[9.18] new: usr: Add a new option to configure the maximum number of …

…outgoing queries per client request The configuration option 'max-query-count' sets how many outgoing queries per client request is allowed. The existing 'max-recursion-queries' is the number of permissible queries for a single name and is reset on every CNAME redirection. This new option is a global limit on the client request. The default is 200. This allows us to send a bit more queries while looking up a single name. The default for 'max-recursion-queries' is changed from 32 to 50. Closes #4980 Closes #4921 Backport of MR !9737 Merge branch 'backport-4980-global-limit-outgoing-queries-9.18' into 'bind-9.18' See merge request isc-projects/bind9!9847
isc-projects · Dec 6, 2024 · 64b2b6e · 64b2b6e
2 parents 185503d + 84519c1
commit 64b2b6e
Show file tree

Hide file tree

Showing 36 changed files with 674 additions and 54 deletions.
diff --git a/bin/named/config.c b/bin/named/config.c
@@ -174,7 +174,8 @@ options {\n\
 	max-clients-per-query 100;\n\
 	max-ncache-ttl 10800; /* 3 hours */\n\
 	max-recursion-depth 7;\n\
-	max-recursion-queries 32;\n\
+	max-recursion-queries 50;\n\
+	max-query-count 200;\n\
 	max-query-restarts 11;\n\
 	max-stale-ttl 86400; /* 1 day */\n\
 	message-compression yes;\n\

diff --git a/bin/named/server.c b/bin/named/server.c
@@ -5678,6 +5678,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
 	INSIST(result == ISC_R_SUCCESS);
 	dns_view_setmaxrestarts(view, cfg_obj_asuint32(obj));
 
+	obj = NULL;
+	result = named_config_get(maps, "max-query-count", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_view_setmaxqueries(view, cfg_obj_asuint32(obj));
+
 	obj = NULL;
 	result = named_config_get(maps, "fetches-per-zone", &obj);
 	INSIST(result == ISC_R_SUCCESS);
@@ -7405,7 +7410,7 @@ tat_send(isc_task_t *task, isc_event_t *event) {
 	if (result == ISC_R_SUCCESS) {
 		result = dns_resolver_createfetch(
 			tat->view->resolver, tatname, dns_rdatatype_null,
-			domain, &nameservers, NULL, NULL, 0, 0, 0, NULL,
+			domain, &nameservers, NULL, NULL, 0, 0, 0, NULL, NULL,
 			tat->task, tat_done, tat, &tat->rdataset,
 			&tat->sigrdataset, &tat->fetch);
 	}

diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am
@@ -99,6 +99,7 @@ TESTS =				\
 	autosign		\
 	builtin			\
 	cacheclean		\
+	camp			\
 	case			\
 	catz			\
 	cds			\

diff --git a/bin/tests/system/camp/ns1/named.conf.in b/bin/tests/system/camp/ns1/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/camp/ns1/root.db b/bin/tests/system/camp/ns1/root.db
@@ -0,0 +1,51 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+.			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				600		; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+tld0.			NS	ns.tld0.
+ns.tld0.		A	10.53.0.2
+
+tld1.			NS	ns.tld1.
+ns.tld1.		A	10.53.0.2
+
+tld2.			NS	ns.tld2.
+ns.tld2.		A	10.53.0.2
+
+tld3.			NS	ns.tld3.
+ns.tld3.		A	10.53.0.2
+
+tld4.			NS	ns.tld4.
+ns.tld4.		A	10.53.0.2
+
+tld5.			NS	ns.tld5.
+ns.tld5.		A	10.53.0.2
+
+tld6.			NS	ns.tld6.
+ns.tld6.		A	10.53.0.2
+
+tld7.			NS	ns.tld7.
+ns.tld7.		A	10.53.0.2
+
+tld8.			NS	ns.tld8.
+ns.tld8.		A	10.53.0.2
+
+tld9.			NS	ns.tld9.
+ns.tld9.		A	10.53.0.2
diff --git a/bin/tests/system/camp/ns2/named.conf.in b/bin/tests/system/camp/ns2/named.conf.in
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+};
+
+zone "tld0" {
+	type primary;
+	file "tld0.db";
+};
diff --git a/bin/tests/system/camp/ns2/setup.sh b/bin/tests/system/camp/ns2/setup.sh
@@ -0,0 +1,57 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns2/setup.sh"
+
+cp template.db.in tld0.db
+echo "final.tld0. IN NS ns.final.tld0." >>tld0.db
+echo "ns.final.tld0. IN A 10.53.0.3" >>tld0.db
+
+DEPTH=5
+
+tld=1
+while [ $tld -le $DEPTH ]; do
+
+  cat >>"named.conf" <<EOF
+zone "tld${tld}" {
+        type primary;
+        file "tld${tld}.db";
+};
+EOF
+
+  cp template.db.in tld${tld}.db
+
+  label=0
+  while [ $label -le $DEPTH ]; do
+    echo "label${label}.tld${tld}. IN NS ns.label${label}.tld${tld}." >>tld${tld}.db
+    echo "ns.label${label}.tld${tld}. IN A 10.53.0.3" >>tld${tld}.db
+    echo "" >>tld${tld}.db
+
+    label=$((label + 1))
+  done
+
+  tld=$((tld + 1))
+done
+
+goto=1
+tld=1
+while [ $goto -le $DEPTH ]; do
+  echo "goto${goto}.tld${tld}. IN NS ns.goto${goto}.tld${tld}." >>tld${tld}.db
+  echo "ns.goto${goto}.tld${tld}. IN A 10.53.0.3" >>tld${tld}.db
+  echo "" >>tld${tld}.db
+
+  goto=$((goto + 1))
+done
diff --git a/bin/tests/system/camp/ns2/template.db.in b/bin/tests/system/camp/ns2/template.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns2
+ns2			A	10.53.0.2
+			NS	ns
+ns			A	10.53.0.2
+
+; camp attack
diff --git a/bin/tests/system/camp/ns3/named.conf.in b/bin/tests/system/camp/ns3/named.conf.in
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation no;
+
+	max-query-count 150;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "final.tld0" {
+	type primary;
+	file "final.tld0.db";
+};
diff --git a/bin/tests/system/camp/ns3/setup.sh b/bin/tests/system/camp/ns3/setup.sh
@@ -0,0 +1,79 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+cp template.db.in final.tld0.db
+echo "q.final.tld0. IN A 1.2.3.4" >>final.tld0.db
+
+DEPTH=5
+
+tld=1
+while [ $tld -le $DEPTH ]; do
+  nexttld=$((tld + 1))
+
+  label=1
+  while [ $label -le $DEPTH ]; do
+    nextlabel=$((label + 1))
+
+    cat >>"named.conf" <<EOF
+zone "label${label}.tld${tld}" {
+        type primary;
+        file "label${label}.tld${tld}.db";
+};
+EOF
+
+    cp template.db.in label${label}.tld${tld}.db
+
+    if [ $label -eq $DEPTH ] && [ $tld -eq $DEPTH ]; then
+      echo "q.label${label}.tld${tld}. IN CNAME q.goto1.tld1." >>label${label}.tld${tld}.db
+    elif [ $tld -eq $DEPTH ]; then
+      nextlabel=$((label + 1))
+      echo "q.label${label}.tld${tld}. IN CNAME q.label${nextlabel}.tld1." >>label${label}.tld${tld}.db
+    else
+      echo "q.label${label}.tld${tld}. IN CNAME q.label${label}.tld${nexttld}." >>label${label}.tld${tld}.db
+    fi
+
+    label=$nextlabel
+  done
+
+  echo "" >>label${label}.tld${tld}.db
+  tld=$nexttld
+done
+
+goto=1
+tld=1
+while [ $goto -le $DEPTH ]; do
+  nextgoto=$((goto + 1))
+
+  cat >>"named.conf" <<EOF
+zone "goto${goto}.tld${tld}" {
+        type primary;
+        file "goto${goto}.tld${tld}.db";
+};
+EOF
+
+  cp template.db.in goto${goto}.tld${tld}.db
+
+  if [ $goto -eq $DEPTH ]; then
+    echo "q.goto${goto}.tld${tld}. IN CNAME q.final.tld0." >>goto${goto}.tld${tld}.db
+  else
+    echo "q.goto${goto}.tld${tld}. IN CNAME q.goto${nextgoto}.tld${tld}." >>goto${goto}.tld${tld}.db
+  fi
+
+  echo "" >>label${label}.tld${tld}.db
+  goto=$nextgoto
+done
diff --git a/bin/tests/system/camp/ns3/template.db.in b/bin/tests/system/camp/ns3/template.db.in
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns
+			NS	ns3
+ns			A	10.53.0.3
+ns3			A	10.53.0.3
+
+; camp attack
-Original file line number
+Diff line change
@@ Expand Up / @@ -99,6 +99,7 @@ TESTS = \ @@
     	autosign		\
     	builtin			\
     	cacheclean		\
+    	camp			\
     	case			\
     	catz			\
     	cds			\
@@ Expand Down @@