diff --git a/coredns/Dockerfile b/coredns/Dockerfile
index e686aab..88c0394 100644
--- a/coredns/Dockerfile
+++ b/coredns/Dockerfile
@@ -12,12 +12,23 @@
 # not yet exist. Building this image will fail until Phase 1 ships.
 # ─── Stage 1: builder ──────────────────────────────────────────────
-FROM golang:1.22-alpine AS builder
+FROM golang:1.25-alpine AS builder
+
+# GOTOOLCHAIN=auto lets `go` download a newer toolchain on demand if
+# go.mod (ours OR a transitive dep's) specifies a Go version newer
+# than the base image. Belt-and-suspenders so an upstream version
+# bump doesn't break this Dockerfile.
+ENV GOTOOLCHAIN=auto
+# Bypass the public Go module proxy. Our plugin lives on a private
+# Gitea instance, which proxy.golang.org won't (and shouldn't) cache.
+# direct = go talks to the upstream VCS for every module fetch.
+ENV GOPROXY=direct
+ENV GOSUMDB=off
 RUN apk add --no-cache git make
 WORKDIR /build
-ARG COREDNS_REF=v1.12.2
+ARG COREDNS_REF=v1.14.3
 RUN git clone --depth 1 --branch ${COREDNS_REF} https://github.com/coredns/coredns.git .
 # Inject our plugin into plugin.cfg. Must come BEFORE the `cache` plugin
@@ -27,7 +38,12 @@ ARG PLUGIN_REF=latest
 RUN sed -i "/^cache:cache$/i rfc2136:${PLUGIN_REPO}" plugin.cfg && \
 go get ${PLUGIN_REPO}@${PLUGIN_REF}
-RUN make GOFLAGS="-ldflags=-w -s"
+# Go's GOFLAGS env splits on whitespace and doesn't honour shell quoting
+# in a way that survives a Dockerfile RUN, so passing
+# `-ldflags="-w -s"` breaks parsing. We let `make` use its defaults;
+# the resulting binary is ~10 MB larger than a stripped build but
+# works correctly and is what upstream CoreDNS ships.
+RUN make
 # ─── Stage 2: runtime ──────────────────────────────────────────────
 FROM gcr.io/distroless/static-debian12
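Review bot: `ENV GOSUMDB=off` in the first hunk (builder stage) turns off checksum-database verification for every module in the build, not just the private plugin, and together with `ENV GOPROXY=direct` it means CoreDNS's public dependencies are also fetched straight from their VCS hosts with nothing beyond the checked-in go.sum to catch a changed module. Scoping the exception to the private host keeps the proxy and sumdb for everything else: replace the two lines with `ENV GOPRIVATE=<private-gitea-host>` (placeholder; the host comes from PLUGIN_REPO, which is defined outside this hunk). This matters most for the `go get ${PLUGIN_REPO}@${PLUGIN_REF}` step in the second hunk, whose header shows `ARG PLUGIN_REF=latest`, so the plugin version is neither pinned nor verified; pinning PLUGIN_REF to a tag or commit would make the build reproducible. It is also worth confirming that the on-demand toolchain download enabled by `GOTOOLCHAIN=auto` still works and is still verified under whichever proxy and sumdb settings are kept.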