From: bert hubert Date: Thu, 24 Aug 2017 12:29:03 +0000 (+0200) Subject: Make dnsdist dynamic truncate do right thing on TCP/IP X-Git-Tag: auth-4.1.0-rc1~2^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8477236d0a4ee4b7454485c4e6c5870e58317b86;p=pdns Make dnsdist dynamic truncate do right thing on TCP/IP Winfried noted that our new dynamic truncation rule worked fine on UDP, but on TCP/IP a truncate would be converted into a drop, which was not the intended effect. This commit makes dynamic truncate a NOOP on TCP. --- diff --git a/pdns/dnsdist.cc b/pdns/dnsdist.cc index 53c25c865..7466b7d54 100644 --- a/pdns/dnsdist.cc +++ b/pdns/dnsdist.cc @@ -878,23 +878,33 @@ bool processQuery(LocalStateHolder >& localDynNMGBlock, if(auto got=localDynNMGBlock->lookup(*dq.remote)) { if(now < got->second.until) { - g_stats.dynBlocked++; - got->second.blocks++; DNSAction::Action action = got->second.action; if (action == DNSAction::Action::None) { action = g_dynBlockAction; } if (action == DNSAction::Action::Refused) { vinfolog("Query from %s refused because of dynamic block", dq.remote->toStringWithPort()); + g_stats.dynBlocked++; + got->second.blocks++; + dq.dh->rcode = RCode::Refused; dq.dh->qr=true; return true; } - else if (action == DNSAction::Action::Truncate && !dq.tcp) { - vinfolog("Query from %s truncated because of dynamic block", dq.remote->toStringWithPort()); - dq.dh->tc = true; - dq.dh->qr = true; - return true; + else if (action == DNSAction::Action::Truncate) { + if(!dq.tcp) { + g_stats.dynBlocked++; + got->second.blocks++; + + vinfolog("Query from %s truncated because of dynamic block", dq.remote->toStringWithPort()); + dq.dh->tc = true; + dq.dh->qr = true; + return true; + } + else { + vinfolog("Query from %s for %s over TCP *not* truncated because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString()); + } + } else { vinfolog("Query from %s dropped because of dynamic block", dq.remote->toStringWithPort()); 
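Review bot: The final `else` (drop) branch no longer counts the block. The increments of `g_stats.dynBlocked` and `got->second.blocks` were moved off the common path into the Refused and UDP-truncate branches only, and no added line restores them where the query is dropped. The drop branch continues past the end of this hunk, but those lines are unchanged and the counters used to sit at the top, so dropped queries most likely stop appearing in the dynamic-block statistics, which hides active blocks from monitoring. I would add `g_stats.dynBlocked++; got->second.blocks++;` next to the "dropped because of dynamic block" log line, and `g_stats.dynBlocked++; got->blocks++;` in the same branch of the `localDynSMTBlock` hunk that follows.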
@@ -905,23 +915,32 @@ bool processQuery(LocalStateHolder >& localDynNMGBlock, if(auto got=localDynSMTBlock->lookup(*dq.qname)) { if(now < got->until) { - g_stats.dynBlocked++; - got->blocks++; DNSAction::Action action = got->action; if (action == DNSAction::Action::None) { action = g_dynBlockAction; } if (action == DNSAction::Action::Refused) { vinfolog("Query from %s for %s refused because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString()); + g_stats.dynBlocked++; + got->blocks++; + dq.dh->rcode = RCode::Refused; dq.dh->qr=true; return true; } - else if (action == DNSAction::Action::Truncate && !dq.tcp) { - vinfolog("Query from %s for %s truncated because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString()); - dq.dh->tc = true; - dq.dh->qr = true; - return true; + else if (action == DNSAction::Action::Truncate) { + if(!dq.tcp) { + g_stats.dynBlocked++; + got->blocks++; + + vinfolog("Query from %s for %s truncated because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString()); + dq.dh->tc = true; + dq.dh->qr = true; + return true; + } + else { + vinfolog("Query from %s for %s over TCP *not* truncated because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString()); + } } else { vinfolog("Query from %s for %s dropped because of dynamic block", dq.remote->toStringWithPort(), dq.qname->toString());
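Review bot: The new TCP `else` arm under `Action::Truncate` only logs and then leaves the dynamic-block check, and nothing in the code says this is deliberate. A matching query over TCP is then presumably handled as if no block existed, and it is not counted. A short comment in that arm would stop a later reader from turning it back into a drop, for example `// Truncate is a no-op over TCP: fall through and handle the query normally, uncounted`. The same comment fits the matching arm in the `localDynNMGBlock` hunk above. It would also help operators if the documentation stated that a Truncate dynamic block places no limit on TCP queries from the blocked source or for the blocked name.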