From 1023dcbc9e358e42c005414b2f54b3a65daf3b8c Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Mon, 9 Apr 2012 18:00:08 +0100
Subject: [PATCH] Don't cache DNS data from non-recursive nameservers.
---
 CHANGELOG | 4 ++++
 src/rfc1035.c | 14 ++++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 5e78f5e..c100d97 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -77,6 +77,10 @@ version 2.61
 Tweak logo/favicon.ico to add some transparency. Thanks to SamLT for work on this.
+ Don't cache data from non-recursive nameservers, since it
+ may erroneously look like a valid CNAME to a non-exitant
+ name. Thanks to Ben Winslow for finding this.
+
 version 2.60
 Fix compilation problem in Mac OS X Lion. Thanks to Olaf
diff --git a/src/rfc1035.c b/src/rfc1035.c
index ea7678b..15abc25 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1003,10 +1003,16 @@ int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t
 }
 }
- /* Don't put stuff from a truncated packet into the cache,
- also don't cache replies where DNSSEC validation was turned off, either
- the upstream server told us so, or the original query specified it. */
- if (!(header->hb3 & HB3_TC) && !(header->hb4 & HB4_CD) && !checking_disabled)
+ /* Don't put stuff from a truncated packet into the cache.
+ Don't cache replies where DNSSEC validation was turned off, either
+ the upstream server told us so, or the original query specified it.
+ Don't cache replies from non-recursive nameservers, since we may get a
+ reply containing a CNAME but not its target, even though the target
+ does exist. */
+ if (!(header->hb3 & HB3_TC) &&
+ !(header->hb4 & HB4_CD) &&
+ (header->hb4 & HB4_RA) &&
+ !checking_disabled)
 cache_end_insert();
 return 0;
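Review bot: The new `(header->hb4 & HB4_RA)` test in the `if` before `cache_end_insert()` also stops caching for any upstream that legitimately answers without offering recursion, such as an authoritative server configured for a single domain, so every lookup for those names is forwarded again and nothing in this hunk tells the operator why. The comment should state that side effect, for example `Side effect: answers from authoritative-only upstreams are never cached.`, and the option documentation would be a better place for the user-facing notice than the CHANGELOG alone. RA is a header bit taken from the reply itself, so this check filters incomplete CNAME answers and does not authenticate the source; any validation of where the reply came from happens outside this hunk. Only the tail of extract_addresses() is visible, so whether records handed to the cache earlier in the function are discarded when `cache_end_insert()` is skipped cannot be confirmed from here.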