From: Bert Hubert
Date: Fri, 20 Jun 2008 19:45:08 +0000 (+0000)
Subject: make sure forward-zones pierces dont-query
X-Git-Tag: rec-3.1.7.1~30
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c21f389006168b5e6f2e98723874ca77992d597;p=thirdparty%2Fpdns.git
make sure forward-zones pierces dont-query
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1211 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
diff --git a/pdns/docs/pdns.sgml b/pdns/docs/pdns.sgml
index de3bf5509c..bdef81573a 100644
--- a/pdns/docs/pdns.sgml
+++ b/pdns/docs/pdns.sgml
@@ -144,6 +144,14 @@ of negatively cached records. Suggested by Simon Kirby, implemented in c1204. + + + When a forwarder server is configured for a domain, using the forward-zones setting, this server IP address was + filtered using the dont-query setting, which is generally not what is desired: the server to which queries are + forwarded will often live in private IP space, and the operator should be trusted to know what he is doing. Reported and argued by Simon + Kirby, fix in c1211. + +
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 71415c78b5..9647e9f77e 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -624,6 +624,7 @@ int SyncRes::doResolveAt(set nameservers, string auth,
 remoteIPs_t::const_iterator remoteIP;
 bool doTCP=false;
 int resolveret;
+ bool pierceDontQuery=false;
 LWResult lwr;
 if(tns->empty()) {
@@ -634,16 +635,20 @@ int SyncRes::doResolveAt(set nameservers, string auth,
 } else { LOG< ipport=splitField(*tns, ':');
 ComboAddress addr(ipport.first, ipport.second.empty() ? 53 : lexical_cast(ipport.second));
-
+ remoteIPs.push_back(addr);
+ pierceDontQuery=true;
 }
- else
+ else {
 remoteIPs=getAs(*tns, depth+1, beenthere);
+ pierceDontQuery=false;
+ }
 if(remoteIPs.empty()) {
 LOG< nameservers, string auth,
 s_throttledqueries++;
 d_throttledqueries++;
 continue;
 }
- else if(g_dontQuery && g_dontQuery->match(&*remoteIP)) {
+ else if(!pierceDontQuery && g_dontQuery && g_dontQuery->match(&*remoteIP)) {
 LOG<toString() << ", blocked by 'dont-query' setting" << endl;
 continue;
 }
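Review bot: Once `pierceDontQuery=true;` is set in the literal-address branch, a forwarder address that the operator also listed in dont-query is queried with no trace in the log, because the only "blocked by 'dont-query' setting" LOG line sits in the later branch that the new flag now skips. `addr` and `g_dontQuery` are both in scope here, so one line after `remoteIPs.push_back(addr);` keeps the bypass visible to whoever reads the trace: `if(g_dontQuery && g_dontQuery->match(&addr)) LOG<<"forward-zones target "<<addr.toString()<<" matches 'dont-query', querying anyway"<<endl;` (match() is called with a pointer at `&*remoteIP` below, so `&addr` should fit). If the `bool pierceDontQuery=false;` declaration from the earlier hunk lives inside the per-nameserver loop, the explicit `pierceDontQuery=false;` in the else branch is redundant, though harmless. The enclosing doResolveAt starts and ends outside this hunk.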
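Review bot: The new `!pierceDontQuery &&` term in the else-if is the whole point of the commit, but nothing at the condition says why a delegation-learned address and a forward-zones address are treated differently, so a later reader seeing dont-query skipped for a private-range target will read it as a bug. A short comment above the condition would fix that, e.g. `// forward-zones targets are operator-configured (often private IP space) and exempt from dont-query; addresses learned via getAs() stay filtered`. The exemption is keyed on how the address was obtained — the literal-address branch sets the flag and the getAs() path clears it — which is the scope the pdns.sgml text describes. The hunk header for this hunk is mangled in this rendering, and doResolveAt starts and ends outside it.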