Limit the number of addresses returned per ADB find

Add a hard limit on the number of addresses that ADB returns from a
single NS lookup (dns_adbfind_t).  This mitigates a flood attack
where an attacker controls a zone with many addresses for a
nameserver, each returning an invalid response.  The global
max-query count (default 50) also limits this, but significant harm
can be done before that limit is reached.

The default limit is now 6 (v4 and/or v6) addresses for an ADB find (so,
ADB looking up for A/AAAA addresses of a name server name). It can be
overridden for testing via 'named -T adbaddrslimit=N'.

(cherry picked from commit 3ec37fc69356ee682bee7f67940613ac31d93d7b)

diff --git a/bin/named/main.c b/bin/named/main.c
index df47e8d667d8db3d8bdd5d11a4651ca460b8599a..ddd43c9b2cc8e437b79ac447f8fa6325769f9ba8 100644 (file)
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -114,6 +114,8 @@ extern unsigned int dns_zone_mkey_hour;
 extern unsigned int dns_zone_mkey_day;
 extern unsigned int dns_zone_mkey_month;
 
+extern size_t dns_adb_addrslimit;
+
 static bool want_stats = false;
 static char program_name[NAME_MAX] = "named";
 static char absolute_conffile[PATH_MAX];
@@ -805,6 +807,13 @@ parse_T_opt(char *option) {
                transferstuck = true;
        } else if (!strncmp(option, "tat=", 4)) {
                named_g_tat_interval = atoi(option + 4);
+       } else if (!strncmp(option, "adbaddrslimit=", 14)) {
+               size_t adb_addrslimit = atoi(option + 14);
+               if (adb_addrslimit < 1) {
+                       named_main_earlyfatal("adbaddrslimit must be at "
+                                             "least 1");
+               }
+               dns_adb_addrslimit = adb_addrslimit;
        } else {
                fprintf(stderr, "unknown -T flag '%s'\n", option);
        }

diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 955ecc09f52442636dc83fd52f526c8940eec088..87fc357cd880c54eea28e5e65312defa48ecf560 100644 (file)
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -86,6 +86,15 @@
 
 #define DNS_ADB_MINADBSIZE (1024U * 1024U) /*%< 1 Megabyte */
 
+/*
+ * Default and override for the per-find address limit, the sum of the number of
+ * A and AAAA RR from an ADB NS name resolution.  When non-zero, this value is
+ * used instead of the default.  Can be set via 'named -T adbaddrslimit=N' for
+ * testing.
+ */
+#define DEFAULT_ADDRSLIMIT 6
+size_t dns_adb_addrslimit = 0;
+
 typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
 typedef struct dns_adbnamehook dns_adbnamehook_t;
 typedef ISC_LIST(dns_adbnamehook_t) dns_adbnamehooklist_t;
@@ -2200,6 +2209,9 @@ copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find,
        dns_adbaddrinfo_t *addrinfo;
        dns_adbentry_t *entry;
        int bucket;
+       size_t count = 0;
+       size_t limit = dns_adb_addrslimit != 0 ? dns_adb_addrslimit
+                                              : DEFAULT_ADDRSLIMIT;
 
        bucket = DNS_ADB_INVALIDBUCKET;
 
@@ -2232,6 +2244,13 @@ copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find,
                        inc_entry_refcnt(adb, entry, false);
                        ISC_LIST_APPEND(find->list, addrinfo, publink);
                        addrinfo = NULL;
+
+                       if (++count >= limit) {
+                               DP(ISC_LOG_DEBUG(3), "skipping addresses");
+                               UNLOCK(&adb->entrylocks[bucket]);
+                               return;
+                       }
+
                nextv4:
                        UNLOCK(&adb->entrylocks[bucket]);
                        bucket = DNS_ADB_INVALIDBUCKET;
@@ -2267,6 +2286,13 @@ copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find,
                        inc_entry_refcnt(adb, entry, false);
                        ISC_LIST_APPEND(find->list, addrinfo, publink);
                        addrinfo = NULL;
+
+                       if (++count >= limit) {
+                               DP(ISC_LOG_DEBUG(3), "skipping addresses");
+                               UNLOCK(&adb->entrylocks[bucket]);
+                               return;
+                       }
+
                nextv6:
                        UNLOCK(&adb->entrylocks[bucket]);
                        bucket = DNS_ADB_INVALIDBUCKET;