coredns Release Notes

This release adds the new proxyproto plugin to support Proxy Protocol and preserve client IPs behind load balancers. It also includes enhancements such as improved DNS logging metadata and stronger randomness for loop detection (CVE-2026-26018), along with several bug fixes including TLS+IPv6 forwarding, improved CNAME handling and rewriting, allowing jitter disabling, prevention of an ACL bypass (CVE-2026-26017), and a Kubernetes plugin crash fix. In addition, the release updates the build to Go 1.26.1, which include security fixes addressing CVE-2026-27137, CVE-2026-27138, CVE-2026-27139, CVE-2026-25679, and CVE-2026-27142.

Brought to You By

Adphi

Henrik Gerdes

hide

Kelly Kane

Shiv Tyagi

vflaux

Ville Vesilehto

yangsenzk

Yong Tang

YOUNEVSKY

Noteworthy Changes

• core: Reorder rewrite before acl to prevent bypass (#7882)
• plugin/file: Return SOA and NS records when queried for a record CNAMEd to origin (#7808)
• plugin/forward: Fix parsing error when handling TLS+IPv6 address (#7848)
• plugin/log: Add metadata for response Type and Class to Log (#7806)
• plugin/loop: Use crypto/rand for query name generation (#7881)
• plugin/kubernetes: Fix panic on empty ListenHosts (#7857)
• plugin/proxyproto: Add proxy protocol support (#7738)
• plugin/reload: Allow disabling jitter with 0s (#7896)
• plugin/rewrite: Fix cname target rewrite for CNAME chains (#7853)

This release focuses on security hardening and operational reliability. Core updates introduce a regex length limit to reduce resource-exhaustion risk. Plugin updates improve error consolidation (show_first), reduce misleading SOA warnings, add Kubernetes API rate limiting, enhance metrics with plugin chain tracking, and fix issues in azure and sign. This release also includes additional security fixes; see the security advisory for details.

Brought to You By

• cangming
• pasteley
• Raisa Kabir
• Ross Golder
• rusttech
• Syed Azeez
• Ville Vesilehto
• Yong Tang

Noteworthy Changes

• core: Fix gosec G115 integer overflow warnings (#7799)
• core: Add regex length limit (#7802)
• plugin/azure: Fix slice init length (#6901)
• plugin/errors: Add optional show_first flag to consolidate directive (#7703)
• plugin/file: Fix for misleading SOA parser warnings (#7774)
• plugin/kubernetes: Rate limits to api server (#7771)
• plugin/metrics: Implement plugin chain tracking (#7791)
• plugin/sign: Report parser err before missing SOA (#7775)

This release adds initial support for DoH3 and includes several core performance and stability fixes, including reduced allocations, a resolved data race in uniq, and safer QUIC listener initialization. Plugin updates improve forwarder reliability, extend GeoIP schema support, and fix issues in secondary, nomad, and kubernetes. Cache and file plugins also receive targeted performance tuning.

Deprecations

The GeoIP plugin currently returns 0 for missing latitude/longitude, even though 0,0 is a real location. In the next release, this behavior will change: missing coordinates will return an empty string instead. This avoids conflating “missing” with a real coordinate. Users relying on 0 as a sentinel value should update their logic before this change takes effect. See PR #7732 for reference.

Brought to You By

Alicia Y
Andrey Smirnov
Brennan Kinney
Charlie Vieth
Endre Szabo
Eric Case
Filippo125
Nico Berlee
Olli Janatuinen
Rick Fletcher
Timur Solodovnikov
Tomas Boros
Ville Vesilehto
cangming
rpb-ant
wencyu
wenxuan70
Yong Tang
zhetaicheleba

Noteworthy Changes

• core: Add basic support for DoH3 (#7677)
• core: Avoid proxy unnecessary alloc in Yield (#7708)
• core: Fix usage of sync.Pool to save an alloc (#7701)
• core: Fix data race with sync.RWMutex for uniq (#7707)
• core: Prevent QUIC reload panic by lazily initializing the listener (#7680)
• core: Refactor/use reflect.TypeFor (#7696)
• plugin/auto: Limit regex length (#7737)
• plugin/cache: Remove superfluous allocations in item.toMsg (#7700)
• plugin/cache: Isolate metadata in prefetch goroutine (#7631)
• plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil packages (#7678)
• plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy (#7619)
• plugin/file: Performance finetuning (#7658)
• plugin/forward: Disallow NOERROR in failover (#7622)
• plugin/forward: Added support for per-nameserver TLS SNI (#7633)
• plugin/forward: Prevent busy loop on connection err (#7704)
• plugin/forward: Add max connect attempts knob (#7722)
• plugin/geoip: Add ASN schema support (#7730)
• plugin/geoip: Add support for subdivisions (#7728)
• plugin/kubernetes: Fix kubernetes plugin logging (#7727)
• plugin/multisocket: Cap num sockets to prevent OOM (#7615)
• plugin/nomad: Support service filtering (#7724)
• plugin/rewrite: Pre-compile CNAME rewrite regexp (#7697)
• plugin/secondary: Fix reload causing secondary plugin goroutine to leak (#7694)

This release updates CoreDNS to Go 1.25.2 and golang.org/x/net v0.45.0 to address multiple high-severity CVEs. It also improves core performance by avoiding string concatenation in loops, and hardens the sign plugin by rejecting invalid UTF-8 tokens in dbfile.

Brought to You By

• Catena cyber
• Ville Vesilehto
• Yong Tang

Noteworthy Changes

• core: Avoid string concatenation in loops (#7572)
• core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes (#7598)
• plugin/sign: Reject invalid UTF‑8 dbfile token (#7589)

Brought to You By

• Fitz_dev
• Ilya Kulakov
• Olli Janatuinen
• Ville Vesilehto
• Yong Tang

Noteworthy Changes

• core: Export timeout values in dnsserver.Server (#7497)
• core: Fix Corefile infinite loop on unclosed braces (#7571)
• core: Fix Corefile related import cycle issue (#7567)
• core: Normalize panics on invalid origins (#7563)
• core: Rely on dns.Server.ShutdownContext to gracefully stop (#7517)
• plugin/dnstap: Add bounds for plugin args (#7557)
• plugin/file: Fix data race in tree Elem.Name (#7574)
• plugin/forward: No failover to next upstream when receiving SERVFAIL or REFUSED response codes (#7458)
• plugin/grpc: Enforce DNS message size limits (#7490)
• plugin/loop: Prevent panic when ListenHosts is empty (#7565)
• plugin/loop: Avoid panic on invalid server block (#7568)
• plugin/nomad: Add a Nomad plugin (#7467)
• plugin/reload: Prevent SIGTERM/reload deadlock (#7562)

This release improves stability and security, fixing context propagation in DoH, label offset handling in the file plugin, and connection leaks in gRPC and transfer. It also adds support for the prefer option in loadbalance, introduces timeouts to the metrics server, and fixes several security vulnerabilities (see details in related security advisories).

Brought to You By

• Archy
• Ilya Kulakov
• Olli Janatuinen
• Qasim Sarfraz
• Syed Azeez
• Ville Vesilehto
• wencyu
• Yong Tang

Noteworthy Changes

• core: Improve caddy.GracefulServer conformance checks (#7416)
• core: Propagate HTTP request context in DoH (#7491)
• plugin/file: Fix label offset problem in ClosestEncloser (#7465)
• plugin/grpc: Check proxy list length in policies (#7512)
• plugin/grpc: Fix span leak and deadline on error attempt (#7487)
• plugin/header: Remove deprecated syntax (#7436)
• plugin/loadbalance: Support prefer option (#7433)
• plugin/metrics: Add timeouts to metrics HTTP server (#7469)
• plugin/trace: Migrate dd-trace-go v1 to v2 (#7466)
• plugin/transfer: Fix goroutine leak on axfr err (#7516)

This release improves plugin reliability and standards compliance, adding startup timeout to the Kubernetes plugin, fallthrough to gRPC, and EDNS0 unset to rewrite. The file plugin now preserves SRV record case per RFC 6763, route53 is updated to AWS SDK v2, and multiple race conditions in cache and connection handling in forward are fixed.

Brought to You By

blakebarnett
Brennan Kinney
Cameron Steel
Dave Brown
Dennis Simmons
Guillaume Jacquet
harshith-2411-2002
houpo-bob
Oleg Guba
Sebastian Mayr
Stephen Kitt
Syed Azeez
Ville Vesilehto
Yong Tang
Yoofi Quansah

Noteworthy Changes

• plugin/auto: Return REFUSED when no next plugin is available (#7381)
• plugin/cache: Create a copy of a response to ensure original msg is never modified (#7357)
• plugin/cache: Fix data race when refreshing cached messages (#7398)
• plugin/cache: Fix data race when updating the TTL of cached messages (#7397)
• plugin/file: Return REFUSED when no next plugin is available (#7381)
• plugin/file: Preserve case in SRV record names and targets per RFC 6763 (#7402)
• plugin/forward: Handle cached connection closure in forward plugin (#7427)
• plugin/grpc: Add support for fallthrough to the grpc plugin (#7359)
• plugin/kubernetes: Add startup_timeout for kubernetes plugin (#7068)
• plugin/kubernetes: Properly create hostname from IPv6 (#7431)
• plugin/rewrite: Add EDNS0 unset action (#7380)
• plugin/route53: Port to AWS Go SDK v2 (#6588)
• plugin/test: Fix TXT record comparison logic for multi-string vs multi-record scenarios (#7413)

This release introduces significant improvements to plugin stability and extensibility. It adds multicluster support to the Kubernetes plugin, fallthrough support in the file plugin, and a new SetProxyOptions function for the forward plugin. Notably, the QUIC (DoQ) plugin now limits concurrent streams, improving performance under load. Several bug fixes and optimizations improve reliability across plugins, including rewrite, proxy, and metrics.

Brought to You By

• Ambrose Chua,
• Arthur Outhenin-Chalandre,
• Ben Kochie,
• Colden Cullen,
• Gleb Kogtev,
• Hirotaka Tagawa,
• Kevin Lyda,
• Manuel Rüger,
• Mark Mickan,
• Parfenov Ivan,
• skipper,
• vdbe,
• Viktor Oreshkin,
• Ville Vesilehto,
• Yannick Epstein,
• Yong Tang

Noteworthy Changes

• core: Enable plugins via environment during build (#7310)
• core: Ensure DNS query name reset in plugin.NS error path (#7142)
• plugin/forward: Added SetProxyOptions function for forward plugin (#7229)
• plugin/ready: Do not interrupt querying readiness probes for plugins (#6975)
• plugin/secondary: Make transfer property mandatory (#7249)
• plugin/rewrite: Truncated upstream response (#7277)
• plugin/quic: Limit concurrent DoQ streams and goroutines (#7296)
• plugin/kubernetes: Add multicluster support (#7266)
• plugin/bind: Remove zone for link-local IPv4 (#7295)
• plugin/metrics: Preserve request size from plugins (#7313)
• plugin/proxy: Avoid Dial hang after Transport stopped (#7321)
• plugin/file: Add fallthrough support (#7327)
• plugin/kubernetes: Optimize AutoPath slice allocation (#7323)

In this release

• kubernetes: Revert recent change to only create PTR records for endpoints with hostname defined.
• forward: added option to return SERVFAIL immediately if all upstreams are unhealthy.

Brought to You By

• Adrian Moisey,
• Arthur Outhenin-Chalandre,
• Bartosz Borkowski,
• Ben Kochie,
• Chris O'Haver,
• Min Woo Kim,
• Puneet Loya,
• Rich,
• Viktor,
• momantech

Noteworthy Changes

• core: Increase CNAME lookup limit from 7 to 10 (#7153)
• plugin/kubernetes: Fix handling of pods having DeletionTimestamp set (#7119) (#7131)
• plugin/kubernetes: Revert "only create PTR records for endpoints with hostname defined (#6898)" (#7194)
• plugin/forward: added option failfast_all_unhealthy_upstreams to return servfail if all upstreams are down (#6999)