Also check if the remoteIP is one of the IPs we would have forwarded to,
authorOtto <otto.moerbeek@open-xchange.com>
Wed, 18 Aug 2021 07:24:45 +0000 (09:24 +0200)
committerOtto <otto.moerbeek@open-xchange.com>
Wed, 18 Aug 2021 07:24:45 +0000 (09:24 +0200)
even if it's coming from the cache.

pdns/syncres.cc

index 1d51487c98398500bf3973b3f7bc8d1f6ad753ba..d55436b9f4e22619e1c962c805790303b2f366a7 100644 (file)
@@ -2382,7 +2382,15 @@ bool SyncRes::throttledOrBlocked(const std::string& prefix, const ComboAddress&
       s_dontqueries++;
       return true;
     } else {
-      LOG(prefix<<qname<<": sending query to " << remoteIP.toString() << ", blocked by 'dont-query' but a forwarding/auth case" << endl);
+      // The name (from the cache) is forwarded, but is it forwarded to an IP in known forwarders?
+      const auto& ips = it->second.d_servers;
+      if (std::find(ips.cbegin(), ips.cend(), remoteIP) == ips.cend()) {
+        LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl);
+        s_dontqueries++;
+        return true;
+      } else {
+        LOG(prefix<<qname<<": sending query to " << remoteIP.toString() << ", blocked by 'dont-query' but a forwarding/auth case" << endl);
+      }
     }
   }
   return false;
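Review bot: The `std::find` over `d_servers` on the added lines depends on how `ComboAddress` equality is defined, which is not visible in this hunk; if it compares the port as well as the address, a forwarder configured on a non-default port matches only when `remoteIP` carries that same port, and otherwise a legitimate forwarder is now refused. That failure is closed (the query is blocked rather than sent), but it is worth confirming and covering with a regression test in which a cached address under a forwarded zone falls inside a `dont-query` range. The new comment could also state why the check exists, e.g. `// dont-query still applies when a cached address under a forwarded zone is not one of the configured forwarders`. The body of `throttledOrBlocked` starts outside the hunk, so where `it` is looked up and validated cannot be seen here.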