From: Artem Boldariev Date: Tue, 17 Dec 2024 14:24:29 +0000 (+0200) Subject: BIND - enable TLS SNI support for outgoing TLS connections X-Git-Tag: v9.21.4~12^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=740292d3ec6b9cc0906756067c35750903057bfb;p=thirdparty%2Fbind9.git BIND - enable TLS SNI support for outgoing TLS connections This commit ensures that BIND enables TLS SNI support for outgoing DoT connections (when possible) in order to improve compatibility with other DNS server software. --- diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index 74080270acc..5484caffc94 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -2005,10 +2005,16 @@ tcp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) { "connecting from %s to %s, timeout %u", localbuf, peerbuf, resp->timeout); + char *hostname = NULL; + if (resp->transport != NULL) { + hostname = dns_transport_get_remote_hostname( + resp->transport); + } + isc_nm_streamdnsconnect(disp->mgr->nm, &disp->local, &disp->peer, tcp_connected, disp, - resp->timeout, tlsctx, NULL, sess_cache, - ISC_NM_PROXY_NONE, NULL); + resp->timeout, tlsctx, hostname, + sess_cache, ISC_NM_PROXY_NONE, NULL); break; case DNS_DISPATCHSTATE_CONNECTING:
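Review bot: The new `hostname` is forwarded to isc_nm_streamdnsconnect() exactly as dns_transport_get_remote_hostname() returns it, and nothing in this hunk shows whether it is a DNS name rather than an IP literal, or whether `tlsctx` is non-NULL for this transport. SNI travels in cleartext in the ClientHello and RFC 6066 does not permit address literals in it, so the filtering implied by "when possible" in the commit message presumably lives in the callee; I would state that at the call site, e.g. `/* SNI hint only; the callee is expected to skip it for IP literals and when tlsctx is NULL */`. The pointer is also borrowed from `resp->transport` while the connect completes asynchronously, so the callee should copy the string if it needs it after this call returns; confirm that against isc_nm_streamdnsconnect(). tcp_dispatch_connect() starts and ends outside the hunk.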