CoreDNS Blog

This release primarily addresses security vulnerabilities affecting Go versions prior to Go 1.25.6 and Go 1.24.12 (CVE-2025-61728, CVE-2025-61726, CVE-2025-68121, CVE-2025-61731, CVE-2025-68119). It also includes performance improvements to the proxy plugin via multiplexed connections, along with various documentation updates. Brought to You By Alex Massy Shiv Tyagi Ville Vesilehto Yong Tang Noteworthy Changes plugin/proxy: Use mutex-based connection pool (https://github.com/coredns/coredns/pull/7790)

This release focuses on security hardening and operational reliability. Core updates introduce a regex length limit to reduce resource-exhaustion risk. Plugin updates improve error consolidation (show_first), reduce misleading SOA warnings, add Kubernetes API rate limiting, enhance metrics with plugin chain tracking, and fix issues in azure and sign. This release also includes additional security fixes; see the security advisory for details. Brought to You By cangming pasteley Raisa Kabir Ross Golder rusttech Syed Azeez Ville Vesilehto Yong Tang

This release adds initial support for DoH3 and includes several core performance and stability fixes, including reduced allocations, a resolved data race in uniq, and safer QUIC listener initialization. Plugin updates improve forwarder reliability, extend GeoIP schema support, and fix issues in secondary, nomad, and kubernetes. Cache and file plugins also receive targeted performance tuning. Deprecations: The GeoIP plugin currently returns 0 for missing latitude/longitude, even though 0,0 is a real location.