dnsdist: Drop incoming TC=1 queries 17496/head
authorRemi Gacogne <remi.gacogne@powerdns.com>
Tue, 2 Jun 2026 09:16:48 +0000 (11:16 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Tue, 2 Jun 2026 09:16:48 +0000 (11:16 +0200)
Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
pdns/dnsdistdist/dnsdist.cc
pdns/dnsdistdist/docs/upgrade_guide.rst
regression-tests.dnsdist/test_Basics.py
regression-tests.dnsdist/test_Lua.py

index 5119d69a54504944100539b035f13f7a7f3381b8..560220f9b6a9451ab9beec18176f9f42fc9a0521 100644 (file)
@@ -1380,6 +1380,12 @@ bool checkQueryHeaders(const struct dnsheader& dnsHeader, ClientState& clientSta
     return false;
   }
 
+  if (dnsHeader.tc != 0) { // don't respond to truncated queries
+    ++dnsdist::metrics::g_stats.nonCompliantQueries;
+    ++clientState.nonCompliantQueries;
+    return false;
+  }
+
   if (dnsHeader.qdcount == 0) {
     ++dnsdist::metrics::g_stats.emptyQueries;
     if (dnsdist::configuration::getCurrentRuntimeConfiguration().d_dropEmptyQueries) {
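Review bot: The new TC check drops unconditionally, whereas the empty-query check directly below it is gated on `d_dropEmptyQueries`. Because it sits in checkQueryHeaders, presumably ahead of rule evaluation, operators get no way to log, rate-limit or exempt these queries. It also increments the generic `nonCompliantQueries` counters, which other checks may share, so a burst of TC=1 queries could not be told apart from other non-compliant traffic without a dedicated counter. The inline comment could state the reason rather than the action, e.g. `// TC is a response-side flag; a query carrying it is malformed, so drop it before any rule runs`. The body of checkQueryHeaders starts and ends outside the hunk.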
index f0045655e8a2636cf6358c1bbe9479de212cfee5..8db50b1703b3d212df6c595bdf3d924ccff87b32 100644 (file)
@@ -1,6 +1,11 @@
 Upgrade Guide
 =============
 
+2.1.x to 2.2.0
+--------------
+
+Queries received from clients that have the truncated bit (TC) set are now dropped.
+
 2.1.0-beta2 to 2.1.0
 --------------------
 
index 4e3bcfd5554a69cf9f40e9a3346acc6c04f69e78..49f18f4017276e55c6b12fc4094e43028e6ebb21 100644 (file)
@@ -34,6 +34,30 @@ class TestBasics(DNSDistTest):
                 (_, receivedResponse) = sender(query, response=None, useQueue=False)
                 self.assertEqual(receivedResponse, None)
 
+    def testQRDropped(self):
+        """
+        Basics: Dropped QR=1 query
+        """
+        name = "qr-set.test.powerdns.com."
+        query = dns.message.make_query(name, "A", "IN")
+        query.flags |= dns.flags.QR
+        for method in ("sendUDPQuery", "sendTCPQuery"):
+            sender = getattr(self, method)
+            (_, receivedResponse) = sender(query, response=None, useQueue=False)
+            self.assertEqual(receivedResponse, None)
+
+    def testTCDropped(self):
+        """
+        Basics: Dropped TC=1 query
+        """
+        name = "tc-set.test.powerdns.com."
+        query = dns.message.make_query(name, "A", "IN")
+        query.flags |= dns.flags.TC
+        for method in ("sendUDPQuery", "sendTCPQuery"):
+            sender = getattr(self, method)
+            (_, receivedResponse) = sender(query, response=None, useQueue=False)
+            self.assertEqual(receivedResponse, None)
+
     def testAWithECS(self):
         """
         Basics: A query with an ECS value
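Review bot: testQRDropped and testTCDropped assert only that no response arrives, so they would also pass if the query were lost or dropped for an unrelated reason. Since the C++ change increments `nonCompliantQueries` on this path, the tests could read that counter before and after the loop and assert that it grew by one per query sent; the harness call for reading it is not visible in this hunk. The two bodies differ only in the name and the flag, so a shared helper taking the flag would remove the duplication. The TestBasics class continues outside the hunk.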
index f497d9c5a844af9a3bb170db1a3907183b103a92..17c1301da581a5b3c7c802b13252f2d1e4d471a1 100644 (file)
@@ -47,28 +47,28 @@ class TestLuaDNSHeaderBindings(DNSDistTest):
     _config_template = """
     newServer{address="127.0.0.1:%d"}
 
-    function checkTCSet(dq)
-      local tc = dq:getHeader():getTC()
-      if not tc then
-        return DNSAction.Spoof, 'tc-not-set.check-tc.lua-dnsheaders.tests.powerdns.com.'
+    function checkCDSet(dq)
+      local checkDisabled = dq:getHeader():getCD()
+      if not checkDisabled then
+        return DNSAction.Spoof, 'cd-not-set.check-cd.lua-dnsheaders.tests.powerdns.com.'
       end
       return DNSAction.Allow
     end
 
-    addAction('check-tc.lua-dnsheaders.tests.powerdns.com.', LuaAction(checkTCSet))
+    addAction('check-cd.lua-dnsheaders.tests.powerdns.com.', LuaAction(checkCDSet))
     """
 
-    def testLuaGetTC(self):
+    def testLuaGetCD(self):
         """
-        LuaDNSHeaders: TC
+        LuaDNSHeaders: CD
         """
-        name = "notset.check-tc.lua-dnsheaders.tests.powerdns.com."
+        name = "notset.check-cd.lua-dnsheaders.tests.powerdns.com."
         query = dns.message.make_query(name, "A", "IN")
         # dnsdist set RA = RD for spoofed responses
         query.flags &= ~dns.flags.RD
         response = dns.message.make_response(query)
         rrset = dns.rrset.from_text(
-            name, 60, dns.rdataclass.IN, dns.rdatatype.CNAME, "tc-not-set.check-tc.lua-dnsheaders.tests.powerdns.com."
+            name, 60, dns.rdataclass.IN, dns.rdatatype.CNAME, "cd-not-set.check-cd.lua-dnsheaders.tests.powerdns.com."
         )
         response.answer.append(rrset)
         for method in ("sendUDPQuery", "sendTCPQuery"):
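Review bot: Switching this test from TC to CD leaves `dq:getHeader():getTC()` without coverage, as far as this file section shows. The not-set branch of the removed `checkTCSet` is still reachable, so a small case asserting that getTC() is false for an ordinary query would keep the binding exercised. If a set TC bit can no longer reach the rules, a Lua comment in `_config_template` would explain the gap, e.g. `-- TC=1 queries are dropped before rules run, so only getTC() == false can be observed`. The test method continues into the next hunk.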
@@ -76,12 +76,13 @@ class TestLuaDNSHeaderBindings(DNSDistTest):
             (_, receivedResponse) = sender(query, response=None, useQueue=False)
             self.assertEqual(response, receivedResponse)
 
-        name = "set.check-tc.lua-dnsheaders.tests.powerdns.com."
+        name = "set.check-cd.lua-dnsheaders.tests.powerdns.com."
         query = dns.message.make_query(name, "A", "IN")
         response = dns.message.make_response(query)
         rrset = dns.rrset.from_text(name, 60, dns.rdataclass.IN, dns.rdatatype.A, "127.0.0.1")
         response.answer.append(rrset)
-        query.flags |= dns.flags.TC
+        query.flags |= dns.flags.CD
+        response.flags |= dns.flags.CD
         for method in ("sendUDPQuery", "sendTCPQuery"):
             sender = getattr(self, method)
             (receivedQuery, receivedResponse) = sender(query, response)