mirror of
https://github.com/coredns/coredns.git
synced 2025-12-20 09:05:14 -05:00
0d8cbb1a6b
Add configurable resource limits to prevent potential DoS vectors via connection/stream exhaustion on gRPC, HTTPS, and HTTPS/3 servers. New configuration plugins: - grpc_server: configure max_streams, max_connections - https: configure max_connections - https3: configure max_streams Changes: - Use netutil.LimitListener for connection limiting - Use gRPC MaxConcurrentStreams and message size limits - Add QUIC MaxIncomingStreams for HTTPS/3 stream limiting - Set secure defaults: 256 max streams, 200 max connections - Setting any limit to 0 means unbounded/fallback to previous impl Defaults are applied automatically when plugins are omitted from config. Includes tests and integration tests. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
https3
Name
https3 - configures DNS-over-HTTPS/3 (DoH3) server options.
Description
The https3 plugin allows you to configure parameters for the DNS-over-HTTPS/3 (DoH3) server to fine-tune the security posture and performance of the server. HTTPS/3 uses QUIC as the underlying transport.
This plugin can only be used once per HTTPS3 listener block.
Syntax
https3 {
max_streams POSITIVE_INTEGER
}
max_streamslimits the number of concurrent QUIC streams per connection. This helps prevent unbounded streams on a single connection, exhausting server resources. The default value is 256 if not specified. Set to 0 to use underlying QUIC transport default.
Examples
Set custom limits for maximum streams:
https3://.:443 {
tls cert.pem key.pem
https3 {
max_streams 50
}
whoami
}
Set values to 0 for QUIC transport default, matching CoreDNS behaviour before v1.14.0:
https3://.:443 {
tls cert.pem key.pem
https3 {
max_streams 0
}
whoami
}