If we get an NS from the cache, it still could be one forwarding applies to.
authorOtto <otto.moerbeek@open-xchange.com>
Wed, 11 Aug 2021 11:14:37 +0000 (13:14 +0200)
committerOtto <otto.moerbeek@open-xchange.com>
Wed, 11 Aug 2021 11:25:13 +0000 (13:25 +0200)
Take that into account when determining dont-query status. Should fix #10638.

(cherry picked from commit c03df9bb6f8cd71a67ef9505fcafa27d514a68ad)

pdns/syncres.cc

index 0761de6d803976231cf4d21d10af2284f226fe0b..1d8bdaa117b2ca8c8559837e6d679120986b43a1 100644 (file)
@@ -2300,9 +2300,17 @@ bool SyncRes::throttledOrBlocked(const std::string& prefix, const ComboAddress&
     return true;
   }
   else if(!pierceDontQuery && s_dontQuery && s_dontQuery->match(&remoteIP)) {
-    LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl);
-    s_dontqueries++;
-    return true;
+    // We could have retrieved an NS from the cache in a forwarding domain
+    // Even in the case of !pierceDontQuery we still want to allow that NS
+    DNSName forwardCandidate(qname);
+    auto it = getBestAuthZone(&forwardCandidate);
+    if (it == t_sstorage.domainmap->end()) {
+      LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl);
+      s_dontqueries++;
+      return true;
+    } else {
+      LOG(prefix<<qname<<": sending query to " << remoteIP.toString() << ", blocked by 'dont-query' but a forwarding/auth case" << endl);
+    }
   }
   return false;
 }
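Review bot: The new `else` branch lifts the 'dont-query' block for every name that falls under an entry in `t_sstorage.domainmap`, but it never checks that `remoteIP` is one of the addresses configured for that zone. A cached NS/address record inside a forwarded zone that points at a dont-query range (loopback, RFC 1918, etc.) would therefore be queried, which weakens the setting's role as a guard against sending queries to internal addresses. The exemption should apply only when `remoteIP` is in the matched zone's configured server list (`it->second.d_servers`, assuming that is the field holding the forwarders). With that check an auth-only zone, which has no forwarders, stays blocked. The body of `throttledOrBlocked` starts outside this hunk, so the earlier throttle branches are not reviewed here.

```cpp
    auto it = getBestAuthZone(&forwardCandidate);
    // … unchanged: the domainmap->end() case logs, bumps s_dontqueries and returns true …
    } else {
      // Only an address explicitly configured as a forwarder for this zone may bypass dont-query
      const auto& servers = it->second.d_servers;
      if (std::find(servers.cbegin(), servers.cend(), remoteIP) == servers.cend()) {
        LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl);
        s_dontqueries++;
        return true;
      }
      LOG(prefix<<qname<<": sending query to " << remoteIP.toString() << ", blocked by 'dont-query' but a forwarding/auth case" << endl);
    }
```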