From 4139298d287eb5c57f4aa53c459cb02fc5be2495 Mon Sep 17 00:00:00 2001 From: Simon Kelley Date: Wed, 19 Sep 2018 22:27:11 +0100 Subject: [PATCH 2/2] Change behavior when RD bit unset in queries. Change anti cache-snooping behaviour with queries with the recursion-desired bit unset. Instead to returning SERVFAIL, we now always forward, and never answer from the cache. This allows "dig +trace" command to work. Signed-off-by: Kevin Darbyshire-Bryant --- CHANGELOG | 7 ++++++- src/rfc1035.c | 8 +++----- 2 files changed, 9 insertions(+), 6 deletions(-) --- a/CHANGELOG +++ b/CHANGELOG @@ -59,7 +59,12 @@ version 2.80 Returning null addresses is a useful technique for ad-blocking. Thanks to Peter Russell for the suggestion. - + Change anti cache-snooping behaviour with queries with the + recursion-desired bit unset. Instead to returning SERVFAIL, we + now always forward, and never answer from the cache. This + allows "dig +trace" command to work. + + version 2.79 Fix parsing of CNAME arguments, which are confused by extra spaces. Thanks to Diego Aguirre for spotting the bug. --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -1293,16 +1293,14 @@ size_t answer_request(struct dns_header struct mx_srv_record *rec; size_t len; - if (ntohs(header->ancount) != 0 || + /* never answer queries with RD unset, to avoid cache snooping. */ + if (!(header->hb3 & HB3_RD) || + ntohs(header->ancount) != 0 || ntohs(header->nscount) != 0 || ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) return 0; - /* always servfail queries with RD unset, to avoid cache snooping. */ - if (!(header->hb3 & HB3_RD)) - return setup_reply(header, qlen, NULL, F_SERVFAIL, 0); - /* Don't return AD set if checking disabled. */ if (header->hb4 & HB4_CD) sec_data = 0;