From be291d979dd42b2e2227ae88e37c3103a25dd0f6 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Mon, 21 Jun 2021 16:59:42 +0100
Subject: [PATCH] Include EDNS0 in connmark REFUSED replies.
---
 src/forward.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/forward.c b/src/forward.c
index 8ab6c4a..9b8b8db 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1547,6 +1547,9 @@ void receive_query(struct listener *listen, time_t now) { m = answer_disallowed(header, (size_t)n, (u32)mark, is_single_query ? daemon->namebuff : NULL); + if (have_pseudoheader && m != 0) + m = add_pseudoheader(header, m, ((unsigned char *) header) + udp_size, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0); + if (m >= 1) { send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
@@ -1958,7 +1961,12 @@ unsigned char *tcp_request(int confd, time_t now,
 if (0);
 #ifdef HAVE_CONNTRACK
 else if (!allowed)
- m = answer_disallowed(header, size, (u32)mark, is_single_query ? daemon->namebuff : NULL);
+ {
+ m = answer_disallowed(header, size, (u32)mark, is_single_query ? daemon->namebuff : NULL);
+
+ if (have_pseudoheader && m != 0)
+ m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
+ }
 #endif
 #ifdef HAVE_AUTH
 else if (auth_dns)
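Review bot: In the added `add_pseudoheader` call the write limit is `((unsigned char *) header) + udp_size`, and `udp_size`, `have_pseudoheader` and `do_bit` are all assigned outside this hunk, so nothing visible here shows that the limit stays inside the packet buffer on this path. Because this branch builds replies to queries the connmark policy has just rejected, I would confirm the clamping earlier in `receive_query` and record it at the call, e.g. `/* udp_size is bounded by daemon->edns_pktsz before we get here, so limit stays within the packet buffer */`, if that is indeed what the earlier code guarantees. The positional tail `0, NULL, 0, do_bit, 0` would also read better with a short comment naming what each argument means. The same two statements are repeated in the `tcp_request` hunk; folding them into one small static helper that takes the limit pointer would keep the UDP and TCP REFUSED replies from drifting apart.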
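Review bot: The limit `((unsigned char *) header) + 65536` in the added block hard-codes the size of the TCP packet buffer, whose allocation is outside this hunk, so a later change to that allocation would leave this bound pointing past the end of the buffer without any compiler diagnostic. A named constant shared with the allocation would tie the two together, for example `#define TCP_PACKET_MAX 65536` (name constructed for illustration) used as `((unsigned char *) header) + TCP_PACKET_MAX`. It is also worth checking that `m` after the call still fits the length field used when the reply is written back to the client, since that write happens further down in `tcp_request`, beyond the hunk.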