Return REFUSED in auth mode when we are not authoritative for the query.

2025-12-20 02:38:32 +00:00 · 2021-07-20 17:15:36 +01:00
parent c068b3ae2f
commit f83c6cf51a
2 changed files with 18 additions and 3 deletions
--- a/src/auth.c
+++ b/src/auth.c
@@ -105,7 +105,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
  int nameoffset, axfroffset = 0;
  int q, anscount = 0, authcount = 0;
  struct crec *crecp;
-  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0;
+  int  auth = !local_query, trunc = 0, nxdomain = 1, soa = 0, ns = 0, axfr = 0, out_of_zone = 0;
  struct auth_zone *zone = NULL;
  struct addrlist *subnet = NULL;
  char *cut;
@@ -146,6 +146,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
      if (qclass != C_IN)
 	{
 	  auth = 0;
 	  out_of_zone = 1;
 	  continue;
 	}
@@ -159,6 +160,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  if (!zone)
 	    {
 	      out_of_zone = 1;
 	      auth = 0;
 	      continue;
 	    }
@@ -284,6 +286,7 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  if (!zone)
 	    {
 	      out_of_zone = 1;
 	      auth = 0;
 	      continue;
 	    }
@@ -877,10 +880,22 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
    SET_RCODE(header, NXDOMAIN);
  else
    SET_RCODE(header, NOERROR); /* no error */
  header->ancount = htons(anscount);
  header->nscount = htons(authcount);
  header->arcount = htons(0);
  if (!local_query && out_of_zone)
    {
      SET_RCODE(header, REFUSED); 
      header->ancount = htons(0);
      header->nscount = htons(0);
      addr.log.rcode = REFUSED;
      addr.log.ede = EDE_NOT_AUTH;
      log_query(F_UPSTREAM | F_RCODE, "error", &addr, NULL);
      return resize_packet(header,  ansp - (unsigned char *)header, NULL, 0);
    }
  /* Advertise our packet size limit in our reply */
  if (have_pseudoheader)
    return add_pseudoheader(header,  ansp - (unsigned char *)header, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
--- a/src/cache.c
+++ b/src/cache.c
@@ -1974,7 +1974,7 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg)
    source = "reply";
  else if (flags & F_SECSTAT)
    {
-      if (addr && addr->log.ede != EDE_UNSET)
+      if (addr && addr->log.ede != EDE_UNSET && option_bool(OPT_EXTRALOG))
 	{
 	  extra = daemon->addrbuff;
 	  sprintf(extra, " (EDE: %s)", edestr(addr->log.ede));
@@ -2023,5 +2023,5 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg)
 	}
    }
  else
-    my_syslog(LOG_INFO, "%s %s %s %s", source, name, verb, dest);
+    my_syslog(LOG_INFO, "%s %s %s %s%s", source, name, verb, dest, extra);
 }