From: Remi Gacogne
Date: Thu, 13 Jun 2019 12:22:06 +0000 (+0200)
Subject: dnsdist: Return HTTP/403 for ACL drops instead of closing the conn
X-Git-Tag: dnsdist-1.4.0-rc1~65^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b6a68993e8ea2a2ade5f040f829d2b329fa8826;p=thirdparty%2Fpdns.git

dnsdist: Return HTTP/403 for ACL drops instead of closing the conn
---
diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index a62038df32..a8cf907066 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -341,6 +341,14 @@ try
 h2o_socket_getsockname(sock, reinterpret_cast(&local));
 DOHServerConfig* dsc = reinterpret_cast(req->conn->ctx->storage.entries[0].data);
 
+ auto& holders = dsc->holders;
+ if (!holders.acl->match(remote)) {
+ ++g_stats.aclDrops;
+ vinfolog("Query from %s (DoH) dropped because of ACL", remote.toStringWithPort());
+ h2o_send_error_403(req, "Forbidden", "dns query not allowed because of ACL", 0);
+ return 0;
+ }
+
 if(auto tlsversion = h2o_socket_get_ssl_protocol_version(sock)) {
 if(!strcmp(tlsversion, "TLSv1.0"))
 ++dsc->df->d_tls10queries;
@@ -600,14 +608,6 @@ static void on_accept(h2o_socket_t *listener, const char *err)
 h2o_socket_getpeername(sock, reinterpret_cast(&remote));
 // cout<<"New HTTP accept for client "<data << endl;
 
- auto& holders = dsc->holders;
- if (!holders.acl->match(remote)) {
- vinfolog("Query from %s (DoH) dropped because of ACL", remote.toStringWithPort());
- ++g_stats.aclDrops;
- h2o_socket_close(sock);
- return;
- }
-
 sock->data = dsc;
 sock->on_close.cb = on_socketclose;
 auto accept_ctx = dsc->accept_ctx->get();
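Review bot: The ACL rejection in the first hunk now runs once per request instead of once per accepted connection, so a peer outside the ACL can keep a single TLS connection open and produce a `vinfolog` line and an `aclDrops` increment for every request it sends, where the removed `on_accept` check produced one per connection; the enclosing handler starts and ends outside the hunk, so I cannot see whether anything closes the connection after the 403. A short comment at the check would record the trade-off, e.g. `// Checked per request rather than per accept so the client receives a 403 instead of a dropped connection; note this also logs and counts once per request`, and if log volume from a rejected client is a concern, counting every drop but logging only the first rejection per connection would keep the statistic exact without flooding the log. The check is also placed before the TLS-version counters below it, so rejected requests are no longer reflected in `d_tls10queries` and its siblings — worth a word in the same comment if that is intended.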