If we get an NS from the cache, it still could be one forwarding applies to.
authorOtto <otto.moerbeek@open-xchange.com>
Wed, 11 Aug 2021 11:14:37 +0000 (13:14 +0200)
committerOtto <otto.moerbeek@open-xchange.com>
Wed, 11 Aug 2021 11:14:37 +0000 (13:14 +0200)
Take that into account when determining dont-query status. Should fix #10638.

pdns/syncres.cc

index 86ee77ae5b12808e20a376f68de7af8858532ae2..1d51487c98398500bf3973b3f7bc8d1f6ad753ba 100644 (file)
@@ -2373,9 +2373,17 @@ bool SyncRes::throttledOrBlocked(const std::string& prefix, const ComboAddress&
     return true;
   }
   else if(!pierceDontQuery && s_dontQuery && s_dontQuery->match(&remoteIP)) {
-    LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl);
-    s_dontqueries++;
-    return true;
+    // We could have retrieved an NS from the cache in a forwarding domain
+    // Even in the case of !pierceDontQuery we still want to allow that NS
+    DNSName forwardCandidate(qname);
+    auto it = getBestAuthZone(&forwardCandidate);
+    if (it == t_sstorage.domainmap->end()) {
+      LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl);
+      s_dontqueries++;
+      return true;
+    } else {
+      LOG(prefix<<qname<<": sending query to " << remoteIP.toString() << ", blocked by 'dont-query' but a forwarding/auth case" << endl);
+    }
   }
   return false;
 }
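Review bot: The new exemption (the block added after the `dont-query` match) keys only on whether `qname` falls under some entry of `t_sstorage.domainmap`; it never checks that `remoteIP` is one of that entry's configured forwarders, so any cached NS address for a name under a forward or auth zone now bypasses `dont-query`, including addresses the operator blocked precisely because a stale or poisoned NS could point there. If the domain-map entry carries its server list (`it->second.d_servers`, if I read AuthDomain correctly), the exemption should additionally require `remoteIP` to appear in that list, and an entry with no servers (a pure auth zone) has no forwarder to exempt at all. The `else` branch is only reached when the query is allowed, yet its message still says "blocked by 'dont-query'", which will mislead anyone scanning logs for blocked queries; a wording such as `", would be blocked by 'dont-query' but allowed: " << forwardCandidate << " is a forward zone"` states what actually happened. The `else` itself is redundant after the `return true` and could be dropped. throttledOrBlocked's opening lines are outside the hunk.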