Commit Graph

1468 Commits

Author SHA1 Message Date
Ville Vesilehto
6720959b8b lint(revive): fix unused-parameter violations (#7980) 2026-03-29 17:02:20 -07:00
Ville Vesilehto
6af8fd46fe lint(revive): fix unnecessary-stmt violations (#7978) 2026-03-29 17:02:03 -07:00
Ville Vesilehto
867cd8fd6b lint(revive): fix indent-error-flow violations (#7977) 2026-03-29 17:01:22 -07:00
Ville Vesilehto
7fd983b02c lint(revive): fix context-as-argument violations (#7976) 2026-03-29 17:01:03 -07:00
Ville Vesilehto
61330515de test(forward): restore defaultTimeout (#7981) 2026-03-29 17:00:30 -07:00
Ville Vesilehto
54b06d9a3b lint(revive): fix early-return violations (#7974) 2026-03-29 16:59:22 -07:00
Minghang Chen
34acf8353f proxyproto: add UDP session tracking for Spectrum PPv2 (#7967) 2026-03-28 15:06:36 -07:00
Ingmar Van Glabbeek
12d9457e71 plugin/file: expand SVCB/HTTPS record support (#7950)
* plugin/file: expand SVCB/HTTPS record support

Add proper SVCB (type 64) and HTTPS (type 65) handling:

- Additional section processing: include A/AAAA glue for in-bailiwick
  SVCB/HTTPS targets, matching existing SRV/MX behavior
- Target name normalization: lowercase SVCB/HTTPS Target on zone insert,
  consistent with CNAME/MX handling
- Metrics: add TypeSVCB to monitored query types (TypeHTTPS was already
  present)
- Test helpers: add SVCB()/HTTPS() constructors and Section comparison
  cases
- Tests: basic queries with glue, AliasMode, wildcards, NoData, NXDOMAIN,
  target normalization, and DNS-AID private-use key (65400-65408)
  round-trip

Signed-off-by: Ingmar <ivanglabbeek@infoblox.com>

* plugin/file: simplify HTTPS target access via field promotion

dns.HTTPS embeds dns.SVCB, so .Target is directly accessible
without the redundant .SVCB. qualifier. Fixes gosimple S1027.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Ingmar <ivanglabbeek@infoblox.com>

---------

Signed-off-by: Ingmar <ivanglabbeek@infoblox.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 11:46:41 +02:00
Ilya Kulakov
a8caf4c375 plugin/tls: Add the keylog option to configure TLSConfig.KeyLogWriter (#7537)
* tls: Add the keylog option to configure TLSConfig.KeyLogWriter

Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com>

* tls: Close keylog file on instance shutdown.

Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com>

---------

Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com>
2026-03-27 21:10:13 +02:00
Seena Fallah
471d62926d plugin/tsig: add require_opcode directive for opcode-based TSIG (#7828)
Extend the tsig plugin to require TSIG signatures based on DNS opcodes,
similar to the existing qtype-based requirement.

The new require_opcode directive accepts opcode names (QUERY, IQUERY,
STATUS, NOTIFY, UPDATE) or the special values "all" and "none".

This is useful for requiring TSIG on dynamic update (UPDATE) or zone
transfer notification (NOTIFY) requests while allowing unsigned queries.

Example:
```
  tsig {
    secret key. NoTCJU+DMqFWywaPyxSijrDEA/eC3nK0xi3AMEZuPVk=
    require_opcode UPDATE NOTIFY
  }
```

Signed-off-by: Seena Fallah <seenafallah@gmail.com>
2026-03-27 21:05:49 +02:00
Ville Vesilehto
49b18b8af6 test(dnssec): fix err in TestZoneSigningDouble (#7969) 2026-03-26 20:33:55 -07:00
Yong Tang
a025712827 plugin/transfer: Fix longestMatch to select the most specific zone correctly. (#7949)
* plugin/transfer: Fix longestMatch to select the most specific zone correctly.

This PR fixes longestMatch to select the most specific zone correctly. The previous implementation used lexicographic string comparison, which could choose the wrong zone; this change selects the longest matching zone instead.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Tie breaker

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Fix

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

---------

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2026-03-24 20:35:20 +02:00
rpb-ant
31e16025ef plugin/cache: prefetch without holding a client connection (#7944) 2026-03-24 08:47:11 -07:00
Syed Azeez
f582a01dc9 fix(kubernetes): record cluster_ip services in dns_programming_duration metric (#7951)
Signed-off-by: Azeez Syed <syedazeez337@gmail.com>
2026-03-24 05:29:28 -07:00
Yong Tang
f67994442a core: Reject oversized GET dns query parameter of DoH (#7926)
* core: Reject oversized GET dns query parameter of DoH

The DoH POST path limits request size using http.MaxBytesReader(..., 65536), but the GET path passes the dns query value directly to base64ToMsg() with no equivalent bound.

This PR adds a length check.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

* Fix

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>

---------

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2026-03-18 09:38:44 +02:00
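An added example, written for this page rather than taken from CoreDNS, of the bound the commit above describes: the DoH GET path checks the length of the `dns` parameter before base64url-decoding it, while the POST path keeps `http.MaxBytesReader`. The 65536-byte figure is the one the commit message quotes; `readDoHMessage`, `handleDoH`, the 413/400 status mapping and the derived `maxEncodedDNS` limit are this example's own choices, not the project's API.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxDNSMessage is the cap the POST path already enforces via MaxBytesReader.
const maxDNSMessage = 65536

// maxEncodedDNS is the longest unpadded base64url string (RFC 8484 requires
// no padding) that can decode to at most maxDNSMessage bytes. Anything
// longer cannot be a valid payload, so it is rejected before any decoding.
var maxEncodedDNS = base64.RawURLEncoding.EncodedLen(maxDNSMessage)

var (
	errMissingParam = errors.New("doh: missing dns query parameter")
	errTooLarge     = errors.New("doh: dns message exceeds size limit")
)

// readDoHMessage extracts the DNS wire message from a DoH request, bounding
// the size on both paths. Hypothetical helper for this example only.
func readDoHMessage(w http.ResponseWriter, r *http.Request) ([]byte, error) {
	switch r.Method {
	case http.MethodGet:
		enc := r.URL.Query().Get("dns")
		if enc == "" {
			return nil, errMissingParam
		}
		// Cheap length check first: no allocation and no decode work is
		// spent on an attacker-controlled oversized string.
		if len(enc) > maxEncodedDNS {
			return nil, errTooLarge
		}
		msg, err := base64.RawURLEncoding.DecodeString(enc)
		if err != nil {
			return nil, fmt.Errorf("doh: bad base64url: %w", err)
		}
		if len(msg) > maxDNSMessage {
			return nil, errTooLarge
		}
		return msg, nil
	case http.MethodPost:
		msg, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxDNSMessage))
		if err != nil {
			var mbe *http.MaxBytesError
			if errors.As(err, &mbe) {
				return nil, errTooLarge
			}
			return nil, err
		}
		return msg, nil
	default:
		return nil, fmt.Errorf("doh: unsupported method %s", r.Method)
	}
}

// handleDoH shows how the bounded reader plugs into a handler: oversized
// input gets 413, other malformed input 400; a real server would hand the
// message to the resolver instead of echoing its size.
func handleDoH(w http.ResponseWriter, r *http.Request) {
	msg, err := readDoHMessage(w, r)
	switch {
	case errors.Is(err, errTooLarge):
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
		return
	case err != nil:
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d-byte DNS message\n", len(msg))
}

func main() {
	// Constructed oversized GET: one character past the encoded limit.
	req := httptest.NewRequest(http.MethodGet, "/dns-query?dns="+strings.Repeat("A", maxEncodedDNS+1), nil)
	rec := httptest.NewRecorder()
	handleDoH(rec, req)
	fmt.Println("oversized GET ->", rec.Code) // 413
}
```

The length check runs on the still-encoded string, so the decoder is never asked to allocate for input that could not possibly fit; the post-decode check is kept only as a defensive backstop against any mismatch between the two limits.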
Ville Vesilehto
ece6a68b04 docs(cache): clarify TTL directive (#7941) 2026-03-17 11:55:11 -07:00
Ville Vesilehto
5a63eb61a3 fix(file): protect Zone.Expired with mutex (#7940) 2026-03-16 14:08:03 -07:00
Yong Tang
c0d676e026 Fix case-sensitive zone handling in the transfer plugin for AXFR/IXFR. (#7899)
This PR fixes case-sensitive zone handling in the transfer plugin for AXFR/IXFR, raised in 7898

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2026-03-15 14:27:03 -07:00
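An added example, not the transfer plugin's own code, covering both this commit's case-insensitive zone handling and the longestMatch fix in #7949 above: zone and query names are lowercased and dot-terminated before comparison, matching is done on whole labels, and the most specific zone is the one with the most labels rather than the lexicographically greatest string. `canonical`, `labels`, `isSubDomain`, `lexicographicMatch` (a hypothetical reconstruction of the flawed comparison, shown only to make the bug visible) and the tie-break on equal label counts are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// canonical lowercases a DNS name and guarantees a trailing dot, so that
// "Example.ORG" and "example.org." compare equal (assumed normalization).
func canonical(name string) string {
	name = strings.ToLower(name)
	if !strings.HasSuffix(name, ".") {
		name += "."
	}
	return name
}

// labels splits a canonical name into its labels, root excluded.
func labels(name string) []string {
	name = strings.TrimSuffix(name, ".")
	if name == "" {
		return nil
	}
	return strings.Split(name, ".")
}

// isSubDomain reports whether child equals zone or lies beneath it,
// comparing whole labels from the right so "notexample.org." is not
// treated as being under "example.org.".
func isSubDomain(zone, child string) bool {
	z, c := labels(zone), labels(child)
	if len(z) > len(c) {
		return false
	}
	for i := 1; i <= len(z); i++ {
		if z[len(z)-i] != c[len(c)-i] {
			return false
		}
	}
	return true
}

// lexicographicMatch is a hypothetical reconstruction of the flawed
// selection: among matching zones it keeps the lexicographically greatest
// string, which prefers "example.org." over "a.example.org." because
// 'e' sorts after 'a'.
func lexicographicMatch(name string, zones []string) string {
	name = canonical(name)
	best := ""
	for _, z := range zones {
		z = canonical(z)
		if isSubDomain(z, name) && z > best {
			best = z
		}
	}
	return best
}

// longestMatch picks the containing zone with the most labels. Two
// distinct suffixes of one name cannot have equal label counts, so the
// tie-break only matters for duplicate entries differing in case; the
// lexicographically smaller form wins to keep the result deterministic.
func longestMatch(name string, zones []string) string {
	name = canonical(name)
	best, bestLabels := "", -1
	for _, z := range zones {
		z = canonical(z)
		if !isSubDomain(z, name) {
			continue
		}
		if n := len(labels(z)); n > bestLabels || (n == bestLabels && z < best) {
			best, bestLabels = z, n
		}
	}
	return best
}

func main() {
	zones := []string{"example.org.", "a.example.org."} // constructed sample
	fmt.Println("longest:      ", longestMatch("www.a.example.org.", zones))      // a.example.org.
	fmt.Println("lexicographic:", lexicographicMatch("www.a.example.org.", zones)) // example.org.
}
```

The security-relevant consequence of the old comparison is that a query could be served (or a transfer authorized) under the parent zone's configuration instead of the delegated child's; selecting by label count removes the dependence on the zones' spelling.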
Ville Vesilehto
6819d2ca6c refactor(test): replace deprecated pbutil dep (#7924)
Replace github.com/matttproud/golang_protobuf_extensions/pbutil
with google.golang.org/protobuf/encoding/protodelim for reading
varint size-delimited protobuf messages in the metrics scraper.

The new protodelim package is already available via the existing
google.golang.org/protobuf dependency, so this removes pbutil as
a direct dependency entirely.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2026-03-15 21:35:59 +02:00
Peppi-Lotta
7ff001dca7 Add optional TLS support to /metrics endpoint (#7255)
* Use exporter-toolkit to enable optional TLS encryption on /metrics endpoint

Signed-off-by: peppi-lotta <peppi-lotta.saari@est.tech>

* Implement startup listener to signal server readiness

Signed-off-by: peppi-lotta <peppi-lotta.saari@est.tech>

---------

Signed-off-by: peppi-lotta <peppi-lotta.saari@est.tech>
2026-03-12 13:49:00 -07:00
cangming
500707c43a plugin/forward: add max_age option to enforce an absolute connection lifetime (#7903)
* plugin/pkg/proxy: add max_age for per-connection lifetime cap

Introduce a max_age setting on Transport that closes connections based
on creation time, independent of idle-timeout (expire).

Background: PR #7790 changed the connection pool from LIFO to FIFO for
source-port diversity. Under FIFO, every connection is cycled through
the pool and its used timestamp is refreshed continuously. When request
rate is high enough that pool_size / request_rate < expire, no
connection ever becomes idle and expire never fires. This prevents
CoreDNS from opening new connections to upstreams that scale out (e.g.
new Kubernetes pods behind a ClusterIP service with conntrack pinning).

max_age addresses this by enforcing an absolute upper bound on
connection lifetime regardless of activity:
- persistConn gains a created field set at dial time.
- Transport gains maxAge (default 0 = unlimited, preserving existing
  behaviour).
- Dial(): rejects cached connections whose creation age exceeds max_age.
- cleanup(): when maxAge > 0, uses a linear scan over both idle-timeout
  and max-age predicates; when maxAge == 0, preserves the original
  binary-search path on used time (sorted by FIFO insertion order).
- Both hot paths pre-compute the deadline outside any inner loop to
  avoid repeated time.Now() calls.

Tests added:
- TestMaxAgeExpireByCreation: connection with old created but fresh used
  must be rejected even though idle-timeout would pass.
- TestMaxAgeFIFORotation: three FIFO-rotated connections (old created,
  fresh used) must all be rejected, confirming that continuous rotation
  cannot prevent max-age expiry.

Signed-off-by: cangming <cangming@cangming.app>

* plugin/forward: add max_age option

Expose Transport.SetMaxAge through the forward plugin so operators can
set an absolute upper bound on connection lifetime via the Corefile.

Usage:
  forward . 1.2.3.4 {
      max_age 30s
  }

Default is 0 (unlimited), which preserves existing behaviour.
A positive value causes connections older than max_age to be closed and
re-dialled on the next request, ensuring CoreDNS reconnects to newly
scaled-out upstream pods even under sustained load where the idle
timeout (expire) would never fire.

If max_age is set, it must not be less than expire; the parser rejects
this combination at startup with a clear error message.

Signed-off-by: cangming <cangming@cangming.app>

---------

Signed-off-by: cangming <cangming@cangming.app>
2026-03-09 11:50:03 -07:00
liucongran
2daf48e42d feat(secondary): Send NOTIFY messages after zone transfer (#7901)
* feat(secondary): Send NOTIFY messages after zone transfer

- Modified TransferIn() method to accept a transfer.Transfer parameter
- Added NOTIFY message sending after successful zone transfer in secondary plugin
- Updated Update() method to pass the transfer handler through the zone update cycle
- Added comprehensive tests for the secondary notify functionality

Closes #5669

Signed-off-by: liucongran <liucongran327@gmail.com>

* fix(secondary): Fix TransferIn method call in test

Update test to pass nil parameter to TransferIn method after signature change

Signed-off-by: liucongran <liucongran327@gmail.com>

* refactor(secondary): Clean up imports and add helper methods

- Reorder imports for consistency
- Add hasSOA() and getSOA() helper methods to Zone
- Remove unnecessary blank lines in tests

Signed-off-by: liucongran <liucongran327@gmail.com>

* fix(test): Fix variable declaration in secondary test

Change corefile variable assignment to use short declaration syntax (:=)
to fix compilation error.

Signed-off-by: liucongran <liucongran327@gmail.com>

* refactor(secondary): Use getSOA helper method in shouldTransfer

Replace direct SOA access with getSOA() helper method for consistency.

Signed-off-by: liucongran <liucongran327@gmail.com>

---------

Signed-off-by: liucongran <liucongran327@gmail.com>
Co-authored-by: liucongran <liucongran@cestc.cn>
2026-03-07 21:15:44 -08:00
Ville Vesilehto
90a9739478 chore(lint): bump golangci-lint to v2.11.1 (#7905)
- Added nolint to plugin/auto/walk.go to avoid a symlink/TOCTOU
  warning, as it needs to follow symlink.
- Replaced a few flagged integer conversions with safe equivalents in
  cache hashing, reuseport socket setup, and TLS arg handling
- Preallocated response rule slices in plugin/rewrite/name.go
- Replaced WriteString(fmt.Sprintf/Sprintln(...)) with direct
  fmt.Fprint* calls
- Removed stale nolint directives from code and tests that are no
  longer needed

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2026-03-06 11:50:24 -08:00
Yong Tang
51a11b3664 plugin/reload: Allow disabling jitter with 0s (#7896)
This PR fixes #7894 by allowing reload 2s 0s as documented.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2026-03-05 18:35:41 -08:00
yangsenzk
5b7da1fbf7 plugin/forward: fix parsing error when handling TLS+IPv6 address (#7848) 2026-02-25 02:21:39 -08:00
YOUNEVSKY
7ae1c40db2 plugin/loop: use crypto/rand for query name generation (#7881) 2026-02-25 02:21:04 -08:00
hide
78524a7921 fix(rewrite): fix cname target rewrite for CNAME chains (#7853)
* fix(rewrite): fix cname target rewrite for CNAME chains

This fix corrects the cname target rewrite to handle CNAME chains:
- Preserves only the CNAME records before matching the rule
- Rewrites only the CNAME target that matches the rule
- Includes all records from the re-resolved upstream response

Signed-off-by: hide <hide@hide.net.eu.org>

* docs(rewrite): document how answer records are handled in CNAME target rewrite

Signed-off-by: hide <hide@hide.net.eu.org>

* fix(rewrite): simplify slice append per staticcheck S1011

Signed-off-by: hide <hide@hide.net.eu.org>

* docs(rewrite): add extra line between code and paragraph

Signed-off-by: hide <hide@hide.net.eu.org>

---------

Signed-off-by: hide <hide@hide.net.eu.org>
Co-authored-by: hide <hide@hide.net.eu.org>
2026-02-21 16:10:35 -05:00
Ville Vesilehto
191a783e46 chore(deps): k8s-io group to client-go v0.35.1 (#7868) 2026-02-17 10:13:22 -08:00
Ville Vesilehto
23774edfa4 fix(kubernetes): panic on empty ListenHosts (#7857) 2026-02-16 07:04:19 -08:00
Ville Vesilehto
6fd38dca06 chore: bump minimum Go version to 1.25 (#7788) 2026-02-16 05:28:30 -08:00
Ville Vesilehto
b1080a2934 chore: bump Go version to 1.26.0 (#7856) 2026-02-16 04:26:18 -08:00
Adphi
e9c0db32dc feat(proxyproto): add proxy protocol support (#7738)
Signed-off-by: Adphi <philippe.adrien.nousse@gmail.com>
2026-02-10 17:14:05 -08:00
vflaux
30c20b52ff refactor(cache): modernize with generics (#7842) 2026-02-03 17:23:53 -08:00
Kelly Kane
b3d79f59e5 Add metadata for response Type and Class to Log. (#7806) 2026-01-26 08:03:03 -08:00
Henrik Gerdes
7f410524d0 docs: clarify kubernetes auth docs (#7831)
Signed-off-by: Henrik Gerdes <hegerdes@outlook.de>
2026-01-21 18:36:11 -08:00
Shiv Tyagi
f1f0955cb9 fix: return SOA and NS records when queried for a record CNAMEd to origin (#7808)
* fix: return SOA and NS records when queried for a record CNAMEd to origin

Signed-off-by: Shiv Tyagi <shivtyagi3015@gmail.com>

* chore(test): add test for covering cname to origin scenario in file plugin

Signed-off-by: Shiv Tyagi <shivtyagi3015@gmail.com>

---------

Signed-off-by: Shiv Tyagi <shivtyagi3015@gmail.com>
2026-01-21 18:35:48 -08:00
Ville Vesilehto
f3983c1111 perf(proxy): use mutex-based connection pool (#7790)
* perf(proxy): use mutex-based connection pool

The proxy package (used for example by the forward plugin) utilized
an actor model where a single connManager goroutine managed
connection pooling via unbuffered channels (dial, yield, ret). This
design serialized all connection acquisition and release operations
through a single goroutine, creating a bottleneck under high
concurrency. This was observable as a performance degradation when
using a single upstream backend compared to multiple backends
(which sharded the bottleneck).

Changes:
- Removed dial, yield, and ret channels from the Transport struct.
- Removed the connManager goroutine's request processing loop.
- Implemented Dial() and Yield() using a sync.Mutex to protect the
  connection slice, allowing for fast concurrent access without
  context switching.
- Downgraded connManager to a simple background cleanup loop that
  only handles connection expiration on a ticker.
- Updated plugin/pkg/proxy/connect.go to use direct method calls
  instead of channel sends.
- Updated tests to reflect the removal of internal channels.

Benchmarks show that this change eliminates the single-backend
bottleneck. Now a single upstream backend performs on par with
multiple backends, and overall throughput is improved.

The implementation aligns with standard Go patterns for connection
pooling (e.g., net/http.Transport).

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

* fix: address PR review for persistent.go

- Named mutex field instead of embedding, to not expose
  Lock() and Unlock()
- Move stop check outside of lock in Yield()
- Close() without a separate goroutine
- Change stop channel to struct

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

* fix: address code review feedback for conn pool

- Switch from LIFO to FIFO connection selection for source port
  diversity, reducing DNS cache poisoning risk (RFC 5452).
- Remove "clear entire cache" optimization as it was LIFO-specific.
  FIFO naturally iterates and skips expired connections.
- Remove all goroutines for closing connections; collect connections
  while holding lock, close synchronously after releasing lock.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

* fix: remove unused error consts

No longer utilised after refactoring the channel based approach.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

* feat(forward): add max_idle_conns option

Add configurable connection pool limit for the forward plugin via
the max_idle_conns Corefile option.

Changes:
- Add SetMaxIdleConns to proxy
- Add maxIdleConns field to Forward struct
- Add max_idle_conns parsing in forward plugin setup
- Apply setting to each proxy during configuration
- Update forward plugin README with new option

By default the value is 0 (unbounded). When set, excess
connections returned to the pool are closed immediately
rather than cached.

Also add a yield related test.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

* chore(proxy): simple Dial by closing conns inline

Remove toClose slice collection to reduce complexity. Instead close
expired connections directly while iterating. Reduces complexity with
negligible lock-time impact.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

* chore: fewer explicit Unlock calls

Cleaner and less chance of forgetting to unlock on new possible
code paths.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>

---------

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2026-01-13 17:49:46 -08:00
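An added example written for this page (not the proxy package's code) that models the pool this commit describes together with the max_age cap from #7903 above: a mutex-protected FIFO slice, an idle deadline (`expire`) and an absolute lifetime deadline (`maxAge`) both computed once per Dial, a `maxIdle` cap applied on Yield, stale connections closed inline while walking the pool, and the startup rule that max_age may not be below expire. `upstreamConn`, `fakeConn`, the injectable `now` and `dial` fields, and the method signatures are this example's assumptions; it uses no network so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// upstreamConn stands in for net.Conn; only Close matters to the pool.
type upstreamConn interface{ Close() error }

// fakeConn is a constructed stand-in so the example runs without a network.
type fakeConn struct{ closed bool }

func (f *fakeConn) Close() error { f.closed = true; return nil }

// persistConn carries the two timestamps the pool reasons about: when the
// connection was dialled and when it was last yielded back.
type persistConn struct {
	c       upstreamConn
	created time.Time
	used    time.Time
}

// Transport is a mutex-protected FIFO pool. expire is the idle timeout,
// maxAge the absolute lifetime cap (0 = unlimited), maxIdle the cap on
// cached connections (0 = unbounded). dial and now are injectable.
type Transport struct {
	mu      sync.Mutex
	conns   []*persistConn // index 0 is the oldest-yielded connection
	expire  time.Duration
	maxAge  time.Duration
	maxIdle int
	dial    func() (upstreamConn, error)
	now     func() time.Time
}

// NewTransport applies the startup rule: max_age must not be below expire.
func NewTransport(expire, maxAge time.Duration, maxIdle int, dial func() (upstreamConn, error)) (*Transport, error) {
	if maxAge > 0 && maxAge < expire {
		return nil, errors.New("max_age must not be less than expire")
	}
	return &Transport{expire: expire, maxAge: maxAge, maxIdle: maxIdle, dial: dial, now: time.Now}, nil
}

// Dial hands out the oldest cached connection that is neither idle-expired
// nor past max_age, closing stale ones inline as it walks the FIFO; when
// nothing usable remains it dials fresh. The bool reports a cache hit.
func (t *Transport) Dial() (*persistConn, bool, error) {
	now := t.now()
	idleDeadline := now.Add(-t.expire) // computed once, outside the loop
	ageDeadline := now.Add(-t.maxAge)

	t.mu.Lock()
	for len(t.conns) > 0 {
		pc := t.conns[0]
		t.conns = t.conns[1:]
		stale := pc.used.Before(idleDeadline) ||
			(t.maxAge > 0 && pc.created.Before(ageDeadline))
		if stale {
			pc.c.Close()
			continue
		}
		t.mu.Unlock()
		return pc, true, nil
	}
	t.mu.Unlock()

	c, err := t.dial()
	if err != nil {
		return nil, false, err
	}
	return &persistConn{c: c, created: now, used: now}, false, nil
}

// Yield returns a connection to the back of the FIFO and refreshes its
// used timestamp; beyond maxIdle the connection is closed, not cached.
func (t *Transport) Yield(pc *persistConn) {
	pc.used = t.now()
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.maxIdle > 0 && len(t.conns) >= t.maxIdle {
		pc.c.Close()
		return
	}
	t.conns = append(t.conns, pc)
}

// Len reports how many idle connections are cached.
func (t *Transport) Len() int {
	t.mu.Lock()
	defer t.mu.Unlock()
	return len(t.conns)
}

func main() {
	tr, _ := NewTransport(10*time.Second, 30*time.Second, 0, func() (upstreamConn, error) { return &fakeConn{}, nil })
	pc, first, _ := tr.Dial()
	tr.Yield(pc)
	_, second, _ := tr.Dial()
	fmt.Println("cache hit on first dial:", first, "on second dial:", second) // false true
}
```

Because every yield refreshes `used`, a pool that is rotated faster than `expire` never idles out; only the `created` check can retire such a connection, which is exactly the scale-out case the max_age commit targets. FIFO order also means each request takes the oldest connection, so all source ports in the pool stay in use rather than one hot connection being reused.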
Ville Vesilehto
b723bd94d4 fix(plugins): add regex length limit (#7802) 2026-01-05 09:48:48 -08:00
Raisa Kabir
adba778626 Refactor: Update the cache getter function (#7800)
Rename the cache getter function to reflect the true functionality of retrieving with
TTL consideration.

Refs: https://github.com/coredns/coredns/issues/6505

Signed-off-by: Raisa Kabir <raisa.kabir2010@gmail.com>
2026-01-05 18:24:04 +02:00
Syed Azeez
6dca5b26d1 fix(lint): address G114 gosec findings in ready, pprof, and health plugins (#7798)
Replace http.Serve() with http.Server{} configured with timeouts to
address G114 gosec findings (HTTP server without timeouts). This
prevents potential slowloris attacks and resource exhaustion.

Changes:
- Add ReadTimeout, WriteTimeout, IdleTimeout (5s each) to HTTP servers
- Use srv.Shutdown(ctx) for graceful shutdown instead of ln.Close()
- Follow existing pattern from plugin/metrics

Fixes part of #7793

Signed-off-by: Azeez Syed <syedazeez337@gmail.com>
2026-01-01 11:25:37 +02:00
Syed Azeez
7b38eb8625 plugin: fix gosec G115 integer overflow warnings (#7799)
Fix integer overflow conversion warnings (G115) by adding appropriate
suppressions where values are provably bounded.

Fixes: https://github.com/coredns/coredns/issues/7793

Changes:
- Updated 56 G115 annotations to use consistent // #nosec G115 format
- Added 2 //nolint:gosec suppressions for conditional expressions
- Removed G115 exclusion from golangci.yml (now explicitly handled per-line)

Suppressions justify why each conversion is safe (e.g., port numbers
are bounded 1-65535, DNS TTL limits, pool lengths, etc.)

Signed-off-by: Azeez Syed <syedazeez337@gmail.com>
2026-01-01 10:20:29 +02:00
Ville Vesilehto
be934b2b06 perf(metrics): implement plugin chain tracking (#7791)
Remove expensive runtime.Caller calls from metrics Recorder.WriteMsg
by tracking the responding plugin through the plugin chain instead.

- Add PluginTracker interface and pluginWriter wrapper in plugin.go
- Modify NextOrFailure to wrap ResponseWriter with plugin name
- Update metrics Recorder to implement PluginTracker
- Remove authoritativePlugin method using filepath inspection

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-29 14:33:12 -08:00
Ville Vesilehto
b21c752d7f chore(lint): enable gosec (#7792)
Enable "gosec" linter.

Exclude:

- All G115 (integer overflow) findings, to be fixed separately.

Add targeted gosec annotations for:

- non-crypto math/rand usage
- md5 used only for file change detection
- G114 ("net/http serve with no timeout settings"), to be fixed
  separately.

Other findings fixed.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-29 14:01:27 -08:00
Ville Vesilehto
4f0368f8bf feat(clouddns): API to 0.258.0 with deprecations (#7787) 2025-12-23 11:47:59 -08:00
Ville Vesilehto
d37f7f7754 fix(sign): report parser err before missing SOA (#7775) 2025-12-23 09:50:16 -08:00
Ross Golder
f35e57f301 Fix for misleading SOA parser warnings (#7774)
* Improve SOA error handling/reporting.

Signed-off-by: Ross Golder <ross@golder.org>

* Add tests for malformed SOA records

Signed-off-by: Ross Golder <ross@golder.org>

* Address review comments: assert exact parse errors in SOA tests and fix gofmt

Signed-off-by: Ross Golder <ross@golder.org>

---------

Signed-off-by: Ross Golder <ross@golder.org>
2025-12-21 11:54:59 +02:00
Ville Vesilehto
0d8cbb1a6b Merge commit from fork
Add configurable resource limits to prevent potential DoS vectors
via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers.

New configuration plugins:
- grpc_server: configure max_streams, max_connections
- https: configure max_connections
- https3: configure max_streams

Changes:
- Use netutil.LimitListener for connection limiting
- Use gRPC MaxConcurrentStreams and message size limits
- Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting
- Set secure defaults: 256 max streams, 200 max connections
- Setting any limit to 0 means unbounded/fallback to previous impl

Defaults are applied automatically when plugins are omitted from
config.

Includes tests and integration tests.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-17 19:08:59 -08:00
pasteley
388cbc5187 plugin/kubernetes: rate limits to api server (#7771)
Signed-off-by: pasteley <ceasebeing@gmail.com>
2025-12-15 20:06:16 -08:00
Ville Vesilehto
05efeb0a7e fix(test): prevent race condition in dial test (#7770)
The test "TestDial_TransportStoppedDuringRetWait" replaced
tr.dial and tr.ret with test-controlled channels, then called
tr.Start(). Since connManager reads from t.dial, both the test
and connManager were racing to read from the same channel.
Remove tr.Start() since the test manually simulates connManager
behavior.

Also changed some test log formatting to align with other tests.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-15 19:30:56 -08:00
rusttech
1fd4ba2e5f fix: fix slice init length (#6901)
Signed-off-by: rusttech <gopher@before.tech>
2025-12-09 18:17:07 -08:00