You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/04/30 20:13:19 UTC

[GitHub] [pulsar] lhotari opened a new pull request, #15403: [Proxy/Client] Fix DNS server denial-of-service issue when DNS entry expires

lhotari opened a new pull request, #15403:
URL: https://github.com/apache/pulsar/pull/15403

   ### Motivation
   
   - `DnsNameResolver` doesn't coordinate concurrency and this leads to DNS server DoS
     under high load
   
   Dns lookups will timeout since the DNS server will get overloaded and won't be able to respond in time.
   Example error message `query via UDP timed out after 5000 milliseconds`:
   ```
    Caused by: io.netty.resolver.dns.DnsResolveContext$SearchDomainUnknownHostException: Failed to resolve 'pulsar-testenv-pulsar-broker-2.pulsar-testenv-pulsar-broker.pulsar-testenv.svc.cluster.local' and search domain query for configured domains failed as well: [pulsar-testenv.svc.cluster.local, svc.cluster.local, cluster.local]
    	at io.netty.resolver.dns.DnsResolveContext.finishResolve(DnsResolveContext.java:1047) ~[io.netty-netty-resolver-dns-4.1.76.Final.jar:4.1.76.Final]
    	... 22 more
    Caused by: io.netty.resolver.dns.DnsNameResolverTimeoutException: [/172.30.183.10:53] query via UDP timed out after 5000 milliseconds (no stack trace available)
   ```
   
   - In Netty, `DnsAddressResolverGroup` internally uses internal `InflightNameResolver`
     class to address the problem
   
   
   
   
   ### Modification
   
   - use DnsAddressResolverGroup instead of instantiating DnsNameResolver directly
   
   ### Additional context
   
   Similar issue in AsyncHttpClient: https://github.com/AsyncHttpClient/async-http-client/issues/1650


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] Technoboy- merged pull request #15403: [Proxy/Client] Fix DNS server denial-of-service issue when DNS entry expires

Posted by GitBox <gi...@apache.org>.

Technoboy- merged PR #15403:
URL: https://github.com/apache/pulsar/pull/15403


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] michaeljmarshall commented on pull request #15403: [Proxy/Client] Fix DNS server denial-of-service issue when DNS entry expires

Posted by GitBox <gi...@apache.org>.

michaeljmarshall commented on PR #15403:
URL: https://github.com/apache/pulsar/pull/15403#issuecomment-1118847730

   I'm a bit late, but LGTM.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org