coredns/plugin/grpc_server
Ville Vesilehto 0d8cbb1a6b Merge commit from fork
Add configurable resource limits to prevent potential DoS vectors
via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers.

New configuration plugins:
- grpc_server: configure max_streams, max_connections
- https: configure max_connections
- https3: configure max_streams

Changes:
- Use netutil.LimitListener for connection limiting
- Use gRPC MaxConcurrentStreams and message size limits
- Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting
- Set secure defaults: 256 max streams, 200 max connections
- Setting any limit to 0 means unbounded/fallback to previous impl

Defaults are applied automatically when plugins are omitted from
config.

Includes tests and integration tests.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2025-12-17 19:08:59 -08:00

grpc_server

Name

grpc_server - configures DNS-over-gRPC server options.

Description

The grpc_server plugin allows you to configure parameters for the DNS-over-gRPC server to fine-tune the security posture and performance of the server.

This plugin can only be used once per gRPC listener block.

Syntax

grpc_server {
    max_streams POSITIVE_INTEGER
    max_connections POSITIVE_INTEGER
}
  • max_streams limits the number of concurrent gRPC streams per connection. This prevents a single connection from opening an unbounded number of streams and exhausting server resources. The default value is 256 if not specified. Set to 0 for unbounded.
  • max_connections limits the number of concurrent TCP connections to the gRPC server. The default value is 200 if not specified. Set to 0 for unbounded.
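As an added illustration of the semantics described above (this is not the plugin's own code, which uses CoreDNS's Corefile parser), the following Go snippet parses the body of a grpc_server block, applies the README's defaults of 256 streams and 200 connections, treats 0 as unbounded, and rejects repeated keys and values that do not fit a uint32; ParseGRPCServer and Options are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Options holds the parsed limits; 0 means unbounded for either field.
type Options struct {
	MaxStreams     uint32
	MaxConnections uint32
}

// ParseGRPCServer parses the lines between the braces of a grpc_server block.
// Omitted keys take the README defaults; a key may appear at most once.
func ParseGRPCServer(body string) (Options, error) {
	opts := Options{MaxStreams: 256, MaxConnections: 200}
	seen := map[string]bool{}
	for _, line := range strings.Split(body, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue // blank line
		}
		if len(fields) != 2 {
			return Options{}, fmt.Errorf("%s: expected exactly one argument", fields[0])
		}
		key, arg := fields[0], fields[1]
		if seen[key] {
			return Options{}, fmt.Errorf("%s: specified more than once", key)
		}
		seen[key] = true
		// gRPC's MaxConcurrentStreams is a uint32, so reject anything that does not fit.
		v, err := strconv.ParseUint(arg, 10, 32)
		if err != nil {
			return Options{}, fmt.Errorf("%s: %q is not a non-negative 32-bit integer", key, arg)
		}
		switch key {
		case "max_streams":
			opts.MaxStreams = uint32(v)
		case "max_connections":
			opts.MaxConnections = uint32(v)
		default:
			return Options{}, fmt.Errorf("unknown property %q", key)
		}
	}
	return opts, nil
}

func main() { fmt.Println(ParseGRPCServer("max_streams 50\nmax_connections 100")) }
```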

Examples

Set custom limits for maximum streams and connections:

grpc://.:8053 {
    tls cert.pem key.pem
    grpc_server {
        max_streams 50
        max_connections 100
    }
    whoami
}

Set values to 0 for unbounded, matching CoreDNS behaviour before v1.14.0:

grpc://.:8053 {
    tls cert.pem key.pem
    grpc_server {
        max_streams 0
        max_connections 0
    }
    whoami
}