From: Karel Bilek Date: Mon, 25 Mar 2024 13:21:01 +0000 (+0100) Subject: Do shuffle TCP responses except *XFRs X-Git-Tag: rec-5.1.0-alpha1~61^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ca9d9b9583b5673e28b9bd9c9dbd2174096758e6;p=thirdparty%2Fpdns.git Do shuffle TCP responses except *XFRs Fixes #13003
---
diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc
index a69d9f1edb..63a98041ea 100644
--- a/pdns/dnspacket.cc
+++ b/pdns/dnspacket.cc
@@ -279,7 +279,7 @@ void DNSPacket::wrapup(bool throwsOnTruncation)
 });
 static bool mustNotShuffle = ::arg().mustDo("no-shuffle");
- if(!d_tcp && !mustNotShuffle) {
+ if(!d_xfr && !mustNotShuffle) {
 pdns::shuffle(d_rrs);
 }
 d_wrapped=true;
@@ -453,6 +453,7 @@ std::unique_ptr DNSPacket::replyPacket() const
 r->d_haveednscookie = d_haveednscookie;
 r->d_ednsversion = 0;
 r->d_ednsrcode = 0;
+ r->d_xfr = d_xfr;
 if(d_tsigkeyname.countLabels()) {
 r->d_tsigkeyname = d_tsigkeyname;
diff --git a/pdns/dnspacket.hh b/pdns/dnspacket.hh
index 60e3268a9e..446af60f46 100644
--- a/pdns/dnspacket.hh
+++ b/pdns/dnspacket.hh
@@ -157,7 +157,8 @@ public:
 uint16_t qclass{QClass::IN}; //!< class of the question - should always be INternet 2
 QType qtype; //!< type of the question 2
- bool d_tcp{false};
+ bool d_tcp{false}; // whether DNS packet is using TCP (false when UDP)
+ bool d_xfr{false}; // whether DNS packet is a zone transfer, either AXFR or IXFR
 bool d_dnssecOk{false};
 bool d_havetsig{false};
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index b84a6b9b4b..e290571458 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -367,11 +367,13 @@ void TCPNameserver::doConnection(int fd)
 S.inc("tcp-cookie-queries");
 if(packet->qtype.getCode()==QType::AXFR) {
+ packet->d_xfr=true;
 doAXFR(packet->qdomain, packet, fd);
 continue;
 }
 if(packet->qtype.getCode()==QType::IXFR) {
+ packet->d_xfr=true;
 doIXFR(packet, fd);
 continue;
 }
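Review bot: In the `wrapup()` hunk of pdns/dnspacket.cc the guard `if(!d_xfr && !mustNotShuffle)` now fails open: `d_xfr` defaults to `false` in dnspacket.hh and is only set in the two `doConnection` branches in pdns/tcpreceiver.cc and copied in `replyPacket()`, so a transfer response built on any path that bypasses those lines would have its records shuffled, whereas the old `!d_tcp` test covered every TCP response. Record order is significant in a zone transfer, so I would state the invariant at the guard, e.g. `// d_xfr must be set on every AXFR/IXFR response before wrapup(); transfer record order is significant`, and confirm that every packet doAXFR/doIXFR emits is derived via `replyPacket()`, which this diff does not show. A regression test asserting that an AXFR over TCP keeps its record order with shuffling enabled would pin this down. `wrapup()` starts and ends outside the hunk.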
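Review bot: The two new member comments in pdns/dnspacket.hh use plain `//`, while the neighbouring members in the same hunk are documented with `//!<`, so these descriptions would probably not be picked up as member documentation. I would write them as `bool d_tcp{false}; //!< whether DNS packet is using TCP (false when UDP)` and `bool d_xfr{false}; //!< zone transfer (AXFR or IXFR); suppresses shuffling in wrapup()`. Stating what `d_xfr` controls matters because the hunk header places it under `public:`, so callers are expected to set it themselves.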