From: Ronan Pigott
Date: Thu, 7 Mar 2024 21:27:52 +0000 (-0700)
Subject: resolved: refuse queries with no suitable scope
X-Git-Tag: v256-rc1~584^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4f2da49fcd333dcd1542278dce5b9642dcdeb984;p=thirdparty%2Fsystemd.git

resolved: refuse queries with no suitable scope

In some cases there is no configured server to answer a given question, because all scopes refused the query. In this case we currently return rcode SERVFAIL.

In DNS it is customary for authoritative nameservers to return REFUSED where the question is outside of their authority. This is better than SERVFAIL because it informs the client that they aren't likely to get an answer out of us anytime soon, and either the configuration, or the query, need to change.

Similar logic invites us to use the rcode REFUSED on the stub if we aren't configured with any suitable scope for this question.

---
diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c index 87f7aab6e93..378d55e2302 100644 --- a/src/resolve/resolved-dns-stub.c +++ b/src/resolve/resolved-dns-stub.c @@ -837,6 +837,10 @@ static void dns_stub_query_complete(DnsQuery *query) { break; case DNS_TRANSACTION_NO_SERVERS: + /* We're not configured to give answers for this question. Refuse it. */ + (void) dns_stub_send_reply(q, DNS_RCODE_REFUSED); + break; + case DNS_TRANSACTION_INVALID_REPLY: case DNS_TRANSACTION_ERRNO: case DNS_TRANSACTION_ABORTED:
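
Review bot: The new `case DNS_TRANSACTION_NO_SERVERS:` branch sends REFUSED for every query that ends in that state, while the added comment and the commit message justify it only for the situation where all scopes declined the question. The state name suggests it may also be reached when no upstream server is configured at all, for example transiently while a link is still coming up; in that case the stub would be telling clients not to retry when a retry shortly afterwards could succeed. Please confirm which conditions lead to this state and say so in the comment, something like "reached only when every scope refused the question", or keep SERVFAIL for the transient case. Since this changes the rcode that stub clients observe from SERVFAIL to REFUSED, a test that issues a query with no suitable scope and checks the returned rcode would be worth adding with this change.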