coredns/coredns
Security
Active contributors: johnbelamaric, miekg, ihac, isolus, chrisohaver
Purpose
These plugins enforce who can ask, what they can ask, and what's signed. They sit either at the start of the chain (filtering) or wrap the response (signing).
Plugins in this group
| Plugin | Source | One-liner |
|---|---|---|
acl |
plugin/acl/ |
Allow/deny queries by client CIDR or DNS class/type |
view |
plugin/view/ |
Scope a server block to clients matching a CEL-like expression |
tsig |
plugin/tsig/ |
Verify TSIG-signed queries against named secrets |
dnssec |
plugin/dnssec/ |
On-the-fly DNSSEC signing of any answer (NSEC black lies) |
sign |
plugin/sign/ |
Pre-sign zone files on disk (DNSSEC) |
tls |
plugin/tls/ |
Configure TLS for DoT/DoH/DoH3/DoQ/gRPC servers |
How they fit
graph TD
Q[query]
Q --> View{view filter}
View -->|no match| OtherBlock[other server block]
View -->|match| TSIG[tsig]
TSIG -->|invalid sig| Refused[REFUSED]
TSIG -->|valid| ACL[acl]
ACL -->|deny| Refused
ACL -->|allow| Chain[downstream plugins]
Chain --> DNSSEC[dnssec wrap response]
DNSSEC --> Reply[reply]viewis processed incore/dnsserver: it contributes aFilterFuncto theConfig, evaluated before the chain runs.tsigvalidates signed messages via the per-serverTsigSecretmap populated from the Caddyfile.aclmatches a request's client IP, qclass, qtype, and qname against a list ofallow/block/refuse/drop/filterrules, encoded withexpression.dnssecandsignare siblings:signruns outside the server (offline signing of master files) whilednssecruns in-process and signs at request time.
Notable plugins in detail
view
Implements Viewer (core/dnsserver/view.go). Each view plugin instance contributes a Filter(ctx, req) function evaluated in Server.ServeDNS before dispatch. The filter is parsed by plugin/pkg/expression and exposes variables like client_ip, proto, qtype, qname. Unmatched server blocks are skipped, allowing two blocks for the same zone to serve different content to different clients. Two views in the same block error out at setup time.
acl
Pure-Go expression evaluator over IPs and DNS metadata. Rules:
acl {
block type ANY
allow net 192.168.0.0/16
block
}Actions are allow, block (REFUSED), refuse (legacy), drop (no response), filter (NOERROR with empty answer). The evaluator is in plugin/acl/handler.go. Common in zero-trust setups where DNS is itself an attack surface.
tsig
Verifies inbound TSIG. The Caddyfile configures secret <name> <key> entries that are propagated to Config.TsigSecret and consumed by the underlying miekg/dns.Server. Useful for AXFR authentication.
dnssec
The on-the-fly signer. From the README.md:
With dnssec, any reply that doesn't (or can't) do DNSSEC will get signed on the fly. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.
Implementation:
- Keys come from disk (
key file) or AWS Secrets Manager (key aws_secretsmanager). Each key has its DNSKEY type derived from the SEP bit. - Signed RRSIGs are cached in a sharded LRU keyed by
(name, type, dnssec_alg). Capacity is configurable viacache_capacity. - The plugin wraps the downstream writer to inspect the message, sign each RRset, and append RRSIG and NSEC records. Implementation lives in
plugin/dnssec/handler.go,dnssec.go, andresponsewriter.go.
sign
Offline signer. Reads a master file, signs every record, and writes a signed master file to disk for the file plugin to serve. Useful when on-the-fly signing isn't desired (CPU cost, DNSKEY rotation control).
tls
Doesn't directly handle DNS — instead, populates Config.TLSConfig so DoT, DoH, DoH3, DoQ, and gRPC servers can use it. Uses plugin/pkg/tls to assemble the *tls.Config. Multiple tls blocks across the same server block error out (transports require a single config).
Cross-plugin notes
viewruns before the plugin chain;aclruns inside the chain. Useviewfor hard tenant separation,aclfor firewall-style rules.dnssecandtransfercooperate: zone transfers expose signed records when both are loaded.tlsis required for DoT/DoH/DoH3/DoQ/gRPC encrypted servers; the Transports page lists which servers consultConfig.TLSConfig.tsighonors theTsigSecretmap referenced byServer.serverDNS.
Key source files
| File | Purpose |
|---|---|
plugin/view/view.go, plugin/view/setup.go |
View implementation |
core/dnsserver/view.go |
Viewer interface |
plugin/acl/handler.go, plugin/acl/setup.go |
ACL evaluator |
plugin/tsig/tsig.go |
TSIG verification |
plugin/dnssec/dnssec.go, handler.go, responsewriter.go, cache.go |
On-the-fly signing |
plugin/sign/sign.go, signer.go |
Offline signing |
plugin/tls/tls.go |
TLS configuration |
plugin/pkg/tls/ |
Shared TLS builder |
plugin/pkg/expression/ |
Expression evaluator (for acl and view) |
Related pages
- Transports — encrypted servers that consume
tls. - Backends —
transfercooperates with DNSSEC for signed AXFR. - DNS server —
Viewerintegration in dispatch.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.