3
docker compose up -d

# Kubernetes (update image in the ConfigMap / Deployment)
kubectl set image deployment/coredns -n kube-system \
  coredns=coredns/coredns:1.14.3

# Helm
helm upgrade coredns coredns/coredns --version <chart-version> \
  --set image.tag=1.14.3

Official workaround (if patching is delayed)

Disable vulnerable transports when TSIG is in play:

# Keep only classic UDP/TCP
. {
    bind 0.0.0.0
    # GRPC, QUIC, DoH, DoH3 removed
    tsig {
        key zonemaster.key
    }
    # ...
}

Or restrict network access on the affected transports to trusted sources only:

# iptables — limit DoH (TCP 443) to admin IPs
iptables -A INPUT -p tcp --dport 443 -s <admin-cidr> -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Long-term hardening post-patch

  • Audit zone transfers of the last 30 days for possible exfiltration
  • Rotate all TSIG keys (new HMAC secrets, redeploy to every DDNS client and secondary)
  • Restrict AXFR/IXFR by default at the firewall level, not only via TSIG
  • Actively monitor successful UPDATE requests hitting your CoreDNS servers

Why Continuous Monitoring of DNS Servers Matters

DNS servers are critical infrastructure: compromise gives the attacker control over your organization's name resolution. Yet traditional vulnerability inventories often miss CoreDNS — deployed as a microservice in Kubernetes, it slips under classic OS scanners.

With cveo.tech, inventory your DNS services alongside your Linux servers and get automatic alerts the moment a critical CVE targets CoreDNS, BIND, Unbound, Knot, or PowerDNS — so your resolvers never become the weak link in your infrastructure.

Monitor CVEs with AI

AI-powered search, CVSS scoring, asset monitoring and automatic alerts.

Try AI search →Create free account

Related articles

PhpSpreadsheet CVE-2026-34084: RCE via phar:// in IOFactory::load()

PhpSpreadsheet (all branches < 5.6.0) allows RCE and SSRF via phar://, ftp:// and ssh2.sftp:// in IOFactory::load(). Patch and PHP hardening guide.

CVE-2026-0300 Palo Alto PAN-OS: Unauth Root RCE Already in CISA KEV

Critical buffer overflow (CVSS 9.8) in the User-ID Authentication Portal of Palo Alto PAN-OS — unauth root RCE. Added to CISA KEV. Patch and workaround.

Nginx UI CVE-2026-42238: Unauth Root RCE in the 10 Minutes After Startup

Nginx UI < 2.3.8 exposes /api/restore unauthenticated for the first 10 minutes after startup. Root RCE via app.ini command injection. Patch and mitigation.