From: Pieter Lexis Date: Mon, 20 Sep 2021 09:19:38 +0000 (+0200) Subject: COOKIE: Only send BADCOOKIE over UDP X-Git-Tag: dnsdist-1.7.0-alpha1~3^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=71e1eed5be03d120d38712a7fa7f60c58e130fe5;p=thirdparty%2Fpdns.git COOKIE: Only send BADCOOKIE over UDP --- diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 8dd451153f..87f398ae42 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -1304,7 +1304,7 @@ std::unique_ptr PacketHandler::doQuestion(DNSPacket& p) r->setRcode(RCode::FormErr); return r; } - if (!p.hasValidEDNSCookie()) { + if (!p.hasValidEDNSCookie() && !p.d_tcp) { r = p.replyPacket(); r->setEDNSRcode(ERCode::BADCOOKIE); return r; diff --git a/regression-tests.auth-py/test_Cookies.py b/regression-tests.auth-py/test_Cookies.py index 0eec8d954e..ba67da8978 100644 --- a/regression-tests.auth-py/test_Cookies.py +++ b/regression-tests.auth-py/test_Cookies.py @@ -78,6 +78,17 @@ www.example.org. 3600 IN A 192.0.2.5 self.assertTrue(any([opt.otype == dns.edns.COOKIE for opt in res.options])) + def testOnlyClientCookieTCP(self): + opts = [ + dns.edns.GenericOption(dns.edns.COOKIE, + b'\x22\x11\x33\x44\x55\x66\x77\x88')] + query = dns.message.make_query('www.example.org', 'A', options=opts) + res = self.sendTCPQuery(query) + self.assertRcodeEqual(res, dns.rcode.NOERROR) + self.assertTrue(any(opt.otype == dns.edns.COOKIE for + opt in res.options)) + + def testCorrectCookie(self): opts = [self.getCookieFromServer()] query = dns.message.make_query('www.example.org', 'A', options=opts)
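Review bot: The added `!p.d_tcp` condition carries no comment saying why TCP is exempt, so a later reader could take it for a gap in cookie enforcement and remove it or widen it. The exemption is sound: DNS cookies exist to reject spoofed-source UDP queries, and a completed TCP handshake already shows the client can receive traffic at its address, an allowance RFC 7873 makes as well. I would put `// TCP already validates the client address; BADCOOKIE only helps against spoofed UDP sources` directly above the `if`. It is also worth confirming that `d_tcp` is set only for queries that really arrived over a stream transport, since this check is now skipped wherever it is true; that cannot be verified from this hunk. The body of doQuestion starts and ends outside the hunk.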
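Review bot: testOnlyClientCookieTCP asserts only that some COOKIE option is present in the reply, so it would still pass if the server echoed the 8-byte client cookie without appending a server cookie. The reason for answering over TCP is to give the client a usable server cookie, so the test should inspect the option itself, for example `cookie = [o for o in res.options if o.otype == dns.edns.COOKIE][0]` followed by `self.assertGreater(len(cookie.data), 8)` (assuming the reply option exposes its bytes as `data`, as GenericOption does). The C++ change presumably also alters the result for a TCP query carrying a client cookie plus an incorrect server cookie, and nothing in this hunk covers that case. A second test that sends such a cookie over TCP and expects NOERROR would pin that behaviour.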