Open chrisohaver opened 2 years ago
Changes merged. This can close once CoreDNS is tagged/released with the fix coredns/coredns#5308, and go modules in this repo are updated.
It looks like this change has been merged as well. Is this still an actual issue, or can this be closed/notes be fixed on the README?
It’s solved for the file plugin, but I think it’s still an issue for wildcards served from other sources such as from upstream servers, or any plugin that synthesizes wildcard answers and does not create the wildcard metadata.
Employing a Response Rate Limiting function in CoreDNS (e.g. this plugin) was recommended in Trail of Bits' security review of CoreDNS to help prevent DNS reflection attacks.
There is a known issue that would be good to fix: the rrl plugin is susceptible to wildcard flooding. That is, an attacker can abuse a known wildcard to generate an (almost) unlimited number of unique queries, and thus launch a DNS reflection attack while keeping quotas under rrl limits.
BIND's RRL implementation solves this by lumping all responses synthesized by a given wildcard into one bucket for that wildcard. For CoreDNS to do this, it needs to be aware of the wildcards served by a zone.
The solution (in progress) will involve changes to this repo, but also to require changes to some plugins in CoreDNS (plugins that support wildcard records). This would mostly be file, auto, and other plugins that use the Zone package to serve zones. I can think of two different general approaches to implement this in CoreDNS:
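The wildcard-flooding problem and the BIND-style fix described in the issue, as an added example written for this page (it is not the rrl plugin's code nor CoreDNS's `Zone` package). It models a single rate-limit window with a per-key budget instead of rrl's time-refilled token buckets, uses a constructed toy zone (`example.org.` with a `*.example.org.` wildcard) and a constructed spoofed victim address, and keys buckets by the client /24 prefix plus either the queried name or the wildcard owner that synthesized the answer. The function and type names (`Zone`, `Limiter`, `ResponseKey`, `Flood`) are this example's own:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Zone is a toy zone for this example: a set of owner names, some of which
// are wildcards ("*.example.org."). It is not the CoreDNS file plugin's Zone.
type Zone struct{ names map[string]bool }

func NewZone(owners ...string) *Zone {
	z := &Zone{names: map[string]bool{}}
	for _, o := range owners {
		z.names[strings.ToLower(o)] = true
	}
	return z
}

// Lookup reports which owner name produced the answer for qname: the exact
// name if present, otherwise the wildcard at the closest encloser (RFC 4592).
// Walking up the ancestors, an existing ancestor with no wildcard means the
// closest encloser has no wildcard, so the name does not exist.
func (z *Zone) Lookup(qname string) (owner string, ok bool) {
	q := strings.ToLower(qname)
	if z.names[q] {
		return q, true
	}
	labels := strings.Split(strings.TrimSuffix(q, "."), ".")
	for i := 1; i < len(labels); i++ {
		ancestor := strings.Join(labels[i:], ".") + "."
		if z.names["*."+ancestor] {
			return "*." + ancestor, true
		}
		if z.names[ancestor] {
			return "", false // closest encloser exists, no wildcard under it
		}
	}
	return "", false
}

// Limiter stands in for the rrl plugin's buckets: each key may produce at
// most limit responses. Refill over time is omitted; one window is modelled.
type Limiter struct {
	limit int
	used  map[string]int
}

func NewLimiter(limit int) *Limiter {
	return &Limiter{limit: limit, used: map[string]int{}}
}

// Allow spends one unit of the key's budget; false means the response is
// dropped (or would be slipped/truncated in a real RRL implementation).
func (l *Limiter) Allow(key string) bool {
	if l.used[key] >= l.limit {
		return false
	}
	l.used[key]++
	return true
}

// clientPrefix aggregates clients the way RRL does, by network prefix.
func clientPrefix(ip net.IP) string {
	if v4 := ip.To4(); v4 != nil {
		return v4.Mask(net.CIDRMask(24, 32)).String() + "/24"
	}
	return ip.Mask(net.CIDRMask(56, 128)).String() + "/56"
}

// ResponseKey builds the bucket key for a positive answer. With
// wildcardAware=false the key carries the queried name, so every name
// synthesized from the wildcard lands in its own fresh bucket. With
// wildcardAware=true it carries the wildcard owner instead, lumping all
// synthesized answers together as BIND does. NXDOMAIN is out of scope here.
func ResponseKey(client net.IP, qname string, z *Zone, wildcardAware bool) (string, bool) {
	owner, ok := z.Lookup(qname)
	if !ok {
		return "", false
	}
	name := strings.ToLower(qname)
	if wildcardAware {
		name = owner
	}
	return clientPrefix(client) + "|" + name, true
}

// Flood simulates a reflection attack: n queries for distinct names under the
// wildcard, all spoofed from the victim's address. It returns how many
// responses the limiter lets through toward the victim.
func Flood(z *Zone, n, limit int, wildcardAware bool) int {
	l := NewLimiter(limit)
	victim := net.ParseIP("198.51.100.7") // constructed spoofed source address
	allowed := 0
	for i := 0; i < n; i++ {
		qname := fmt.Sprintf("r%d.example.org.", i)
		if key, ok := ResponseKey(victim, qname, z, wildcardAware); ok && l.Allow(key) {
			allowed++
		}
	}
	return allowed
}

func main() {
	z := NewZone("example.org.", "www.example.org.", "*.example.org.")
	fmt.Println("responses reflected, per-qname buckets:   ", Flood(z, 1000, 5, false))
	fmt.Println("responses reflected, per-wildcard buckets:", Flood(z, 1000, 5, true))
}
```

With a budget of 5 responses per key, the per-qname keying lets all 1000 unique-name queries through (each is a fresh bucket), while keying on the wildcard owner caps the whole flood at 5. This is why the fix needs the serving plugin to tell rrl that an answer was synthesized from a wildcard, and which one: the limiter cannot derive that from the query name alone.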