Merge pull request #16841 from omoerbeek/rec-5.2.8-to-be

Backport to 5.2.x: SA 2026-01 including build fixes for man pages and docs

Author: omoerbeek

pdns/recursordist/lwres.cc

@@ -540,6 +540,8 @@ static LWResult::Result asyncresolve(const ComboAddress& address, const DNSName&
     return ret;
   }
 
+  lwr->d_bytesReceived = len;
+
   if (*chained) {
     auto msec = lwr->d_usec / 1000;
     if (msec > g_networkTimeoutMsec * 2 / 3) {

pdns/recursordist/lwres.hh

@@ -81,6 +81,7 @@ public:
   }
 
   vector<DNSRecord> d_records;
+  uint32_t d_bytesReceived{0};
   int d_rcode{0};
   bool d_validpacket{false};
   bool d_aabit{false}, d_tcbit{false};

pdns/recursordist/pdns_recursor.cc

@@ -1796,7 +1796,7 @@ void startDoResolve(void* arg) // NOLINT(readability-function-cognitive-complexi
 #endif
     }
 
-    const bool intoPC = g_packetCache && !variableAnswer && !resolver.wasVariable();
+    const bool intoPC = g_packetCache && !variableAnswer && !resolver.wasVariable() && (RecursorPacketCache::s_maxEntrySize == 0 || packet.size() <= RecursorPacketCache::s_maxEntrySize);
     if (intoPC) {
       minTTL = capPacketCacheTTL(*packetWriter.getHeader(), minTTL, seenAuthSOA);
       g_packetCache->insertResponsePacket(comboWriter->d_tag, comboWriter->d_qhash, std::move(comboWriter->d_query), comboWriter->d_mdp.d_qname,
@@ -1928,6 +1928,7 @@ void startDoResolve(void* arg) // NOLINT(readability-function-cognitive-complexi
                               "answers", Logging::Loggable(ntohs(packetWriter.getHeader()->ancount)),
                               "additional", Logging::Loggable(ntohs(packetWriter.getHeader()->arcount)),
                               "outqueries", Logging::Loggable(resolver.d_outqueries),
+                              "received", Logging::Loggable(resolver.d_bytesReceived),
                               "netms", Logging::Loggable(resolver.d_totUsec / 1000.0),
                               "totms", Logging::Loggable(static_cast<double>(spentUsec) / 1000.0),
                               "throttled", Logging::Loggable(resolver.d_throttledqueries),

pdns/recursordist/rec-main.cc

@@ -1773,6 +1773,7 @@ static int initSyncRes(Logr::log_t log)
   SyncRes::s_serverID = ::arg()["server-id"];
   // This bound is dynamically adjusted in SyncRes, depending on qname minimization being active
   SyncRes::s_maxqperq = ::arg().asNum("max-qperq");
+  SyncRes::s_maxbytesperq = ::arg().asNum("max-bytesperq");
   SyncRes::s_maxnsperresolve = ::arg().asNum("max-ns-per-resolve");
   SyncRes::s_maxnsaddressqperq = ::arg().asNum("max-ns-address-qperq");
   SyncRes::s_maxtotusec = 1000 * ::arg().asNum("max-total-msec");
@@ -3311,6 +3312,8 @@ int main(int argc, char** argv)
       pdns::RecResolve::setInstanceParameters(arg()["server-id"], ttl, interval, selfResolveCheck, []() { reloadZoneConfiguration(g_yamlSettings); });
     }
 
+    MemRecursorCache::s_maxEntrySize = ::arg().asNum("max-recordcache-entry-size");
+    RecursorPacketCache::s_maxEntrySize = ::arg().asNum("max-packetcache-entry-size");
     g_recCache = std::make_unique<MemRecursorCache>(::arg().asNum("record-cache-shards"));
     g_negCache = std::make_unique<NegCache>(::arg().asNum("record-cache-shards") / 8);
     if (!::arg().mustDo("disable-packetcache")) {

pdns/recursordist/recpacketcache.cc

@@ -11,6 +11,7 @@
 #include "rec-taskqueue.hh"
 
 unsigned int RecursorPacketCache::s_refresh_ttlperc{0};
+uint32_t RecursorPacketCache::s_maxEntrySize{8192};
 
 void RecursorPacketCache::setShardSizes(size_t shardSize)
 {

pdns/recursordist/recpacketcache.hh

@@ -47,6 +47,7 @@ class RecursorPacketCache : public PacketCache
 {
 public:
   static unsigned int s_refresh_ttlperc;
+  static uint32_t s_maxEntrySize;
 
   struct PBData
   {

pdns/recursordist/recursor_cache.cc

@@ -75,6 +75,7 @@
 uint16_t MemRecursorCache::s_maxServedStaleExtensions;
 uint16_t MemRecursorCache::s_maxRRSetSize = 256;
 bool MemRecursorCache::s_limitQTypeAny = true;
+uint32_t MemRecursorCache::s_maxEntrySize = 8192;
 
 void MemRecursorCache::resetStaticsForTests()
 {
@@ -84,6 +85,7 @@ void MemRecursorCache::resetStaticsForTests()
   SyncRes::s_minimumTTL = 0;
   s_maxRRSetSize = 256;
   s_limitQTypeAny = true;
+  s_maxEntrySize = 8192;
 }
 
 MemRecursorCache::MemRecursorCache(size_t mapsCount) :
@@ -665,6 +667,7 @@ void MemRecursorCache::replace(time_t now, const DNSName& qname, const QType qty
     cacheEntry.d_tooBig = true;
   }
   cacheEntry.d_records.reserve(toStore);
+  size_t storeSize = sizeof(CacheEntry) + qname.getStorage().size(); // rough estimate
   for (const auto& record : content) {
     /* Yes, we have altered the d_ttl value by adding time(nullptr) to it
        prior to calling this function, so the TTL actually holds a TTD. */
@@ -679,11 +682,15 @@ void MemRecursorCache::replace(time_t now, const DNSName& qname, const QType qty
       cacheEntry.d_orig_ttl = SyncRes::s_minimumTTL;
     }
     cacheEntry.d_records.push_back(record.getContent());
+    storeSize += record.d_clen; // again, rough estimate
     if (--toStore == 0) {
       break;
     }
   }
 
+  if (s_maxEntrySize > 0 && storeSize > s_maxEntrySize) {
+    return;
+  }
   if (!isNew) {
     moveCacheItemToBack<SequencedTag>(lockedShard->d_map, stored);
   }

pdns/recursordist/recursor_cache.hh

@@ -56,6 +56,7 @@ public:
   // but mark it as too big. Subsequent gets will cause an ImmediateServFailException to be thrown.
   static uint16_t s_maxRRSetSize;
   static bool s_limitQTypeAny;
+  static uint32_t s_maxEntrySize;
 
   [[nodiscard]] size_t size() const;
   [[nodiscard]] size_t bytes();

pdns/recursordist/settings/table.py

@@ -1500,6 +1500,19 @@
  ''',
      'versionchanged': ('4.1.0', 'The minimum value of this setting is 15. i.e. setting this to lower than 15 will make this value 15.')
     },
+    {
+        'name' : 'max_entry_size',
+        'section' : 'recordcache',
+        'oldname': 'max-recordcache-entry-size',
+        'type' : LType.Uint64,
+        'default' : '8192',
+        'help' : 'maximum storage size of a recordset stored in record cache',
+        'doc' : '''
+Maximum size of storage used by a single record cache entry. Entries larger than this number will not be stored.
+Zero means no limit.
+''',
+    'versionadded': ['5.1.10', '5.2.8', '5.3.5', '5.4.0'],
+    },
     {
         'name' : 'max_concurrent_requests_per_tcp_connection',
         'section' : 'incoming',
@@ -1576,18 +1589,43 @@
 ''',
         'runtime': 'set-max-packetcache-entries',
     },
+    {
+        'name' : 'max_entry_size',
+        'section' : 'packetcache',
+        'oldname' : 'max-packetcache-entry-size',
+        'type' : LType.Uint64,
+        'default' : '8192',
+        'help' : 'maximum size of a packet stored in the the packet cache',
+        'doc' : '''
+Maximum size of packets stored in the packet cache. Packets larger than this number will not be stored.
+Zero means no limit.
+''',
+    'versionadded': ['5.1.10', '5.2.8', '5.3.5', '5.4.0'],
+    },
     {
         'name' : 'max_qperq',
         'section' : 'outgoing',
         'type' : LType.Uint64,
         'default' : '50',
-        'help' : 'Maximum outgoing queries per query',
+        'help' : 'Maximum outgoing queries per client query',
         'doc' : '''
 The maximum number of outgoing queries that will be sent out during the resolution of a single client query.
 This is used to avoid cycles resolving names.
  ''',
         'versionchanged': ('5.1.0', 'The default used to be 60, with an extra allowance if qname minimization was enabled. Having better algorithms allows for a lower default limit.'),
     },
+    {
+        'name' : 'max_bytesperq',
+        'section' : 'outgoing',
+        'type' : LType.Uint64,
+        'default' : '100000',
+        'help' : 'Maximum number of received bytes per client query',
+        'doc' : '''
+The maximum number of cumulative bytes that will be accepted during the resolution of a single client query.
+This is useful to limit amplification attacks.
+ ''',
+        'versionadded': '5.4.0',
+    },
     {
         'name' : 'max_cnames_followed',
         'section' : 'recursor',

pdns/recursordist/syncres.cc

@@ -464,6 +464,7 @@ unsigned int SyncRes::s_maxnegttl;
 unsigned int SyncRes::s_maxbogusttl;
 unsigned int SyncRes::s_maxcachettl;
 unsigned int SyncRes::s_maxqperq;
+unsigned int SyncRes::s_maxbytesperq;
 unsigned int SyncRes::s_maxnsperresolve;
 unsigned int SyncRes::s_maxnsaddressqperq;
 unsigned int SyncRes::s_maxtotusec;
@@ -573,7 +574,7 @@ static inline void accountAuthLatency(uint64_t usec, int family)
 }
 
 SyncRes::SyncRes(const struct timeval& now) :
-  d_authzonequeries(0), d_outqueries(0), d_tcpoutqueries(0), d_dotoutqueries(0), d_throttledqueries(0), d_timeouts(0), d_unreachables(0), d_totUsec(0), d_fixednow(now), d_now(now), d_cacheonly(false), d_doDNSSEC(false), d_doEDNS0(false), d_qNameMinimization(s_qnameminimization), d_lm(s_lm)
+  d_authzonequeries(0), d_outqueries(0), d_tcpoutqueries(0), d_dotoutqueries(0), d_throttledqueries(0), d_timeouts(0), d_unreachables(0), d_bytesReceived(0), d_totUsec(0), d_fixednow(now), d_now(now), d_cacheonly(false), d_doDNSSEC(false), d_doEDNS0(false), d_qNameMinimization(s_qnameminimization), d_lm(s_lm)
 {
   d_validationContext.d_nsec3IterationsRemainingQuota = s_maxnsec3iterationsperq > 0 ? s_maxnsec3iterationsperq : std::numeric_limits<decltype(d_validationContext.d_nsec3IterationsRemainingQuota)>::max();
 }
@@ -3569,7 +3570,10 @@ vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix,
 void SyncRes::checkMaxQperQ(const DNSName& qname) const
 {
   if (d_outqueries + d_throttledqueries > s_maxqperq) {
-    throw ImmediateServFailException("more than " + std::to_string(s_maxqperq) + " (max-qperq) queries sent or throttled while resolving " + qname.toLogString());
+    throw ImmediateServFailException("More than " + std::to_string(s_maxqperq) + " (outgoing.max_qperq) queries sent or throttled while resolving " + qname.toLogString());
+  }
+  if (d_bytesReceived > s_maxbytesperq) {
+    throw ImmediateServFailException("More than " + std::to_string(s_maxbytesperq) + " (outgoing.max_bytesperq) bytes received while resolving " + qname.toLogString());
   }
 }
 
@@ -4278,13 +4282,33 @@ static bool isRedirection(QType qtype)
   return qtype == QType::CNAME || qtype == QType::DNAME;
 }
 
+// Walk the chain from qname, only adding names that can be reached
+static std::unordered_set<DNSName> sanitizeCNAMEChain(const DNSName& qname, std::unordered_map<DNSName, DNSName>& cnameChain)
+{
+  std::unordered_set<DNSName> allowed = {qname};
+  DNSName key{qname};
+  while (true) {
+    if (auto probe = cnameChain.find(key); probe != cnameChain.end()) {
+      allowed.emplace(probe->second);
+      key = probe->second;
+      // This will prevent looping in this function. CNAME loops themselves we handle higher up, see handleNewTarget()
+      cnameChain.erase(probe);
+    }
+    else {
+      break;
+    }
+  }
+  return allowed;
+}
+
 void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DNSName& qname, const QType qtype, const DNSName& auth, bool wasForwarded, bool rdQuery)
 {
   const bool wasForwardRecurse = wasForwarded && rdQuery;
   /* list of names for which we will allow A and AAAA records in the additional section
      to remain */
   std::unordered_set<DNSName> allowedAdditionals = {qname};
   std::unordered_set<DNSName> allowedAnswerNames = {qname};
+  std::unordered_map<DNSName, DNSName> cnameChain;
   bool cnameSeen = false;
   bool haveAnswers = false;
   bool acceptDelegation = false;
@@ -4359,7 +4383,7 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN
       haveAnswers = true;
       if (rec->d_type == QType::CNAME) {
         if (auto cnametarget = getRR<CNAMERecordContent>(*rec); cnametarget != nullptr) {
-          allowedAnswerNames.insert(cnametarget->getTarget());
+          cnameChain.emplace(rec->d_name, cnametarget->getTarget());
         }
         cnameSeen = cnameSeen || qname == rec->d_name;
       }
@@ -4423,6 +4447,10 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN
     acceptDelegation = true;
   }
 
+  if (cnameChain.size() > 0) {
+    auto allowed = sanitizeCNAMEChain(qname, cnameChain);
+    allowedAnswerNames.insert(allowed.begin(), allowed.end());
+  }
   sanitizeRecordsPass2(prefix, lwr, qname, qtype, auth, allowedAnswerNames, allowedAdditionals, cnameSeen, acceptDelegation && !soaInAuth, skipvec, skipCount);
 }
 
@@ -5564,6 +5592,7 @@ bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname,
     throw ImmediateServFailException("Query killed by policy");
   }
 
+  d_bytesReceived += lwr.d_bytesReceived;
   d_totUsec += lwr.d_usec;
 
   if (resolveret == LWResult::Result::Spoofed) {
@@ -5883,6 +5912,13 @@ bool SyncRes::processAnswer(unsigned int depth, const string& prefix, LWResult&
       nameservers.insert({nameserver, {{}, false}});
     }
     LOG("looping to them" << endl);
+    if (s_maxnsperresolve > 0 && nameservers.size() > s_maxnsperresolve) {
+      LOG(prefix << qname << "Reducing number of NS we are willing to consider to " << s_maxnsperresolve << endl);
+      NsSet selected;
+      std::sample(nameservers.cbegin(), nameservers.cend(), std::inserter(selected, selected.begin()), s_maxnsperresolve, pdns::dns_random_engine());
+      nameservers = std::move(selected);
+    }
+
     *gotNewServers = true;
     auth = std::move(newauth);
 
@@ -5936,11 +5972,17 @@ int SyncRes::doResolveAt(NsSet& nameservers, DNSName auth, bool flawedNSSet, con
     if (rnameservers.size() > nsLimit) {
       int newLimit = static_cast<int>(nsLimit - (rnameservers.size() - nsLimit));
       nsLimit = std::max(5, newLimit);
+      LOG("Applying nsLimit " << nsLimit << endl);
     }
 
+    // If multiple NS records resolve to the same IP, we don't want to ask again, so keep track
+    std::set<ComboAddress> visitedAddresses;
     for (auto tns = rnameservers.cbegin();; ++tns) {
       if (addressQueriesForNS >= nsLimit) {
-        throw ImmediateServFailException(std::to_string(nsLimit) + " (adjusted max-ns-address-qperq) or more queries with empty results for NS addresses sent resolving " + qname.toLogString());
+        throw ImmediateServFailException(std::to_string(nsLimit) + " (outgoing.max_ns_address_qperq) or more queries with empty results for NS addresses sent resolving " + qname.toLogString());
+      }
+      if (s_maxnsperresolve > 0 && visitedAddresses.size() > 2 * s_maxnsperresolve) {
+        throw ImmediateServFailException("More than " + std::to_string(2 * s_maxnsperresolve) + " (2 * outgoing.max_ns_per_resolve) identical queries sent to auth IPs sent resolving " + qname.toLogString());
       }
       if (tns == rnameservers.cend()) {
         LOG(prefix << qname << ": Failed to resolve via any of the " << (unsigned int)rnameservers.size() << " offered NS at level '" << auth << "'" << endl);
@@ -6038,6 +6080,11 @@ int SyncRes::doResolveAt(NsSet& nameservers, DNSName auth, bool flawedNSSet, con
         }
 
         for (remoteIP = remoteIPs.begin(); remoteIP != remoteIPs.end(); ++remoteIP) {
+          auto inserted = visitedAddresses.insert(*remoteIP).second;
+          if (!wasForwarded && !inserted) {
+            LOG(prefix << qname << ": Already visited " << remoteIP->toStringWithPort() << ", asking '" << qname << "|" << qtype << "'; skipping" << endl);
+            continue;
+          }
           LOG(prefix << qname << ": Trying IP " << remoteIP->toStringWithPort() << ", asking '" << qname << "|" << qtype << "'" << endl);
 
           if (throttledOrBlocked(prefix, *remoteIP, qname, qtype, pierceDontQuery)) {