mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-31 06:25:31 +00:00
It is possible to bypass the Response Rate Limiting (RRL) `responses-per-second` limitation using specially crafted wildcard names, because the current implementation, when encountering a found DNS name generated from a wildcard record, just strips the leftmost label of the name before making a key for the bucket. While that technique helps with limiting random requests like `<random>.example.com` (because all those requests will be accounted as belonging to a bucket constructed from the "example.com" name), it does not help with random names like `subdomain.<random>.example.com`.

The best solution would have been to strip not just the leftmost label, but as many labels as necessary until reaching the suffix part of the wildcard record from which the found name is generated; however, we do not have that information readily available in the context of the RRL processing code.

Fix the issue by interpreting all valid wildcard domain names as the zone's origin name concatenated to the "*" name, so they all will be put into the same bucket.
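The two keying strategies described in the commit message, modelled as an added example. This is not BIND's code: the zone (a single wildcard record `*.example.com`), the query names and the limit are constructed, the "random" labels are a deterministic counter, and the limiter is a simplified fixed-window counter that omits the other components of a real RRL bucket key such as the client address block and response type. It shows why stripping one label leaves `subdomain.<random>.example.com` queries in separate buckets, and why keying on `*.<origin>` collapses them into one.

```python
"""Model of RRL bucket keying for answers synthesized from a wildcard record.

Added example, not BIND's code. The zone, names and limit are constructed.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# Constructed zone: its only record is the wildcard *.example.com
ZONE_ORIGIN = "example.com"


def matches_wildcard(qname: str, origin: str = ZONE_ORIGIN) -> bool:
    """True when qname would be synthesized from *.<origin>.

    Assumption: the zone holds no other names, so no closer match can shadow
    the wildcard and every name strictly below the origin is a wildcard match.
    """
    q = qname.rstrip(".").lower()
    return q != origin and q.endswith("." + origin)


def key_strip_leftmost(qname: str, origin: str) -> str:
    """Pre-fix keying: drop only the leftmost label of the found name."""
    return ".".join(qname.rstrip(".").lower().split(".")[1:])


def key_wildcard_origin(qname: str, origin: str) -> str:
    """Post-fix keying: every wildcard answer is accounted as "*.<origin>"."""
    return "*." + origin.rstrip(".").lower()


class RateLimiter:
    """Fixed-window model of responses-per-second.

    Within one window at most `limit` answers are sent per bucket key; any
    further answer for that key is treated as rate-limited (dropped).
    """

    def __init__(self, limit: int, key_fn: Callable[[str, str], str],
                 origin: str = ZONE_ORIGIN) -> None:
        self.limit = limit
        self.key_fn = key_fn
        self.origin = origin
        self.counts: Dict[str, int] = defaultdict(int)

    def respond(self, qname: str) -> bool:
        """Return True if the answer for qname is sent, False if rate-limited."""
        if not matches_wildcard(qname, self.origin):
            raise ValueError(f"{qname!r} is not a wildcard match in this model")
        key = self.key_fn(qname, self.origin)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def count_allowed(limiter: RateLimiter, qnames: Iterable[str]) -> int:
    """Number of queries in one window whose answers escape the limiter."""
    return sum(1 for q in qnames if limiter.respond(q))


def bucket_keys(key_fn: Callable[[str, str], str], qnames: Iterable[str]) -> List[str]:
    """Distinct bucket keys a keying strategy produces for a set of names."""
    return sorted({key_fn(q, ZONE_ORIGIN) for q in qnames})


def sibling_names(n: int) -> List[str]:
    """Constructed <random>.example.com names (counter stands in for randomness)."""
    return [f"r{i}.{ZONE_ORIGIN}" for i in range(n)]


def grandchild_names(n: int) -> List[str]:
    """Constructed subdomain.<random>.example.com names: the bypass pattern."""
    return [f"subdomain.r{i}.{ZONE_ORIGIN}" for i in range(n)]


if __name__ == "__main__":
    LIMIT, N = 5, 20
    for label, key_fn in (("strip leftmost label", key_strip_leftmost),
                          ("*.<origin> key", key_wildcard_origin)):
        for pattern, names in (("<random>.example.com", sibling_names(N)),
                               ("subdomain.<random>.example.com", grandchild_names(N))):
            answered = count_allowed(RateLimiter(LIMIT, key_fn), names)
            buckets = len(bucket_keys(key_fn, names))
            print(f"{label:22} {pattern:32} buckets={buckets:2} answered={answered:2}/{N}")
```

With the old keying, 20 `subdomain.<random>.example.com` queries land in 20 buckets and all 20 are answered despite a limit of 5; with the `*.<origin>` key they share one bucket and only 5 get through, the same as plain `<random>.example.com` queries under either scheme.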