From 24ff0d5034efb38038b3253ba36691c79ffcbea1 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 22 Jun 2020 15:09:13 +0200
Subject: [PATCH] rec: Better exception handling in handlePolicyHit()

An ImmediateServFailException being raised during the call to
SyncRes::beginResolve() from handleRPZCustom() could lead to
the resolution process to stop without any response being sent:

Any other exception in a resolver context (www.example.net/A from 127.0.0.1:4242)

This commit turns into a ServFail answer instead.
---
 pdns/pdns_recursor.cc | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index a13434dcfc..a644bc57ef 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1237,7 +1237,23 @@ static PolicyResult handlePolicyHit(const DNSFilterEngine::Policy& appliedPolicy
       auto spoofed = appliedPolicy.getCustomRecords(dc->d_mdp.d_qname, dc->d_mdp.d_qtype);
       for (auto& dr : spoofed) {
         ret.push_back(dr);
-        handleRPZCustom(dr, QType(dc->d_mdp.d_qtype), sr, res, ret);
+        try {
+          handleRPZCustom(dr, QType(dc->d_mdp.d_qtype), sr, res, ret);
+        }
+        catch (const ImmediateServFailException& e) {
+          if (g_logCommonErrors) {
+            g_log << Logger::Notice << "Sending SERVFAIL to " << dc->getRemote() << " during resolve of the custom filter policy '" << appliedPolicy.getName() << "' while resolving '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
+          }
+          res = RCode::ServFail;
+          break;
+        }
+        catch (const PolicyHitException& e) {
+          if (g_logCommonErrors) {
+            g_log << Logger::Notice << "Sending SERVFAIL to " << dc->getRemote() << " during resolve of the custom filter policy '" << appliedPolicy.getName() << "' while resolving '"<<dc->d_mdp.d_qname<<"' because another RPZ policy was hit"<<endl;
+          }
+          res = RCode::ServFail;
+          break;
+        }
       }
     }
     return PolicyResult::HaveAnswer;
-- 
2.47.2