From: Andoni Duarte
Date: Wed, 15 Jan 2025 14:42:44 +0000 (+0000)
Subject: [CVE-2024-12705] sec: usr: DNS-over-HTTP(s) flooding fixes
X-Git-Tag: v9.21.4~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bddaff32104aa1163c5787bce35b58fe7dc27e85;p=thirdparty%2Fbind9.git

[CVE-2024-12705] sec: usr: DNS-over-HTTP(s) flooding fixes

Fix DNS-over-HTTP(S) implementation issues that arise under heavy query load. Optimize resource usage for :iscman:`named` instances that accept queries over DNS-over-HTTP(S).

Previously, :iscman:`named` would process all incoming HTTP/2 data at once, which could overwhelm the server, especially when dealing with clients that send requests but don't wait for responses. That has been fixed. Now, :iscman:`named` handles HTTP/2 data in smaller chunks and throttles reading until the remote side reads the response data. It also throttles clients that send too many requests at once.

Additionally, :iscman:`named` now carefully processes data sent by some clients, which can be considered "flooding." It logs these clients and drops connections from them. :gl:`#4795`

In some cases, :iscman:`named` could leave DNS-over-HTTP(S) connections in the `CLOSE_WAIT` state indefinitely. That also has been fixed.

ISC would like to thank JF Billaud for thoroughly investigating the issue and verifying the fix. :gl:`#5083`

See https://gitlab.isc.org/isc-projects/bind9/-/issues/4795
Closes https://gitlab.isc.org/isc-projects/bind9/-/issues/5083

Merge branch 'artem-improve-doh-resource-usage' into 'v9.21.4-release'

See merge request isc-private/bind9!732
---
bddaff32104aa1163c5787bce35b58fe7dc27e85