b- · pull · Jun 18, 2025 · Jun 18, 2025 · Jun 19, 2025 · Jun 28, 2025
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -1,8 +1,13 @@
 name: CIFuzz
+
 on:
   pull_request:
     branches:
       - master
+
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -27,15 +27,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858  # v3.29.0
+        uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498  # v3.29.11
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858  # v3.29.0
+        uses: github/codeql-action/autobuild@3c3833e0f8c1c83d449a7478aa59c036a9165498  # v3.29.11
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858  # v3.29.0
+        uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498  # v3.29.11
diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9
+        uses: actions/dependency-review-action@bc41886e18ea39df68b1b1245f4184881938e050
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -20,13 +20,13 @@ jobs:
       DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
       RELEASE: ${{ github.event.inputs.release || github.event.release.tag_name }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
       - name: Build Docker Images
         run: make VERSION=${RELEASE:1} DOCKER=coredns -f Makefile.docker release
       - name: Show Docker Images
         run: docker images
       - name: Docker login
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1  # v3.5.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}

diff --git a/.github/workflows/go.coverage.yml b/.github/workflows/go.coverage.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 
       - name: Setup Go Version
         run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
@@ -25,10 +25,10 @@ jobs:
 
       - name: Test With Coverage
         run: |
-          go install github.com/fatih/faillint@latest
+          go install github.com/fatih/faillint@c56e3ec6dbfc933bbeb884fd31f2bcd41f712657 # v1.15.0
           for d in request core coremain plugin test; do \
              ( cd $d; go test -coverprofile=cover.out -covermode=atomic -race ./...; [ -f cover.out ] && cat cover.out >> ../coverage.txt ); \
           done
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24  # v5.4.3
+        uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00  # v5.5.0
diff --git a/.github/workflows/go.test.yml b/.github/workflows/go.test.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 
       - name: Setup Go Version
         run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 
       - name: Setup Go Version
         run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
@@ -56,7 +56,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 
       - name: Setup Go Version
         run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
@@ -72,15 +72,15 @@ jobs:
 
       - name: Test
         run: |
-          go install github.com/fatih/faillint@latest
+          go install github.com/fatih/faillint@c56e3ec6dbfc933bbeb884fd31f2bcd41f712657 # v1.15.0
           ( cd test; go test -race ./... )
 
   test-makefile-release:
     name: Test Makefile.release
     runs-on: ubuntu-latest
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 
       - name: Install dependencies
         run: sudo apt-get install make curl

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -1,12 +1,17 @@
 name: golangci-lint
+
 on:
   pull_request:
+
+permissions:
+  contents: read
+
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
       - name: Setup Go Version
         run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV
       - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
@@ -15,4 +20,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9  # v8.0.0
         with:
-          version: v2.1.6
+          version: v2.4.0
diff --git a/.github/workflows/make.doc.yml b/.github/workflows/make.doc.yml
@@ -4,7 +4,8 @@ on:
   schedule:
     - cron: '22 10 * * 0'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   fix:
@@ -13,7 +14,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 
       - name: Setup Go Version
         run: echo "GO_VERSION=$(cat .go-version)" >> $GITHUB_ENV

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
         description: "Commit (e.g., 52f0348)"
         default: "master"
 
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release
@@ -15,7 +18,7 @@ jobs:
       contents: write
     steps:
       - name: Check out code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
         with:
           ref: ${{ github.event.inputs.commit }}
       - name: Set up info

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
         with:
           persist-credentials: false
 
@@ -51,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858  # v3.29.0
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498  # v3.29.11
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
@@ -18,16 +18,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37  # master
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4  # master
         with:
           image-ref: 'docker.io/coredns/coredns:${{ matrix.versions }}'
           severity: 'CRITICAL,HIGH'
           format: 'sarif'
           output: 'trivy-results.sarif'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858  # v3.29.0
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498  # v3.29.11
         with:
           sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/yamllint.yml b/.github/workflows/yamllint.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout'
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
       - name: 'Yamllint'
         uses: karancode/yamllint-github-action@4052d365f09b8d34eb552c363d1141fd60e2aeb2
         with:

diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.24.4
+1.25.0
diff --git a/ADOPTERS.md b/ADOPTERS.md
@@ -34,3 +34,4 @@
 * [Northflank](https://northflank.com/) uses CoreDNS on all of our Kubernetes clusters across GCP, AWS, and bare-metal.
 * [PITS Global Data Recovery Services](https://www.pitsdatarecovery.net) uses CoreDNS on K8s in its highly-loaded internal infrastructure.
 * [plusserver](https://www.plusserver.com) uses CoreDNS on K8s in its plusserver Kubernetes Engine.
+* [Sophotech](https://sopho.tech) uses CoreDNS with a tuned configuration for Kubernetes deployment in production environments.
diff --git a/Dockerfile b/Dockerfile
@@ -8,8 +8,8 @@ RUN export DEBCONF_NONINTERACTIVE_SEEN=true \
            DEBIAN_PRIORITY=critical \
            TERM=linux ; \
     apt-get -qq update ; \
-    apt-get -yyqq upgrade ; \
-    apt-get -yyqq install ca-certificates libcap2-bin; \
+    apt-get -qq upgrade ; \
+    apt-get -qq --no-install-recommends install ca-certificates libcap2-bin; \
     apt-get clean
 COPY coredns /coredns
 RUN setcap cap_net_bind_service=+ep /coredns
@@ -18,6 +18,8 @@ FROM --platform=$TARGETPLATFORM ${BASE}
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 COPY --from=build /coredns /coredns
 USER nonroot:nonroot
+# Reset the working directory inherited from the base image back to the expected default:
+# https://github.com/coredns/coredns/issues/7009#issuecomment-3124851608
 WORKDIR /
 EXPOSE 53 53/udp
 ENTRYPOINT ["/coredns"]
diff --git a/README.md b/README.md
@@ -57,7 +57,7 @@ out-of-tree plugins.
 To compile CoreDNS, we assume you have a working Go setup. See various tutorials if you don’t have
 that already configured.
 
-First, make sure your golang version is 1.23.0 or higher as `go mod` support and other api is needed.
+First, make sure your golang version is 1.24.0 or higher as `go mod` support and other api is needed.
 See [here](https://github.com/golang/go/wiki/Modules) for `go mod` details.
 Then, check out the project and run `make` to compile the binary:
 
@@ -79,7 +79,7 @@ setup a Go environment, you could build CoreDNS easily:
 ```
 docker run --rm -i -t \
     -v $PWD:/go/src/github.com/coredns/coredns -w /go/src/github.com/coredns/coredns \
-        golang:1.22 sh -c 'GOFLAGS="-buildvcs=false" make gen && GOFLAGS="-buildvcs=false" make'
+        golang:1.24 sh -c 'GOFLAGS="-buildvcs=false" make gen && GOFLAGS="-buildvcs=false" make'
 ```
 
 The above command alone will have `coredns` binary generated.

diff --git a/core/dnsserver/https.go b/core/dnsserver/https.go
@@ -43,6 +43,11 @@ func (d *DoHWriter) LocalAddr() net.Addr {
 	return d.laddr
 }
 
+// Network no-op implementation.
+func (d *DoHWriter) Network() string {
+	return ""
+}
+
 // Request returns the HTTP request.
 func (d *DoHWriter) Request() *http.Request {
 	return d.request

diff --git a/core/dnsserver/quic.go b/core/dnsserver/quic.go
@@ -2,6 +2,7 @@ package dnsserver
 
 import (
 	"encoding/binary"
+	"errors"
 	"net"
 
 	"github.com/miekg/dns"
@@ -11,11 +12,14 @@ import (
 type DoQWriter struct {
 	localAddr  net.Addr
 	remoteAddr net.Addr
-	stream     quic.Stream
+	stream     *quic.Stream
 	Msg        *dns.Msg
 }
 
 func (w *DoQWriter) Write(b []byte) (int, error) {
+	if w.stream == nil {
+		return 0, errors.New("stream is nil")
+	}
 	b = AddPrefix(b)
 	return w.stream.Write(b)
 }
@@ -40,6 +44,9 @@ func (w *DoQWriter) WriteMsg(m *dns.Msg) error {
 // mechanism that no further data will be sent on that stream.
 // See https://www.rfc-editor.org/rfc/rfc9250#section-4.2-7
 func (w *DoQWriter) Close() error {
+	if w.stream == nil {
+		return errors.New("stream is nil")
+	}
 	return w.stream.Close()
 }
 
@@ -58,3 +65,4 @@ func (w *DoQWriter) TsigTimersOnly(b bool) {}
 func (w *DoQWriter) Hijack()               {}
 func (w *DoQWriter) LocalAddr() net.Addr   { return w.localAddr }
 func (w *DoQWriter) RemoteAddr() net.Addr  { return w.remoteAddr }
+func (w *DoQWriter) Network() string       { return "" }