This release adds initial support for DoH3 and includes several core performance and stability
fixes, including reduced allocations, a resolved data race in uniq, and safer QUIC listener
initialization. Plugin updates improve forwarder reliability, extend GeoIP schema support,
and fix issues in secondary, nomad, and kubernetes. Cache and file plugins also receive
targeted performance tuning.

Deprecations: The GeoIP plugin currently returns 0 for missing latitude/longitude, even though
0,0 is a real location. In the next release, this behavior will change: missing coordinates
will return an empty string instead. This avoids conflating “missing” with a real coordinate.
Users relying on 0 as a sentinel value should update their logic before this change takes effect.
See PR #7732 for reference.

Brought to You By

Alicia Y
Andrey Smirnov
Brennan Kinney
Charlie Vieth
Endre Szabo
Eric Case
Filippo125
Nico Berlee
Olli Janatuinen
Rick Fletcher
Timur Solodovnikov
Tomas Boros
Ville Vesilehto
cangming
rpb-ant
wencyu
wenxuan70
Yong Tang
zhetaicheleba

Noteworthy Changes

• core: Add basic support for DoH3 (#7677)
• core: Avoid proxy unnecessary alloc in Yield (#7708)
• core: Fix usage of sync.Pool to save an alloc (#7701)
• core: Fix data race with sync.RWMutex for uniq (#7707)
• core: Prevent QUIC reload panic by lazily initializing the listener (#7680)
• core: Refactor/use reflect.TypeFor (#7696)
• plugin/auto: Limit regex length (#7737)
• plugin/cache: Remove superfluous allocations in item.toMsg (#7700)
• plugin/cache: Isolate metadata in prefetch goroutine (#7631)
• plugin/cache: Correct spelling of MaximumDefaultTTL in cache and dnsutil packages (#7678)
• plugin/dnstap: Better error handling (redial & logging) when Dnstap is busy (#7619)
• plugin/file: Performance finetuning (#7658)
• plugin/forward: Disallow NOERROR in failover (#7622)
• plugin/forward: Added support for per-nameserver TLS SNI (#7633)
• plugin/forward: Prevent busy loop on connection err (#7704)
• plugin/forward: Add max connect attempts knob (#7722)
• plugin/geoip: Add ASN schema support (#7730)
• plugin/geoip: Add support for subdivisions (#7728)
• plugin/kubernetes: Fix kubernetes plugin logging (#7727)
• plugin/multisocket: Cap num sockets to prevent OOM (#7615)
• plugin/nomad: Support service filtering (#7724)
• plugin/rewrite: Pre-compile CNAME rewrite regexp (#7697)
• plugin/secondary: Fix reload causing secondary plugin goroutine to leak (#7694)

This release updates CoreDNS to Go 1.25.2 and golang.org/x/net v0.45.0 to address multiple
high-severity CVEs. It also improves core performance by avoiding string concatenation in
loops, and hardens the sign plugin by rejecting invalid UTF-8 tokens in dbfile.

Brought to You By

Catena cyber
Ville Vesilehto
Yong Tang

Noteworthy Changes

• core: Avoid string concatenation in loops (#7572)
• core: Update golang to 1.25.2 and golang.org/x/net to v0.45.0 on CVE fixes (#7598)
• plugin/sign: Reject invalid UTF‑8 dbfile token (#7589)

This release introduces a new Nomad plugin for integrating CoreDNS with HashiCorp Nomad.
It also fixes major Corefile issues on infinite loops and import cycles, improves shutdown
handling, normalizes core panics, addresses data races in the file plugin, enforces gRPC size
limits, adjusts forward failover behavior, as well as prevents reload deadlocks.

Brought to You By

Fitz_dev
Ilya Kulakov
Olli Janatuinen
Ville Vesilehto
Yong Tang

Noteworthy Changes

• core: Export timeout values in dnsserver.Server (#7497)
• core: Fix Corefile infinite loop on unclosed braces (#7571)
• core: Fix Corefile related import cycle issue (#7567)
• core: Normalize panics on invalid origins (#7563)
• core: Rely on dns.Server.ShutdownContext to gracefully stop (#7517)
• plugin/dnstap: Add bounds for plugin args (#7557)
• plugin/file: Fix data race in tree Elem.Name (#7574)
• plugin/forward: No failover to next upstream when receiving SERVFAIL or REFUSED response codes (#7458)
• plugin/grpc: Enforce DNS message size limits (#7490)
• plugin/loop: Prevent panic when ListenHosts is empty (#7565)
• plugin/loop: Avoid panic on invalid server block (#7568)
• plugin/nomad: Add a Nomad plugin (#7467)
• plugin/reload: Prevent SIGTERM/reload deadlock (#7562)

This release improves stability and security, fixing context propagation in DoH, label offset handling
in the file plugin, and connection leaks in gRPC and transfer. It also adds support for the prefer option
in loadbalance, introduces timeouts to the metrics server, and fixes several security vulnerabilities
(see details in related security advisories).

Brought to You By

Archy
Ilya Kulakov
Olli Janatuinen
Qasim Sarfraz
Syed Azeez
Ville Vesilehto
wencyu
Yong Tang

Noteworthy Changes

• core: Improve caddy.GracefulServer conformance checks (#7416)
• core: Propagate HTTP request context in DoH (#7491)
• plugin/file: Fix label offset problem in ClosestEncloser (#7465)
• plugin/grpc: Check proxy list length in policies (#7512)
• plugin/grpc: Fix span leak and deadline on error attempt (#7487)
• plugin/header: Remove deprecated syntax (#7436)
• plugin/loadbalance: Support prefer option (#7433)
• plugin/metrics: Add timeouts to metrics HTTP server (#7469)
• plugin/trace: Migrate dd-trace-go v1 to v2 (#7466)
• plugin/transfer: Fix goroutine leak on axfr err (#7516)

This release improves plugin reliability and standards compliance, adding startup timeout to the Kubernetes
plugin, fallthrough to gRPC, and EDNS0 unset to rewrite. The file plugin now preserves SRV record case per
RFC 6763, route53 is updated to AWS SDK v2, and multiple race conditions in cache and connection handling in
forward are fixed.

Brought to You By

blakebarnett
Brennan Kinney
Cameron Steel
Dave Brown
Dennis Simmons
Guillaume Jacquet
harshith-2411-2002
houpo-bob
Oleg Guba
Sebastian Mayr
Stephen Kitt
Syed Azeez
Ville Vesilehto
Yong Tang
Yoofi Quansah

Noteworthy Changes

• plugin/auto: Return REFUSED when no next plugin is available (#7381)
• plugin/cache: Create a copy of a response to ensure original msg is never modified (#7357)
• plugin/cache: Fix data race when refreshing cached messages (#7398)
• plugin/cache: Fix data race when updating the TTL of cached messages (#7397)
• plugin/file: Return REFUSED when no next plugin is available (#7381)
• plugin/file: Preserve case in SRV record names and targets per RFC 6763 (#7402)
• plugin/forward: Handle cached connection closure in forward plugin (#7427)
• plugin/grpc: Add support for fallthrough to the grpc plugin (#7359)
• plugin/kubernetes: Add startup_timeout for kubernetes plugin (#7068)
• plugin/kubernetes: Properly create hostname from IPv6 (#7431)
• plugin/rewrite: Add EDNS0 unset action (#7380)
• plugin/route53: Port to AWS Go SDK v2 (#6588)
• plugin/test: Fix TXT record comparison logic for multi-string vs multi-record scenarios (#7413)

This release introduces significant improvements to plugin stability and extensibility.
It adds multicluster support to the Kubernetes plugin, fallthrough support in the file plugin,
and a new SetProxyOptions function for the forward plugin.
Notably, the QUIC (DoQ) plugin now limits concurrent streams, improving performance under load.
Several bug fixes and optimizations improve reliability across plugins, including rewrite, proxy, and metrics.

Brought to You By

Ambrose Chua,
Arthur Outhenin-Chalandre,
Ben Kochie,
Colden Cullen,
Gleb Kogtev,
Hirotaka Tagawa,
Kevin Lyda,
Manuel Rüger,
Mark Mickan,
Parfenov Ivan,
skipper,
vdbe,
Viktor Oreshkin,
Ville Vesilehto,
Yannick Epstein,
Yong Tang

Noteworthy Changes

• core: Enable plugins via environment during build (#7310)
• core: Ensure DNS query name reset in plugin.NS error path (#7142)
• plugin/forward: Added SetProxyOptions function for forward plugin (#7229)
• plugin/ready: Do not interrupt querying readiness probes for plugins (#6975)
• plugin/secondary: Make transfer property mandatory (#7249)
• plugin/rewrite: Truncated upstream response (#7277)
• plugin/quic: Limit concurrent DoQ streams and goroutines (#7296)
• plugin/kubernetes: Add multicluster support (#7266)
• plugin/bind: Remove zone for link-local IPv4 (#7295)
• plugin/metrics: Preserve request size from plugins (#7313)
• plugin/proxy: Avoid Dial hang after Transport stopped (#7321)
• plugin/file: Add fallthrough support (#7327)
• plugin/kubernetes: Optimize AutoPath slice allocation (#7323)

In this release:

• kubernetes: Revert recent change to only create PTR records for endpoints with hostname defined.
• forward: added option to return SERVFAIL immediately if all upstreams are unhealthy.

Brought to You By

Adrian Moisey,
Arthur Outhenin-Chalandre,
Bartosz Borkowski,
Ben Kochie,
Chris O'Haver,
Min Woo Kim,
Puneet Loya,
Rich,
Viktor,
momantech

Noteworthy Changes

• core: Increase CNAME lookup limit from 7 to 10 (#7153)
• plugin/kubernetes: Fix handling of pods having DeletionTimestamp set (#7119) (#7131)
• plugin/kubernetes: Revert "only create PTR records for endpoints with hostname defined (#6898)" (#7194)
• plugin/forward: added option failfast_all_unhealthy_upstreams to return servfail if all upstreams are down (#6999)

This release adds a new feature:

• New multisocket plugin - allows CoreDNS to listen on multiple sockets

Brought to You By

Ben Kochie,
Chris O'Haver,
Emmanuel Ferdman,
Viktor

Noteworthy Changes

• plugin/multisocket (#6882)

This release adds some new features and fixes some bugs. New features of note:

• forward plugin: new option next, to try alternate upstreams when receiving specified response codes upstreams on (functions like the external plugin alternate)
• dnssec plugin: new option to load keys from AWS Secrets Manager
• rewrite plugin: new option to revert EDNS0 option rewrites in responses

Brought to You By

AdamKorcz,
Anifalak,
Ben Kochie,
Chris O'Haver,
Frederic Hemery,
Grant Spence,
Harshita Sao,
Jason Joo,
Jasper Bernhardt,
Johnny Bergström,
Keith Coleman,
Kevin Lyda,
Lan,
Lin-1997,
Manuel Rüger,
Nathan Currier,
Nicolai Søborg,
Nikita Usatov,
Paco Xu,
Reinhard Nägele,
Robbie Ostrow,
TAKAHASHI Shuuji,
Till Riedel,
Tobias Klauser,
YASH JAIN,
cedar-gao,
chenylh,
wmkuipers,
xinbenlv,
zhangguanzhang

Noteworthy Changes

• core: set cache-control max-age as integer, not float (#6764)
• plugin/metadata: evaluate metadata in plugin order (#6729)
• plugin/dnssec: dnssec load keys from AWS Secrets Manager (#6618)
• plugin/rewrite: Add "revert" parameter for EDNS0 options (#6893)
• container: Restored backwards compatibility of Current Workdir (#6731)
• plugin/auto: call OnShutdown() for each zone at its own OnShutdown() (#6705)
• plugin/dnstap: log queue and buffer memory size configuration (#6591)
• plugin/bind: add zone for link-local IPv6 instead of skipping (#6547)
• plugin/kubernetes: only create PTR records for endpoints with hostname defined (#6898)
• plugin/rewrite: execute the reversion in reversed order (#6872)
• plugin/etcd: fix etcd connection leakage during reload (#6646)
• plugi/kubernetes: Add useragent (#6484)
• plugin/hosts: add hostsfile as label for coredns_hosts_entries (#6801)
• plugin/file: Fix zone parser error handling (#6680)
• plugin/forward: Add alternate option to forward plugin (#6681)
• plugin/file: return error when parsing the file fails (#6699)
• build: Generate zplugin.go correctly with third-party plugins (#6692)

Full Changelog: v1.11.3...v1.11.4

This release contains some new features, bug fixes, and package updates. Because of the deployment issues with the previous release, all changed features from 1.11.2 have been included in this release.
New features include:

• When the forward plugin receives a malformed upstream response that overflows,
  it will now send an empty response to the client with the truncated (TC) bit set to prompt the client
  to retry over TCP.
• The rewrite plugin can now rewrite response codes.
• The dnstap plugin now supports adding metadata to the dnstap extra field.

Brought to You By

Amila Senadheera,
Ben Kochie,
Benjamin,
Chris O'Haver,
Grant Spence,
John Belamaric,
Keita Kitamura,
Marius Kimmina,
Michael Grosser,
Ondřej Benkovský,
P. Radha Krishna,
Rahil Bhimjiani,
Sri Harsha,
Tom Thorogood,
Willow (GHOST),
Yong Tang,
Yuheng,
Zhizhen He,
guangwu,
journey-c,
pschou
Ted Ford

Noteworthy Changes

• plugin/tls: respect the path specified by root plugin (#6138)
• plugin/auto: warn when auto is unable to read elements of the directory tree (#6333)
• plugin/etcd: the etcd client adds the DialKeepAliveTime parameter (#6351)
• plugin/cache: key cache on Checking Disabled (CD) bit (#6354)
• plugin/forward: Use the correct root domain name in the forward plugin's health checks (#6395)
• plugin/forward: Handle UDP responses that overflow with TC bit (#6277)
• plugin/rewrite: fix multi request concurrency issue in cname rewrite (#6407)
• plugin/rewrite: add rcode as a rewrite option (#6204)
• plugin/dnstap: add support for "extra" field in payload (#6226)
• plugin/cache: fix keepttl parsing (#6250)
• Return RcodeServerFailure when DNS64 has no next plugin (#6590)
• Change the log flags to be a variable that can be set (#6546)
• Bump go version to 1.21 (#6533)
• replace the mutex locks in logging with atomic bool for the "on" flag (#6525)
• Enable Prometheus native histograms (#6524)