Merge commit from fork

Add configurable resource limits to prevent potential DoS vectors
via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers.

New configuration plugins:
- grpc_server: configure max_streams, max_connections
- https: configure max_connections
- https3: configure max_streams

Changes:
- Use netutil.LimitListener for connection limiting
- Use gRPC MaxConcurrentStreams and message size limits
- Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting
- Set secure defaults: 256 max streams, 200 max connections
- Setting any limit to 0 means unbounded/fallback to previous impl

Defaults are applied automatically when plugins are omitted from
config.

Includes tests and integration tests.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

test/grpc_test.go

@@ -2,19 +2,40 @@ package test
 
 import (
 	"context"
+	"crypto/tls"
+	"net"
 	"testing"
+	"time"
 
 	"github.com/coredns/coredns/pb"
 
 	"github.com/miekg/dns"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )
 
+var grpcCorefile = `grpc://.:0 {
+	whoami
+}`
+
+var grpcLimitCorefile = `grpc://.:0 {
+	grpc_server {
+		max_streams 2
+	}
+	whoami
+}`
+
+var grpcConnectionLimitCorefile = `grpc://.:0 {
+	tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem ../plugin/tls/test_ca.pem
+	grpc_server {
+		max_connections 2
+	}
+	whoami
+}`
+
 func TestGrpc(t *testing.T) {
-	corefile := `grpc://.:0 {
-		whoami
-	}`
+	corefile := grpcCorefile
 
 	g, _, tcp, err := CoreDNSServerAndPorts(corefile)
 	if err != nil {
@@ -53,3 +74,127 @@ func TestGrpc(t *testing.T) {
 		t.Errorf("Expected 2 RRs in additional section, but got %d", len(d.Extra))
 	}
 }
+
+// TestGRPCWithLimits tests that the server starts and works with configured limits
+func TestGRPCWithLimits(t *testing.T) {
+	g, _, tcp, err := CoreDNSServerAndPorts(grpcLimitCorefile)
+	if err != nil {
+		t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+	}
+	defer g.Stop()
+
+	conn, err := grpc.NewClient(tcp, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		t.Fatalf("Expected no error but got: %s", err)
+	}
+	defer conn.Close()
+
+	client := pb.NewDnsServiceClient(conn)
+
+	m := new(dns.Msg)
+	m.SetQuestion("whoami.example.org.", dns.TypeA)
+	msg, _ := m.Pack()
+
+	reply, err := client.Query(context.Background(), &pb.DnsPacket{Msg: msg})
+	if err != nil {
+		t.Fatalf("Query failed: %s", err)
+	}
+
+	d := new(dns.Msg)
+	if err := d.Unpack(reply.GetMsg()); err != nil {
+		t.Fatalf("Failed to unpack: %s", err)
+	}
+
+	if d.Rcode != dns.RcodeSuccess {
+		t.Errorf("Expected success but got %d", d.Rcode)
+	}
+}
+
+// TestGRPCConnectionLimit tests that connection limits are enforced
+func TestGRPCConnectionLimit(t *testing.T) {
+	g, _, tcp, err := CoreDNSServerAndPorts(grpcConnectionLimitCorefile)
+	if err != nil {
+		t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+	}
+	defer g.Stop()
+
+	const maxConns = 2
+
+	// Create TLS connections to hold them open
+	tlsConfig := &tls.Config{InsecureSkipVerify: true}
+	conns := make([]net.Conn, 0, maxConns+1)
+	defer func() {
+		for _, c := range conns {
+			c.Close()
+		}
+	}()
+
+	// Open connections up to the limit - these should succeed
+	for i := range maxConns {
+		conn, err := tls.Dial("tcp", tcp, tlsConfig)
+		if err != nil {
+			t.Fatalf("Connection %d failed (should succeed): %v", i+1, err)
+		}
+		conns = append(conns, conn)
+	}
+
+	// Try to open more connections beyond the limit - should timeout
+	conn, err := tls.DialWithDialer(
+		&net.Dialer{Timeout: 100 * time.Millisecond},
+		"tcp", tcp, tlsConfig,
+	)
+	if err == nil {
+		conn.Close()
+		t.Fatal("Connection beyond limit should have timed out")
+	}
+
+	// Close one connection and verify a new one can be established
+	conns[0].Close()
+	conns = conns[1:]
+
+	time.Sleep(10 * time.Millisecond)
+
+	conn, err = tls.Dial("tcp", tcp, tlsConfig)
+	if err != nil {
+		t.Fatalf("Connection after freeing slot failed: %v", err)
+	}
+	conns = append(conns, conn)
+}
+
+// TestGRPCTLSWithLimits tests that gRPC with TLS starts and works with configured limits
+func TestGRPCTLSWithLimits(t *testing.T) {
+	g, _, tcp, err := CoreDNSServerAndPorts(grpcConnectionLimitCorefile)
+	if err != nil {
+		t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+	}
+	defer g.Stop()
+
+	tlsConfig := &tls.Config{InsecureSkipVerify: true}
+	creds := credentials.NewTLS(tlsConfig)
+
+	conn, err := grpc.NewClient(tcp, grpc.WithTransportCredentials(creds))
+	if err != nil {
+		t.Fatalf("Expected no error but got: %s", err)
+	}
+	defer conn.Close()
+
+	client := pb.NewDnsServiceClient(conn)
+
+	m := new(dns.Msg)
+	m.SetQuestion("whoami.example.org.", dns.TypeA)
+	msg, _ := m.Pack()
+
+	reply, err := client.Query(context.Background(), &pb.DnsPacket{Msg: msg})
+	if err != nil {
+		t.Fatalf("Query failed: %s", err)
+	}
+
+	d := new(dns.Msg)
+	if err := d.Unpack(reply.GetMsg()); err != nil {
+		t.Fatalf("Failed to unpack: %s", err)
+	}
+
+	if d.Rcode != dns.RcodeSuccess {
+		t.Errorf("Expected success but got %d", d.Rcode)
+	}
+}

test/https3_test.go

@@ -0,0 +1,145 @@
+package test
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"io"
+	"net/http"
+	"testing"
+	"time"
+
+	ctls "github.com/coredns/coredns/plugin/pkg/tls"
+
+	"github.com/miekg/dns"
+	"github.com/quic-go/quic-go/http3"
+)
+
+var https3Corefile = `https3://.:0 {
+	tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem ../plugin/tls/test_ca.pem
+	whoami
+}`
+
+var https3LimitCorefile = `https3://.:0 {
+	tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem ../plugin/tls/test_ca.pem
+	https3 {
+		max_streams 2
+	}
+	whoami
+}`
+
+func generateHTTPS3TLSConfig() *tls.Config {
+	tlsConfig, err := ctls.NewTLSConfig(
+		"../plugin/tls/test_cert.pem",
+		"../plugin/tls/test_key.pem",
+		"../plugin/tls/test_ca.pem")
+
+	if err != nil {
+		panic(err)
+	}
+
+	tlsConfig.InsecureSkipVerify = true
+
+	return tlsConfig
+}
+
+func TestHTTPS3(t *testing.T) {
+	s, udp, _, err := CoreDNSServerAndPorts(https3Corefile)
+	if err != nil {
+		t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+	}
+	defer s.Stop()
+
+	// Create HTTP/3 client
+	transport := &http3.Transport{
+		TLSClientConfig: generateHTTPS3TLSConfig(),
+	}
+	defer transport.Close()
+
+	client := &http.Client{
+		Transport: transport,
+		Timeout:   5 * time.Second,
+	}
+
+	// Create DNS query
+	m := new(dns.Msg)
+	m.SetQuestion("whoami.example.org.", dns.TypeA)
+	msg, err := m.Pack()
+	if err != nil {
+		t.Fatalf("Failed to pack DNS message: %v", err)
+	}
+
+	// Make DoH3 request - use UDP address for HTTP/3
+	url := "https://" + convertAddress(udp) + "/dns-query"
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodPost, url, bytes.NewReader(msg))
+	if err != nil {
+		t.Fatalf("Failed to create request: %v", err)
+	}
+	req.Header.Set("Content-Type", "application/dns-message")
+	req.Header.Set("Accept", "application/dns-message")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("Failed to make request: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("Expected status 200, got %d", resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("Failed to read response: %v", err)
+	}
+
+	d := new(dns.Msg)
+	err = d.Unpack(body)
+	if err != nil {
+		t.Fatalf("Failed to unpack response: %v", err)
+	}
+
+	if d.Rcode != dns.RcodeSuccess {
+		t.Errorf("Expected success but got %d", d.Rcode)
+	}
+
+	if len(d.Extra) != 2 {
+		t.Errorf("Expected 2 RRs in additional section, but got %d", len(d.Extra))
+	}
+}
+
+// TestHTTPS3WithLimits tests that the server starts and works with configured limits
+func TestHTTPS3WithLimits(t *testing.T) {
+	s, udp, _, err := CoreDNSServerAndPorts(https3LimitCorefile)
+	if err != nil {
+		t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+	}
+	defer s.Stop()
+
+	transport := &http3.Transport{
+		TLSClientConfig: generateHTTPS3TLSConfig(),
+	}
+	defer transport.Close()
+
+	client := &http.Client{
+		Transport: transport,
+		Timeout:   5 * time.Second,
+	}
+
+	m := new(dns.Msg)
+	m.SetQuestion("whoami.example.org.", dns.TypeA)
+	msg, _ := m.Pack()
+
+	req, _ := http.NewRequestWithContext(context.Background(), http.MethodPost, "https://"+convertAddress(udp)+"/dns-query", bytes.NewReader(msg))
+	req.Header.Set("Content-Type", "application/dns-message")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("Request failed: %s", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("Expected status 200, got %d", resp.StatusCode)
+	}
+}

test/https_test.go

@@ -0,0 +1,177 @@
+package test
+
+import (
+	"bytes"
+	"crypto/tls"
+	"io"
+	"net"
+	"net/http"
+	"testing"
+	"time"
+
+	"github.com/miekg/dns"
+)
+
+var httpsCorefile = `https://.:0 {
+	tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem ../plugin/tls/test_ca.pem
+	whoami
+}`
+
+var httpsLimitCorefile = `https://.:0 {
+	tls ../plugin/tls/test_cert.pem ../plugin/tls/test_key.pem ../plugin/tls/test_ca.pem
+	https {
+		max_connections 2
+	}
+	whoami
+}`
+
+func TestHTTPS(t *testing.T) {
+	s, _, tcp, err := CoreDNSServerAndPorts(httpsCorefile)
+	if err != nil {
+		t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+	}
+	defer s.Stop()
+
+	// Create HTTPS client with TLS config
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: true,
+	}
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: tlsConfig,
+		},
+		Timeout: 5 * time.Second,
+	}
+
+	// Create DNS query
+	m := new(dns.Msg)
+	m.SetQuestion("whoami.example.org.", dns.TypeA)
+	msg, err := m.Pack()
+	if err != nil {
+		t.Fatalf("Failed to pack DNS message: %v", err)
+	}
+
+	// Make DoH request
+	url := "https://" + tcp + "/dns-query"
+	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(msg))
+	if err != nil {
+		t.Fatalf("Failed to create request: %v", err)
+	}
+	req.Header.Set("Content-Type", "application/dns-message")
+	req.Header.Set("Accept", "application/dns-message")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("Failed to make request: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("Expected status 200, got %d", resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf("Failed to read response: %v", err)
+	}
+
+	d := new(dns.Msg)
+	err = d.Unpack(body)
+	if err != nil {
+		t.Fatalf("Failed to unpack response: %v", err)
+	}
+
+	if d.Rcode != dns.RcodeSuccess {
+		t.Errorf("Expected success but got %d", d.Rcode)
+	}
+
+	if len(d.Extra) != 2 {
+		t.Errorf("Expected 2 RRs in additional section, but got %d", len(d.Extra))
+	}
+}
+
+// TestHTTPSWithLimits tests that the server starts and works with configured limits
+func TestHTTPSWithLimits(t *testing.T) {
+	s, _, tcp, err := CoreDNSServerAndPorts(httpsLimitCorefile)
+	if err != nil {
+		t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+	}
+	defer s.Stop()
+
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		},
+		Timeout: 5 * time.Second,
+	}
+
+	m := new(dns.Msg)
+	m.SetQuestion("whoami.example.org.", dns.TypeA)
+	msg, _ := m.Pack()
+
+	req, _ := http.NewRequest(http.MethodPost, "https://"+tcp+"/dns-query", bytes.NewReader(msg))
+	req.Header.Set("Content-Type", "application/dns-message")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("Request failed: %s", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("Expected status 200, got %d", resp.StatusCode)
+	}
+}
+
+// TestHTTPSConnectionLimit tests that connection limits are enforced
+func TestHTTPSConnectionLimit(t *testing.T) {
+	s, _, tcp, err := CoreDNSServerAndPorts(httpsLimitCorefile)
+	if err != nil {
+		t.Fatalf("Could not get CoreDNS serving instance: %s", err)
+	}
+	defer s.Stop()
+
+	const maxConns = 2
+	const totalConns = 4
+
+	// Create raw TLS connections to hold them open
+	conns := make([]net.Conn, 0, totalConns)
+	defer func() {
+		for _, c := range conns {
+			c.Close()
+		}
+	}()
+
+	// Open connections up to the limit - these should succeed
+	for i := range maxConns {
+		conn, err := tls.Dial("tcp", tcp, &tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			t.Fatalf("Connection %d failed (should succeed): %v", i+1, err)
+		}
+		conns = append(conns, conn)
+	}
+
+	// Try to open more connections beyond the limit
+	// The LimitListener blocks Accept() until a slot is free, so Dial with timeout should fail
+	conn, err := tls.DialWithDialer(
+		&net.Dialer{Timeout: 100 * time.Millisecond},
+		"tcp", tcp,
+		&tls.Config{InsecureSkipVerify: true},
+	)
+	if err == nil {
+		conn.Close()
+		t.Fatal("Connection beyond limit should have timed out")
+	}
+
+	// Close one connection and verify a new one can be established
+	conns[0].Close()
+	conns = conns[1:]
+
+	time.Sleep(10 * time.Millisecond) // Give the listener time to accept
+
+	conn, err = tls.Dial("tcp", tcp, &tls.Config{InsecureSkipVerify: true})
+	if err != nil {
+		t.Fatalf("Connection after freeing slot failed: %v", err)
+	}
+	conns = append(conns, conn)
+}