]> git.ipfire.org Git - thirdparty/pdns.git/commit
projects / thirdparty / pdns.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 04ea816) | patch
dnsdist: Add mitigations against misbehaving TCP/TLS clients
authorRemi Gacogne <remi.gacogne@powerdns.com>
Fri, 28 Mar 2025 14:52:08 +0000 (15:52 +0100)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 31 Mar 2025 14:19:05 +0000 (16:19 +0200)
commitc5cabe15e4ae707b8360bc19c3043b2a6b6bff7f
treea6591fafdea1865cf149dea9f3a30a2e4f3f9b1btree
parent04ea8166312987a9f98b3c5c6c80d964c1815205commit | diff
dnsdist: Add mitigations against misbehaving TCP/TLS clients

This commit adds several mitigations against misbehaving TCP/TLS clients:
- when a client is near the limit of concurrent TCP connections it is
allowed to have, the number of DNS queries over a single TCP connection
is restricted to 1 and the idle timout is reduced to 500 ms
- the same restrictions are applied to all connections if the frontend
is near the limit of concurrent TCP connections
- a limit of 50 read I/O events per query is enforced on incoming TCP
connections, to prevent a connection from continuously sending very small
packets to keep the worker busy. Clients exceeding this limit can
be prevented from opening new TCP connections for a configurable
amount of time
- three new configurable rates are introduced: new TCP connections
per second per client, new TLS sessions per second per client,
resumed TLS sessions per secondper client. Clients exceeding these
rates can be prevented from opening new TCP connections for a
configurable amount of time
22 files changed:
pdns/dnsdistdist/Makefile.am diff | blob | blame | history
pdns/dnsdistdist/dnsdist-carbon.cc diff | blob | blame | history
pdns/dnsdistdist/dnsdist-concurrent-connections.cc [new file with mode: 0644] blob
pdns/dnsdistdist/dnsdist-concurrent-connections.hh diff | blob | blame | history
pdns/dnsdistdist/dnsdist-configuration.hh diff | blob | blame | history
pdns/dnsdistdist/dnsdist-console.cc diff | blob | blame | history
pdns/dnsdistdist/dnsdist-lua-configuration-items.cc diff | blob | blame | history
pdns/dnsdistdist/dnsdist-lua-inspection.cc diff | blob | blame | history
pdns/dnsdistdist/dnsdist-nghttp2-in.cc diff | blob | blame | history
pdns/dnsdistdist/dnsdist-rust-lib/dnsdist-configuration-yaml-items-generated.cc diff | blob | blame | history
pdns/dnsdistdist/dnsdist-rust-lib/rust/src/lib.rs diff | blob | blame | history
pdns/dnsdistdist/dnsdist-settings-definitions.yml diff | blob | blame | history
pdns/dnsdistdist/dnsdist-tcp-upstream.hh diff | blob | blame | history
pdns/dnsdistdist/dnsdist-tcp.cc diff | blob | blame | history
pdns/dnsdistdist/dnsdist-tcp.hh diff | blob | blame | history
pdns/dnsdistdist/dnsdist-web.cc diff | blob | blame | history
pdns/dnsdistdist/dnsdist.hh diff | blob | blame | history
pdns/dnsdistdist/docs/reference/tuning.rst diff | blob | blame | history
pdns/dnsdistdist/docs/reference/yaml-settings.rst diff | blob | blame | history
pdns/dnsdistdist/doh.cc diff | blob | blame | history
pdns/dnsdistdist/meson.build diff | blob | blame | history
regression-tests.dnsdist/test_TCPLimits.py diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.