Handle malformed DNS replies better.

If we detect that that reply from usptream is malformed,
transform it into a SERVFAIL reply before sending to the
original requestor.

src/forward.c

@@ -821,12 +821,22 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 	    n = rrfilter(header, n, RRFILTER_AAAA);
 	}
 
-      if (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
+      switch (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
 	{
+	case 1:
 	  my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
 	  munged = 1;
 	  cache_secure = 0;
 	  ede = EDE_BLOCKED;
+	  break;
+	  
+	  /* extract_addresses() found a malformed answer. */
+	case 2:
+	  munged = 1;
+	  SET_RCODE(header, SERVFAIL);
+	  cache_secure = 0;
+	  ede = EDE_OTHER;
+	  break;
 	}
 
       if (doctored)