Merge commit from fork

Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-20 17:15:10 -05:00 · 2025-12-18 05:08:59 +02:00
parent 0fb05f225c
commit 0d8cbb1a6b
24 changed files with 1689 additions and 24 deletions
--- a/core/dnsserver/server_https.go
+++ b/core/dnsserver/server_https.go
@@ -18,15 +18,23 @@ import (
 	"github.com/coredns/coredns/plugin/pkg/response"
 	"github.com/coredns/coredns/plugin/pkg/reuseport"
 	"github.com/coredns/coredns/plugin/pkg/transport"
+
+	"golang.org/x/net/netutil"
+)
+
+const (
+	// DefaultHTTPSMaxConnections is the default maximum number of concurrent connections.
+	DefaultHTTPSMaxConnections = 200
 )

 // ServerHTTPS represents an instance of a DNS-over-HTTPS server.
 type ServerHTTPS struct {
 	*Server
-	httpsServer  *http.Server
-	listenAddr   net.Addr
-	tlsConfig    *tls.Config
-	validRequest func(*http.Request) bool
+	httpsServer    *http.Server
+	listenAddr     net.Addr
+	tlsConfig      *tls.Config
+	validRequest   func(*http.Request) bool
+	maxConnections int
 }

 // loggerAdapter is a simple adapter around CoreDNS logger made to implement io.Writer in order to log errors from HTTP server
@@ -81,8 +89,17 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
 		IdleTimeout:  s.IdleTimeout,
 		ErrorLog:     stdlog.New(&loggerAdapter{}, "", 0),
 	}
+	maxConnections := DefaultHTTPSMaxConnections
+	if len(group) > 0 && group[0] != nil && group[0].MaxHTTPSConnections != nil {
+		maxConnections = *group[0].MaxHTTPSConnections
+	}
+
 	sh := &ServerHTTPS{
-		Server: s, tlsConfig: tlsConfig, httpsServer: srv, validRequest: validator,
+		Server:         s,
+		tlsConfig:      tlsConfig,
+		httpsServer:    srv,
+		validRequest:   validator,
+		maxConnections: maxConnections,
 	}
 	sh.httpsServer.Handler = sh

@@ -98,9 +115,15 @@ func (s *ServerHTTPS) Serve(l net.Listener) error {
 	s.listenAddr = l.Addr()
 	s.m.Unlock()

+	// Wrap listener to limit concurrent connections (before TLS)
+	if s.maxConnections > 0 {
+		l = netutil.LimitListener(l, s.maxConnections)
+	}
+
 	if s.tlsConfig != nil {
 		l = tls.NewListener(l, s.tlsConfig)
 	}
+
 	return s.httpsServer.Serve(l)
 }