Fix DNS Proxy and DNSSEC not honoring RefuseRecordTypes (#36491)

2025-03-21 02:50:18 +03:00 · 2025-03-05 01:37:35 +08:00 · 2025-03-05 01:37:35 +08:00 · e18f697ac1
commit e18f697ac1
parent 52d5043b5e
2 changed files with 31 additions and 0 deletions
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@ -592,6 +592,11 @@ int dns_query_new(
                if (question_utf8 || question_idna)
                        return -EINVAL;

+                DnsQuestion *filtered_question_bypass = NULL;
+                r = manager_validate_and_mangle_question(m, &question_bypass->question, &filtered_question_bypass);
+                if (r < 0)
+                        return r;
+
        } else {
                bool good = false;

--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@ -1121,6 +1121,32 @@ testcase_14_refuse_record_types() {
    run dig localhost -t A
    grep -qF "status: NOERROR" "$RUN_OUT"

+    # Test DNS Proxy
+    run dig @127.0.0.54 localhost -t AAAA
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig @127.0.0.54 localhost -t SRV
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig @127.0.0.54 localhost -t TXT
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig @127.0.0.54 localhost -t A
+    grep -qF "status: NOERROR" "$RUN_OUT"
+
+    # Test DNSSEC
+    run dig localhost -t AAAA +dnssec +answer
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig localhost -t SRV +dnssec +answer
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig localhost -t TXT +dnssec +answer
+    grep -qF "status: REFUSED" "$RUN_OUT"
+
+    run dig localhost -t A +dnssec +answer
+    grep -qF "status: NOERROR" "$RUN_OUT"
+
    run resolvectl query localhost5
    grep -qF "127.128.0.5" "$RUN_OUT"