]> git.ipfire.org Git - thirdparty/bind9.git/commit
projects / thirdparty / bind9.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1c390aa) | patch
Limit the number of addresses returned per ADB find
authorColin Vidal <colin@isc.org>
Thu, 5 Feb 2026 08:46:01 +0000 (09:46 +0100)
committerMichał Kępień <michal@isc.org>
Thu, 7 May 2026 11:09:18 +0000 (13:09 +0200)
commit1bedd7f2441f2d81f2f45b9bfd5c2853d3f44e5c
tree110249105ca685e9d31c80e786183e8f9981eb19tree | snapshot
parent1c390aacaedaf788a04ba053758c1b7f53673f0bcommit | diff
Limit the number of addresses returned per ADB find

Add a hard limit on the number of addresses that ADB returns from a
single NS lookup (dns_adbfind_t).  This mitigates a flood attack
where an attacker controls a zone with many addresses for a
nameserver, each returning an invalid response.  The global
max-query count (default 50) also limits this, but significant harm
can be done before that limit is reached.

The default limit is now 6 (v4 and/or v6) addresses for an ADB find (so,
ADB looking up for A/AAAA addresses of a name server name). It can be
overridden for testing via 'named -T adbaddrslimit=N'.

(cherry picked from commit 3ec37fc69356ee682bee7f67940613ac31d93d7b)
bin/named/main.c diff | blob | blame | history
lib/dns/adb.c diff | blob | blame | history
Mirror of https://gitlab.isc.org/isc-projects/bind9.git