From 5af7506d106b85773d0b157e025fe5ac31d983b6 Mon Sep 17 00:00:00 2001
From: bert hubert
Date: Sun, 14 Jan 2018 20:17:48 +0100
Subject: [PATCH] dnsdist had problems with large AXFR as it checked first record of second envelope against the original qname. With this commit, the check against spoofing is only performed against the first message, and not against subsequent ones. Thanks to Janne for help debugging this issue.
---
 pdns/dnsdist-tcp.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pdns/dnsdist-tcp.cc b/pdns/dnsdist-tcp.cc
index 74d03b06c..f23b4c158 100644
--- a/pdns/dnsdist-tcp.cc
+++ b/pdns/dnsdist-tcp.cc
@@ -484,7 +484,7 @@ void* tcpClientThread(int pipefd)
 sendSizeAndMsgWithTimeout(dsock, dq.len, query, ds->tcpSendTimeout, &ds->remote, &ds->sourceAddr, ds->sourceItf, 0, socketFlags);
 }
 catch(const runtime_error& e) {
- vinfolog("Downstream connection to %s died on us, getting a new one!", ds->getName());
+ vinfolog("Downstream connection to %s died on us (%s), getting a new one!", ds->getName(), e.what());
 close(dsock);
 dsock=-1;
 sockets.erase(ds->remote);
@@ -502,7 +502,7 @@ void* tcpClientThread(int pipefd)
 if (isXFR) {
 dq.skipCache = true;
 }
-
+ bool firstPacket=true;
 getpacket:;
 
 if(!getNonBlockingMsgLen(dsock, &rlen, ds->tcpRecvTimeout)) {
@@ -544,10 +544,10 @@ void* tcpClientThread(int pipefd)
 break;
 }
 
- if (!responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {
+ if (firstPacket && !responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {
 break;
 }
-
+ firstPacket=false;
 if (!fixUpResponse(&response, &responseLen, &responseSize, qname, origFlags, ednsAdded, ecsAdded, rewrittenResponse, addRoom)) {
 break;
 }
-- 
2.40.0
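Review bot: The new `bool firstPacket=true;` in the second hunk is what decides whether a downstream message is validated at all, yet nothing says why validation is dropped after the first message, and the flag is initialised for every query rather than only when `isXFR` is set. A comment at the declaration would stop the next reader from "fixing" the check back to every message: `// Only the first message of a multi-message (XFR) answer is checked against the original question; later messages may omit it (RFC 5936), so responseContentMatches() would wrongly reject them.` The enclosing tcpClientThread body starts and ends outside the hunk.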
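Review bot: In the third hunk, once `firstPacket` is false every further message read from the reused downstream socket is forwarded to the client with no check at all, since `responseContentMatches` was the only place the response was tied to the query. Later XFR messages may legitimately omit the question section, but their header ID still has to equal the query's, and that cheap check would still catch a stale or mismatched response left on the connection by an earlier query (for example one that hit `ds->tcpRecvTimeout`). Suggest keeping an ID-only check for subsequent messages, e.g. `if (!firstPacket && (responseLen < sizeof(dnsheader) || reinterpret_cast<const dnsheader*>(response)->id != QUERY_ID)) { break; }`, where QUERY_ID stands for the transaction ID dnsdist sent upstream for this query. The loop that jumps back to `getpacket` for the next message lies outside the hunk.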