Articles

Restrict DNS Query Access with the CoreDNS ACL Plugin (2026)

April 16, 2026 3 min read

The CoreDNS acl plugin allows you to restrict DNS query access based on client IP addresses.

Let’s see it in action. Imagine a common scenario: you have a CoreDNS server acting as the internal DNS resolver for your company, and you want to ensure that only clients within your private network can query it for internal zone records. External clients should be blocked from querying these specific zones.

Here’s a simplified Corefile snippet demonstrating this:

.:53 {
    acl {
        acl.allow internal_clients {
            zone example.com
            client 192.168.1.0/24
            client 10.0.0.0/8
        }
        acl.block all_other_clients {
            zone example.com
        }
    }
    forward . 8.8.8.8
    cache 30
    reload
}

In this configuration:

  • The acl block defines access control rules.
  • acl.allow internal_clients specifies that clients from the 192.168.1.0/24 and 10.0.0.0/8 networks are allowed to query the example.com zone.
  • acl.block all_other_clients then explicitly blocks any other client attempting to query the example.com zone.
  • The forward . 8.8.8.8 line is a fallback for other queries, forwarding them to Google’s public DNS.
  • cache 30 caches responses for 30 seconds.
  • reload allows the Corefile to be reloaded without restarting the server.

The acl plugin works by processing rules in the order they appear in the Corefile. When a query arrives, CoreDNS checks if it matches any of the acl.allow or acl.block stanzas for the zone being queried. If a match is found, the action (allow or block) is taken immediately. If no specific rule matches for a zone, the query is allowed to proceed to the next plugin in the chain. This sequential processing is crucial for understanding how your access control policies are enforced.

The primary problem this solves is preventing unauthorized access to internal DNS records, which could otherwise be a vector for information leakage or denial-of-service attacks against your internal infrastructure. By defining granular access rules, you enhance your network’s security posture. You can also use it to restrict access to specific DNS resolvers, ensuring that only trusted clients can utilize your internal DNS services for critical lookups.

A subtle but powerful aspect of the acl plugin is its interaction with other plugins. For instance, if you have a rewrite plugin that modifies queries before the acl plugin, your access control might not behave as expected. The acl plugin evaluates based on the original client IP and the original query, but the rewrite might alter the query itself. Conversely, if acl is placed after a plugin that changes the client IP (which is uncommon but possible with custom plugins or specific network configurations), your rules would be evaluated against the wrong source. Always consider the order of plugins in your Corefile and how they might affect the data the acl plugin sees.

The next concept you’ll likely encounter is managing more complex network topologies and conditional access, possibly leading you to explore the geoip or remote plugins for more dynamic access control.

Want structured learning?

Take the full Coredns course →