CoreDNS is a DNS server that chains plugins
Branch: master
Clone or download
miekg and yongtang plugin/hosts: fix data race on h.size (#2573)
Guard the access of h.size as this is now a data race.

Fixes #2571

Signed-off-by: Miek Gieben <>
Latest commit 6d21892 Feb 17, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Add CONTRIBUTING symlink (#2540) Feb 8, 2019
.presubmit Add presubmit to check if there are any files that have `import "test… Jan 21, 2019
core Upgrade caddy to 0.11.X (#2541) Feb 17, 2019
coremain Tag version 1.3.1 (#2458) Jan 13, 2019
man Generate man-pages (#2439) Jan 6, 2019
pb Remove grpc watch functionality (#2549) Feb 11, 2019
plugin plugin/hosts: fix data race on h.size (#2573) Feb 17, 2019
request Fix some typos (#2560) Feb 17, 2019
test Fix a flaky test by not depending on Google (#2565) Feb 17, 2019
vendor Remove version pinning of thrift, ugoriji/go, and etcd (#2457) Jan 12, 2019 benchmark are spammy (#2144) Sep 27, 2018
.codecov.yml Increase codecov target requirement to 50% (from 40%) (#1344) Jan 3, 2018
.dockerignore dockerignore: ignore .git (#1723) Apr 24, 2018
.gitignore Add debug.Hexdump (#1902) Jul 4, 2018
.stickler.yml Add stickler config (#2009) Jul 27, 2018
.travis.yml Remove benchmark from travis (#2350) Nov 29, 2018 Change http to https for security links (#2559) Feb 15, 2019 Change http to https for security links (#2559) Feb 15, 2019 Change http to https for security links (#2559) Feb 15, 2019
Dockerfile Docker: drop alpine (#1843) Jun 4, 2018 Governance: Clarify definition of "Transparent and accessible" (#2300) Nov 13, 2018
Gopkg.lock Remove version pinning of thrift, ugoriji/go, and etcd (#2457) Jan 12, 2019
Gopkg.toml Remove version pinning of thrift, ugoriji/go, and etcd (#2457) Jan 12, 2019
LICENSE Cleanups, removing Caddy name a bit more Mar 19, 2016
Makefile Upgrade caddy to 0.11.X (#2541) Feb 17, 2019
Makefile.doc Run make -f Makefile.doc (#1875) Jun 13, 2018
Makefile.fuzz Fuzzing: add more fuzzing targets (#2402) Dec 17, 2018
Makefile.release rename VERBOSE to be more generic (#2172) Oct 10, 2018
OWNERS OWNERS: Add email (#2313) Nov 15, 2018 Update on compiling from GitHub (#2543) Feb 9, 2019 Update (#2237) Oct 25, 2018 Run make -f Makefile.doc (#1875) Jun 13, 2018
coredns.go Enhancement of external plugin enabling (#1392) Jan 15, 2018 Add import plugin to give it docs (#2428) Jan 6, 2019
directives_generate.go Enhancement of external plugin enabling (#1392) Jan 15, 2018
plugin.cfg Add new plugin: external - resolve k8s ingress and LB address with ex… Dec 14, 2018 Fix some typos in comment (#2520) Feb 1, 2019


Documentation Build Status Code Coverage Docker Pulls Go Report Card CII Best Practices

CoreDNS (written in Go) chains plugins. Each plugin performs a DNS function.

CoreDNS is a Cloud Native Computing Foundation graduated project.

CoreDNS is a fast and flexible DNS server. The keyword here is flexible: with CoreDNS you are able to do what you want with your DNS data by utilizing plugins. If some functionality is not provided out of the box you can add it by writing a plugin.

CoreDNS can listen for DNS request coming in over UDP/TCP (go'old DNS), TLS (RFC 7858) and gRPC (not a standard).

Currently CoreDNS is able to:

  • Serve zone data from a file; both DNSSEC (NSEC only) and DNS are supported (file and auto).
  • Retrieve zone data from primaries, i.e., act as a secondary server (AXFR only) (secondary).
  • Sign zone data on-the-fly (dnssec).
  • Load balancing of responses (loadbalance).
  • Allow for zone transfers, i.e., act as a primary server (file).
  • Automatically load zone files from disk (auto).
  • Caching (cache).
  • Use etcd as a backend (replace SkyDNS) (etcd).
  • Use k8s (kubernetes) as a backend (kubernetes).
  • Serve as a proxy to forward queries to some other (recursive) nameserver (forward).
  • Provide metrics (by using Prometheus) (metrics).
  • Provide query (log) and error (errors) logging.
  • Support the CH class: version.bind and friends (chaos).
  • Support the RFC 5001 DNS name server identifier (NSID) option (nsid).
  • Profiling support (pprof).
  • Rewrite queries (qtype, qclass and qname) (rewrite and template).

And more. Each of the plugins is documented. See for all in-tree plugins, and for all out-of-tree plugins.

Compilation from Source

To compile CoreDNS, we assume you have a working Go setup. See various tutorials if you don’t have that already configured.

First, make sure your $GOPATH is correctly set. See here for details. Then, check out the project under your $GOPATH and run make to compile the binary:

$ mkdir -p $GOPATH/src/
$ cd $GOPATH/src/
$ git clone
$ cd coredns
$ make

This should yield a coredns binary.

We vendor most (not all!) packages. This is mostly because vendoring isn't a perfect solution (in Go). We don't vendor mholt/caddy and miekg/dns for instance. Using make will pull down these dependencies and checks out the correct version as well.

Compilation with Docker

CoreDNS requires Go to compile. However, if you already have docker installed and prefer not to setup a Go environment, you could build CoreDNS easily:

$ docker run --rm -i -t -v $PWD:/go/src/ \
      -w /go/src/ golang:1.11 make

The above command alone will have coredns binary generated.


When starting CoreDNS without any configuration, it loads the whoami plugin and starts listening on port 53 (override with -dns.port), it should show the following:

2016/09/18 09:20:50 [INFO] CoreDNS-001

Any query send to port 53 should return some information; your sending address, port and protocol used.

If you have a Corefile without a port number specified it will, by default, use port 53, but you can override the port with the -dns.port flag:

./coredns -dns.port 1053, runs the server on port 1053.

Start a simple proxy, you'll need to be root to start listening on port 53.

Corefile contains:

.:53 {
    forward .

Just start CoreDNS: ./coredns. Then just query on that port (53). The query should be forwarded to and the response will be returned. Each query should also show up in the log which is printed on standard output.

Serve the (NSEC) DNSSEC-signed on port 1053, with errors and logging sent to standard output. Allow zone transfers to everybody, but specifically mention 1 IP address so that CoreDNS can send notifies to it. {
    file /var/lib/coredns/ {
        transfer to *
        transfer to 2001:500:8f::53

Serve on port 1053, but forward everything that does not match to a recursive nameserver and rewrite ANY queries to HINFO.

.:1053 {
    rewrite ANY HINFO
    forward .

    file /var/lib/coredns/ {
        transfer to *
        transfer to 2001:500:8f::53

IP addresses are also allowed. They are automatically converted to reverse zones: {

Means you are authoritative for

This also works for IPv6 addresses. If for some reason you want to serve a zone named add the closing dot: as this also stops the conversion.

This even works for CIDR (See RFC 1518 and 1519) addressing, i.e., CoreDNS will then check if the in-addr request falls in the correct range.

Listening on TLS and for gRPC? Use:

tls:// grpc:// {

Specifying ports works in the same way:

grpc:// {
    # ...

When no transport protocol is specified the default dns:// is assumed.


We're most active on Github (and Slack):

More resources can be found:


Examples for deployment via systemd and other use cases can be found in the deployment repository.

Deprecation Policy

When there is a backwards incompatible change in CoreDNS the following process is followed:

  • Release x.y.z: Announce that in the next release we will make backward incompatible changes.
  • Release x.y+1.0: Increase the minor version and set the patch version to 0. Make the changes, but allow the old configuration to be parsed. I.e. CoreDNS will start from an unchanged Corefile.
  • Release x.y+1.1: Increase the patch version to 1. Remove the lenient parsing, so CoreDNS will not start if those features are still used.

E.g. 1.3.1 announce a change. 1.4.0 a new release with the change but backward compatible config. And finally 1.4.1 that removes the config workarounds.


Security Audit

A third party security audit was performed by Cure53, you can see the full report here.

Reporting security vulnerabilities

If you find a security vulnerability or any security related issues, please DO NOT file a public issue, instead send your report privately to Security reports are greatly appreciated and we will publicly thank you for it.

Please consult security vulnerability disclosures and security fix and release process document