of negatively cached records. Suggested by Simon Kirby, implemented in c1204.
</para>
</listitem>
+ <listitem>
+ <para>
+ When a forwarder server is configured for a domain, using the <command>forward-zones</command> setting, this server IP address was
+ filtered using the <command>dont-query</command> setting, which is generally not what is desired: the server to which queries are
+ forwarded will often live in private IP space, and the operator should be trusted to know what he is doing. Reported and argued by Simon
+ Kirby, fix in c1211.
+ </para>
+ </listitem>
<listitem>
<para>
remoteIPs_t::const_iterator remoteIP;
bool doTCP=false;
int resolveret;
+ bool pierceDontQuery=false;
LWResult lwr;
if(tns->empty()) {
}
else {
LOG<<prefix<<qname<<": Trying to resolve NS '"<<*tns<<"' ("<<1+tns-rnameservers.begin()<<"/"<<(unsigned int)rnameservers.size()<<")"<<endl;
+
if(!isCanonical(*tns)) {
LOG<<prefix<<qname<<": Domain has hardcoded nameserver(s)"<<endl;
pair<string,string> ipport=splitField(*tns, ':');
ComboAddress addr(ipport.first, ipport.second.empty() ? 53 : lexical_cast<uint16_t>(ipport.second));
-
+
remoteIPs.push_back(addr);
+ pierceDontQuery=true;
}
- else
+ else {
remoteIPs=getAs(*tns, depth+1, beenthere);
+ pierceDontQuery=false;
+ }
if(remoteIPs.empty()) {
LOG<<prefix<<qname<<": Failed to get IP for NS "<<*tns<<", trying next if available"<<endl;
s_throttledqueries++; d_throttledqueries++;
continue;
}
- else if(g_dontQuery && g_dontQuery->match(&*remoteIP)) {
+ else if(!pierceDontQuery && g_dontQuery && g_dontQuery->match(&*remoteIP)) {
LOG<<prefix<<qname<<": not sending query to " << remoteIP->toString() << ", blocked by 'dont-query' setting" << endl;
continue;
}
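Review bot: The `!pierceDontQuery` exemption in the `else if` at the end of this hunk rests entirely on `!isCanonical(*tns)` in the earlier hunk meaning "address taken from `forward-zones`", and nothing in the new code says so or records when the filter is skipped. I would add a comment where the flag is set, `// forward-zones address: operator-configured, exempt from dont-query; addresses from getAs() stay filtered`. It is also worth confirming that a non-canonical entry can only reach `rnameservers` from configuration, since otherwise a private address from another source would bypass `dont-query` too. Declaring `pierceDontQuery` inside the loop body next to its assignment, rather than beside `lwr`, would make it obvious that it is reset for every nameserver. The enclosing function starts and ends outside the visible hunks.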