From 7ae1c40db200a29d8160707bcffb232c53a2005c Mon Sep 17 00:00:00 2001
From: YOUNEVSKY <77975903+younevsky@users.noreply.github.com>
Date: Wed, 25 Feb 2026 10:21:04 +0000
Subject: [PATCH] plugin/loop: use crypto/rand for query name generation (#7881)
---
 plugin/loop/setup.go | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/plugin/loop/setup.go b/plugin/loop/setup.go
index edef1b9de..6164aafe4 100644
--- a/plugin/loop/setup.go
+++ b/plugin/loop/setup.go
@@ -1,6 +1,8 @@
 package loop
 import (
+ "crypto/rand"
+ "math/big"
 "net"
 "strconv"
 "time"
@@ -9,7 +11,6 @@ import (
 "github.com/coredns/coredns/core/dnsserver"
 "github.com/coredns/coredns/plugin"
 "github.com/coredns/coredns/plugin/pkg/dnsutil"
- "github.com/coredns/coredns/plugin/pkg/rand"
 )
 func init() { plugin.Register("loop", setup) }
@@ -82,12 +83,20 @@ func parse(c *caddy.Controller) (*Loop, error) {
 return New(zones[0]), nil
 }
-// qname returns a random name. ..
+// qname returns a secure random name: ...
 func qname(zone string) string {
- l1 := strconv.Itoa(r.Int())
- l2 := strconv.Itoa(r.Int())
+ l1 := secureRandIntString()
+ l2 := secureRandIntString()
 return dnsutil.Join(l1, l2, zone)
 }
-var r = rand.New(time.Now().UnixNano())
+func secureRandIntString() string {
+ // Generate a random 62-bit integer
+ n, err := rand.Int(rand.Reader, big.NewInt(1<<62))
+ if err != nil {
+ // Fallback to startup time in case rand.Reader is unavailable
+ return strconv.FormatInt(time.Now().UnixNano(), 10)
+ }
+ return n.String()
+}
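Review bot: The error branch of secureRandIntString in the last hunk returns `strconv.FormatInt(time.Now().UnixNano(), 10)`, so if rand.Reader ever fails both labels become near-identical clock readings and the query name is guessable again, silently undoing the property this commit is meant to provide. The inline comment is also inaccurate: the clock is read at each call, not at startup. Prefer failing closed, for example by returning the error up through qname so the caller can skip or retry the probe. At minimum, log the failure and reword the comment to `// crypto/rand failed: falling back to the current time; the name is predictable in this case`. qname's caller lies outside this hunk, so any signature change needs checking against it. The new helper would also benefit from a doc comment stating that it returns a decimal string drawn uniformly from [0, 2^62).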