PowerDNS / pdns

PowerDNS Authoritative, PowerDNS Recursor, dnsdist
https://www.powerdns.com/
GNU General Public License v2.0

dnsdist: Separate timeouts for TCP and TLS over TCP #11717

Open jacobbunk opened 2 years ago

jacobbunk commented 2 years ago

Short description

It would be great to control timeout values separately for TCP connections and TLS connections, mainly because TLS connections are much more expensive to re-establish once they time out, and because allowing long-established TCP connections could be a DoS attack vector.

Use case

We use dnsdist on an authoritative server. We see a lot of connections for DoT from different IPv6 addresses from Google. They usually only run a single query before the connection times out after 5 seconds. 10-30 seconds later they reconnect and make another query. This way we close 3-500 connections per second across all our nodes. The easy fix is of course just to increase the setMaxTCPConnectionDuration() and setTCPRecvTimeout() (the split mentioned in https://github.com/PowerDNS/pdns/issues/10143 would also be nice).

My fear with increasing the lifetime of idle TCP connections is that it then becomes very easy to exhaust our resources for handling new TCP connections, simply by creating many idle TCP connections. A TLS connection is more expensive to set up for both ends of the connection, so using that as a DoS attack vector will also require significant computational resources on the attacker's end, which is why I think it makes sense to have higher timeout values.

Description

Add an option to set setMaxTLSRecvTimeout() and setMaxTLSSendTimeout() in addition to their TCP equivalents, and potentially also add a setMaxTLSConnectionDuration(), since TCP is used quite differently for regular DNS on port 53 and for encrypted DNS over port 443 or 853.
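The trade-off the request describes can be seen in a dnsdist configuration. The following is an added example, not configuration from the issue or from the dnsdist project, using only settings that exist in dnsdist today: the TCP timeouts are global, so a Do53/TCP frontend and a DoT frontend share them. Certificate paths, the upstream address and all numeric values are placeholders chosen for illustration.

```lua
-- Added example; placeholder addresses, paths and values.
-- Plain DNS on 53 and DNS-over-TLS on 853 are served from one process.
setLocal("0.0.0.0:53")
addTLSLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")
newServer({address = "127.0.0.1:5300"})

-- These TCP timeouts are global: there is no TLS-specific variant, so raising
-- them to keep DoT sessions alive also keeps idle plain-TCP sessions alive.
setTCPRecvTimeout(30)              -- seconds to wait for a query on an open connection
setTCPSendTimeout(5)               -- seconds to wait while writing a response
setMaxTCPConnectionDuration(300)   -- hard cap on a connection's lifetime, in seconds

-- With longer idle timeouts, bound what one client and the whole frontend can
-- hold so that many idle connections cannot starve new ones.
setMaxTCPConnectionsPerClient(10)  -- per source address; 0 means unlimited
setMaxTCPQueriesPerConnection(100) -- close after this many queries
setMaxTCPQueuedConnections(1000)   -- backlog before new TCP connections are dropped
setMaxTCPClientThreads(10)         -- threads serving TCP/TLS clients
```

Per-client and queue caps limit the damage from idle connections regardless of which timeout is raised; the separate TLS timeouts requested here would let the longer values apply only where the reconnection cost justifies them.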

rgacogne commented 2 years ago

That seems like a very reasonable feature request to me. It should not be hard to implement and I would happily merge a PR implementing these changes if anyone is motivated :)

A TLS connection is more expensive to set up for both ends of the connection, so using that as a DoS attack vector will also require significant computational resources on the attacker's end, which is why I think it makes sense to have higher timeout values.

I'm a bit concerned this might not be true in practice, because the cost of opening a TLS connection is not that high for the client, especially if it knows how to reuse TLS tickets, and then it only has to keep it open for as long as possible. Still, in my opinion that does not make this feature request less worthy.