Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix(dnstap): add bounds for plugin args #7557

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yongtang merged 1 commit into from
Sep 19, 2025
Merged

fix(dnstap): add bounds for plugin args #7557

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion plugin/dnstap/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,14 @@ dnstap SOCKET [full] [writebuffer] [queue] {

* **SOCKET** is the socket (path) supplied to the dnstap command line tool.
* `full` to include the wire-format DNS message.
* **writebuffer** sets the TCP write buffer multiplier in MiB. Valid range: [1, 1024].
* **queue** sets the queue multiplier, applied to 10,000 messages. Valid range: [1, 4096].
* **IDENTITY** to override the identity of the server. Defaults to the hostname.
* **VERSION** to override the version field. Defaults to the CoreDNS version.
* **EXTRA** to define "extra" field in dnstap payload, [metadata](../metadata/) replacement available here.
* `skipverify` to skip tls verification during connection. Default to be secure


## Examples

Log information about client requests and responses to */tmp/dnstap.sock*.
Expand All @@ -38,7 +41,7 @@ Log information about client requests and responses to */tmp/dnstap.sock*.
dnstap /tmp/dnstap.sock
~~~

Log information about client requests and responses and tcp write buffer is 1024*Mb and queue is 2048*10000.
Log information about client requests and responses with a custom TCP write buffer (1024 MiB) and queue capacity (2048 x 10000).

~~~ txt
dnstap /tmp/dnstap.sock full 1024 2048
Expand Down
29 changes: 26 additions & 3 deletions plugin/dnstap/setup.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,14 @@ var log = clog.NewWithPlugin("dnstap")

func init() { plugin.Register("dnstap", setup) }

const (
// Upper bounds chosen to keep memory use and kernel socket buffer requests reasonable
// while allowing large configurations. Write buffer multiple is in MiB units; queue
// multiple is applied to 10,000 messages. See plugin README for parameter semantics.
maxMultipleTcpWriteBuf = 1024 // up to 1 GiB write buffer per TCP connection
maxMultipleQueue = 4096 // up to 40,960,000 enqueued messages
)

func parseConfig(c *caddy.Controller) ([]*Dnstap, error) {
dnstaps := []*Dnstap{}

Expand All @@ -37,11 +45,26 @@ func parseConfig(c *caddy.Controller) ([]*Dnstap, error) {
endpoint := args[0]

if len(args) >= 3 {
d.MultipleTcpWriteBuf, _ = strconv.Atoi(args[2])
tcpWriteBuf := args[2]
if v, err := strconv.Atoi(tcpWriteBuf); err == nil {
if v < 1 || v > maxMultipleTcpWriteBuf {
return nil, c.Errf("dnstap: MultipleTcpWriteBuf must be between 1 and %d (MiB units): %d", maxMultipleTcpWriteBuf, v)
}
d.MultipleTcpWriteBuf = v
} else {
return nil, c.Errf("dnstap: invalid MultipleTcpWriteBuf %q: %v", tcpWriteBuf, err)
}
}

if len(args) >= 4 {
d.MultipleQueue, _ = strconv.Atoi(args[3])
qSize := args[3]
if v, err := strconv.Atoi(qSize); err == nil {
if v < 1 || v > maxMultipleQueue {
return nil, c.Errf("dnstap: MultipleQueue must be between 1 and %d (x10k messages): %d", maxMultipleQueue, v)
}
d.MultipleQueue = v
} else {
return nil, c.Errf("dnstap: invalid MultipleQueue %q: %v", qSize, err)
}
}

var dio *dio
Expand Down
8 changes: 8 additions & 0 deletions plugin/dnstap/setup_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,14 @@ func TestConfig(t *testing.T) {
{"dnstap dnstap.sock {\nidentity\n}\n", true, []results{{"dnstap.sock", false, "unix", []byte(hostname), []byte("-"), "", 1, 1}}},
{"dnstap dnstap.sock {\nversion\n}\n", true, []results{{"dnstap.sock", false, "unix", []byte(hostname), []byte("-"), "", 1, 1}}},
{"dnstap dnstap.sock {\nextra\n}\n", true, []results{{"dnstap.sock", false, "unix", []byte(hostname), []byte("-"), "", 1, 1}}},
// Limits and parsing for writebuffer (MiB) and queue (x10k)
{"dnstap dnstap.sock full 1024 2048", false, []results{{"dnstap.sock", true, "unix", []byte(hostname), []byte("-"), "", 1024, 2048}}},
{"dnstap dnstap.sock full 1025 1", true, []results{{"dnstap.sock", true, "unix", []byte(hostname), []byte("-"), "", 1, 1}}},
{"dnstap dnstap.sock full 1 4097", true, []results{{"dnstap.sock", true, "unix", []byte(hostname), []byte("-"), "", 1, 1}}},
{"dnstap dnstap.sock full 0 10", true, []results{{"dnstap.sock", true, "unix", []byte(hostname), []byte("-"), "", 1, 1}}},
{"dnstap dnstap.sock full 10 0", true, []results{{"dnstap.sock", true, "unix", []byte(hostname), []byte("-"), "", 1, 1}}},
{"dnstap dnstap.sock full x 10", true, []results{{"dnstap.sock", true, "unix", []byte(hostname), []byte("-"), "", 1, 1}}},
{"dnstap dnstap.sock full 10 y", true, []results{{"dnstap.sock", true, "unix", []byte(hostname), []byte("-"), "", 1, 1}}},
}
for i, tc := range tests {
c := caddy.NewTestController("dns", tc.in)
Expand Down
Loading