From 2154c09df5706baae597518fe23e30842c2bf1d6 Mon Sep 17 00:00:00 2001
From: bert hubert
Date: Sun, 14 Jan 2018 20:17:48 +0100
Subject: [PATCH] dnsdist had problems with large AXFR as it checked first record of second envelope against the original qname. With this commit, the check against spoofing is only performed against the first message, and not against subsequent ones. Thanks to Janne for help debugging this issue. (cherry picked from commit 5af7506d106b85773d0b157e025fe5ac31d983b6)
---
 pdns/dnsdist-tcp.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pdns/dnsdist-tcp.cc b/pdns/dnsdist-tcp.cc
index 6deae5f1a..89a69163e 100644
--- a/pdns/dnsdist-tcp.cc
+++ b/pdns/dnsdist-tcp.cc
@@ -496,7 +496,7 @@ void* tcpClientThread(int pipefd)
 sendSizeAndMsgWithTimeout(dsock, dq.len, query, ds->tcpSendTimeout, &ds->remote, &ds->sourceAddr, ds->sourceItf, 0, socketFlags);
 }
 catch(const runtime_error& e) {
- vinfolog("Downstream connection to %s died on us, getting a new one!", ds->getName());
+ vinfolog("Downstream connection to %s died on us (%s), getting a new one!", ds->getName(), e.what());
 close(dsock);
 dsock=-1;
 sockets.erase(ds->remote);
@@ -514,7 +514,7 @@ void* tcpClientThread(int pipefd)
 if (isXFR) {
 dq.skipCache = true;
 }
-
+ bool firstPacket=true;
 getpacket:;
 
 if(!getNonBlockingMsgLen(dsock, &rlen, ds->tcpRecvTimeout)) {
@@ -556,10 +556,10 @@ void* tcpClientThread(int pipefd)
 break;
 }
 
- if (!responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {
+ if (firstPacket && !responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {
 break;
 }
-
+ firstPacket=false;
 if (!fixUpResponse(&response, &responseLen, &responseSize, qname, origFlags, ednsAdded, ecsAdded, rewrittenResponse, addRoom)) {
 break;
 }
-- 
2.40.0
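Review bot: The new `bool firstPacket=true;` is placed directly above the `getpacket:;` label, and that ordering carries the whole meaning of the fix — a jump back to the label (presumably how later XFR envelopes are fetched) keeps the flag at false, while a fresh pass through the declaration resets it — yet nothing in the hunk says so. A short comment on the declaration would keep the next maintainer from "tidying" it past the label, e.g. `// must stay above getpacket: only the first message of a (possibly multi-message XFR) response is validated against the original question`. tcpClientThread's body continues outside this hunk in both directions.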
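Review bot: The relaxed condition on the `if (firstPacket && !responseContentMatches(...))` line drops the qname/qtype/qclass validation for every message after the first, not only for XFR envelopes; if the loop ever revisits `getpacket` for a non-XFR query (the loop structure is outside this hunk), those later messages would now be accepted unchecked. Since `isXFR` is already in scope (it is tested in the previous hunk), confining the relaxation to transfers keeps the original protection for ordinary queries: `if ((firstPacket || !isXFR) && !responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {`. Whether a lighter check (for instance on the transaction ID alone) could still be applied to the subsequent envelopes depends on what responseContentMatches compares, which is not visible here; if it can, that would be worth keeping for the second and later messages too. tcpClientThread's body continues outside this hunk in both directions.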