|
 |
bd9435 |
From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001
|
|
|
bd9435 |
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
|
|
|
bd9435 |
Date: Thu, 8 Sep 2022 11:11:30 +0200
|
|
|
bd9435 |
Subject: [PATCH] Bound the amount of work performed for delegations
|
|
|
bd9435 |
|
|
|
bd9435 |
Limit the amount of database lookups that can be triggered in
|
|
|
bd9435 |
fctx_getaddresses() (i.e. when determining the name server addresses to
|
|
|
bd9435 |
query next) by setting a hard limit on the number of NS RRs processed
|
|
|
bd9435 |
for any delegation encountered. Without any limit in place, named can
|
|
|
bd9435 |
be forced to perform large amounts of database lookups per each query
|
|
|
bd9435 |
received, which severely impacts resolver performance.
|
|
|
bd9435 |
|
|
|
bd9435 |
The limit used (20) is an arbitrary value that is considered to be big
|
|
|
bd9435 |
enough for any sane DNS delegation.
|
|
|
bd9435 |
|
|
|
bd9435 |
(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
|
|
|
bd9435 |
---
|
|
|
bd9435 |
lib/dns/resolver.c | 12 ++++++++++++
|
|
|
bd9435 |
1 file changed, 12 insertions(+)
|
|
|
bd9435 |
|
|
|
bd9435 |
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
|
|
bd9435 |
index d2cf14bbc8..73a0ee9f77 100644
|
|
|
bd9435 |
--- a/lib/dns/resolver.c
|
|
|
bd9435 |
+++ b/lib/dns/resolver.c
|
|
|
bd9435 |
@@ -195,6 +195,12 @@
|
|
|
bd9435 |
*/
|
|
|
bd9435 |
#define NS_FAIL_LIMIT 4
|
|
|
bd9435 |
#define NS_RR_LIMIT 5
|
|
|
bd9435 |
+/*
|
|
|
bd9435 |
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
|
|
|
bd9435 |
+ * any NS RRset encountered, to avoid excessive resource use while processing
|
|
|
bd9435 |
+ * large delegations.
|
|
|
bd9435 |
+ */
|
|
|
bd9435 |
+#define NS_PROCESSING_LIMIT 20
|
|
|
bd9435 |
|
|
|
bd9435 |
/* Number of hash buckets for zone counters */
|
|
|
bd9435 |
#ifndef RES_DOMAIN_BUCKETS
|
|
|
bd9435 |
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
|
|
bd9435 |
bool need_alternate = false;
|
|
|
bd9435 |
bool all_spilled = true;
|
|
|
bd9435 |
unsigned int no_addresses = 0;
|
|
|
bd9435 |
+ unsigned int ns_processed = 0;
|
|
|
bd9435 |
|
|
|
bd9435 |
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
|
|
|
bd9435 |
|
|
|
bd9435 |
@@ -3902,6 +3909,11 @@ normal_nses:
|
|
|
bd9435 |
|
|
|
bd9435 |
dns_rdata_reset(&rdata);
|
|
|
bd9435 |
dns_rdata_freestruct(&ns);
|
|
|
bd9435 |
+
|
|
|
bd9435 |
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
|
|
|
bd9435 |
+ result = ISC_R_NOMORE;
|
|
|
bd9435 |
+ break;
|
|
|
bd9435 |
+ }
|
|
|
bd9435 |
}
|
|
|
bd9435 |
if (result != ISC_R_NOMORE) {
|
|
|
bd9435 |
return (result);
|
|
|
bd9435 |
--
|
|
|
bd9435 |
2.37.3
|
|
|
bd9435 |
|