Change behavior when RD bit unset in queries.

Change anti cache-snooping behaviour with queries with the recursion-desired bit unset. Instead to returning SERVFAIL, we now always forward, and never answer from the cache. This allows "dig +trace" command to work.
2025-12-19 10:18:25 +00:00 · 2018-09-19 22:27:11 +01:00
parent 51cc10fa54
commit 4139298d28
2 changed files with 9 additions and 6 deletions
--- a/7
+++ b/7
@@ -59,7 +59,12 @@ version 2.80
 	Returning null addresses is a useful technique for ad-blocking.
 	Thanks to Peter Russell for the suggestion.
 	
-
+	Change anti cache-snooping behaviour with queries with the
+	recursion-desired bit unset. Instead to returning SERVFAIL, we
+	now always forward, and never answer from the cache. This
+	allows "dig +trace" command to work. 
+	
+	
 version 2.79
 	Fix parsing of CNAME arguments, which are confused by extra spaces.
 	Thanks to Diego Aguirre for spotting the bug.
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1293,16 +1293,14 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
  struct mx_srv_record *rec;
  size_t len;

-  if (ntohs(header->ancount) != 0 ||
+  /* never answer queries with RD unset, to avoid cache snooping. */
+  if (!(header->hb3 & HB3_RD) ||
+      ntohs(header->ancount) != 0 ||
      ntohs(header->nscount) != 0 ||
      ntohs(header->qdcount) == 0 || 
      OPCODE(header) != QUERY )
    return 0;

-  /* always servfail queries with RD unset, to avoid cache snooping. */
-  if (!(header->hb3 & HB3_RD))
-    return setup_reply(header, qlen, NULL, F_SERVFAIL, 0);
-  
  /* Don't return AD set if checking disabled. */
  if (header->hb4 & HB4_CD)
    sec_data = 0;