morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 08:25:20 +09:00
Code Issues Packages Projects Releases Wiki Activity

resolved: honour RefuseRecordTypes= also in proxy mode

Browse Source 
Fixes: #36491
This commit is contained in:
Lennart Poettering
2025-06-19 17:50:40 +02:00
parent 95625f3cb6
commit 576a2bc79b
2 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/resolve/resolved-dns-query.c
View File

@@ -632,6 +632,13 @@ int dns_query_new(
if (question_utf8 || question_idna)
return -EINVAL;
assert(dns_question_size(question_bypass->question) == 1);
/* In bypass mode we'll never mangle the question, but only deny or allow. (In bypass mode
* there's only going to be one entry in the query, hence there's no point in mangling
* questions, i.e. leaving some entries in and removing others.) */
if (test_refuse_record_types(m->refuse_record_types, question_bypass->question) != REFUSE_GOOD)
return -ENOANO;
} else {
bool good = false;

21
test/units/TEST-75-RESOLVED.sh
View File

@@ -1143,15 +1143,27 @@ testcase_14_refuse_record_types() {
run dig localhost -t AAAA
grep -qF "status: REFUSED" "$RUN_OUT"
run dig localhost @127.0.0.54 -t AAAA
grep -qF "status: REFUSED" "$RUN_OUT"
run dig localhost -t SRV
grep -qF "status: REFUSED" "$RUN_OUT"
run dig localhost @127.0.0.54 -t SRV
grep -qF "status: REFUSED" "$RUN_OUT"
run dig localhost -t TXT
grep -qF "status: REFUSED" "$RUN_OUT"
run dig localhost @127.0.0.54 -t TXT
grep -qF "status: REFUSED" "$RUN_OUT"
run dig localhost -t A
grep -qF "status: NOERROR" "$RUN_OUT"
run dig localhost @127.0.0.54 -t A
grep -qF "status: NOERROR" "$RUN_OUT"
run resolvectl query localhost5
grep -qF "127.128.0.5" "$RUN_OUT"
@@ -1180,12 +1192,21 @@ testcase_14_refuse_record_types() {
run dig localhost -t SRV
grep -qF "status: NOERROR" "$RUN_OUT"
run dig localhost @127.0.0.54 -t SRV
grep -qF "status: NOERROR" "$RUN_OUT"
run dig localhost -t TXT
grep -qF "status: NOERROR" "$RUN_OUT"
run dig localhost @127.0.0.54 -t TXT
grep -qF "status: NOERROR" "$RUN_OUT"
run dig localhost -t AAAA
grep -qF "status: REFUSED" "$RUN_OUT"
run dig localhost @127.0.0.54 -t AAAA
grep -qF "status: REFUSED" "$RUN_OUT"
(! run resolvectl query localhost5 --type=SRV)
grep -qF "does not have any RR of the requested type" "$RUN_OUT"