From: Remi Gacogne
Date: Tue, 31 Mar 2026 10:16:37 +0000 (+0200)
Subject: Merge pull request #17068 from rgacogne/ddist-YWH-PGM6095-87
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbd806ba1258aa386f703b4eefd2debeb8edf1a3;p=thirdparty%2Fpdns.git
Merge pull request #17068 from rgacogne/ddist-YWH-PGM6095-87
dnsdist: Fix DoH ACL bypass when early ACL check is disabled
--- cbd806ba1258aa386f703b4eefd2debeb8edf1a3
diff --cc regression-tests.dnsdist/test_DOH.py
index b54bccc777,665eabf12a..9c265e62bb
--- a/regression-tests.dnsdist/test_DOH.py
+++ b/regression-tests.dnsdist/test_DOH.py
@@@ -1744,12 -1578,65 +1744,66 @@@ class DOHForwardedForNoTrusted(object)
self.assertTrue(dropped)
+ class TestDOHForwardedForNoTrustedNGHTTP2(DOHForwardedForNoTrusted, DNSDistDOHTest):
- _dohLibrary = 'nghttp2'
+ _dohLibrary = "nghttp2"
+
+ class DOHDelayedACL(DNSDistDOHTest):
+
+ _serverKey = 'server.key'
+ _serverCert = 'server.chain'
+ _serverName = 'tls.tests.dnsdist.org'
+ _caCert = 'ca.pem'
+ _dohServerPort = pickAvailablePort()
+ _dohBaseURL = ("https://%s:%d/" % (_serverName, _dohServerPort))
+ _dohLibrary = 'nghttp2'
+ _yaml_config_template = """
+ acl:
+ - "192.0.2.1/32"
+ backends:
+ - address: "127.0.0.1:%d"
+ protocol: "Do53"
+ binds:
+ - listen_address: "127.0.0.1:%d"
+ reuseport: true
+ protocol: "DoH"
+ tls:
+ certificates:
+ - certificate: "%s"
+ key: "%s"
+ doh:
+ provider: "%s"
+ paths:
+ - "/"
+ early_acl_drop: false
+ """
+ _yaml_config_params = ['_testServerPort', '_dohServerPort', '_serverCert', '_serverKey', '_dohLibrary']
+ _config_params = []
+ _verboseMode = True
+
+ def testDOHDelayedACL(self):
+ """
+ DOH: Delayed ACL check
+ """
+ name = 'delayed-acl-drop.doh.tests.powerdns.com.'
+ query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
+ query.id = 0
+ expectedQuery = dns.message.make_query(name, 'A', 'IN', use_edns=True, payload=4096)
+ expectedQuery.id = 0
+ response = dns.message.make_response(query)
+ rrset = dns.rrset.from_text(name,
+ 3600,
+ dns.rdataclass.IN,
+ dns.rdatatype.A,
+ '127.0.0.1')
+ response.answer.append(rrset)
+
+ (receivedQuery, receivedResponse) = self.sendDOHQuery(self._dohServerPort, self._serverName, self._dohBaseURL, query, response=response, caFile=self._caCert, useQueue=False, rawResponse=True)
+ self.assertEqual(self._rcode, 403)
+ self.assertEqual(receivedResponse, b'DoH query not allowed because of ACL')
+
class DOHFrontendLimits(object):
- # this test suite uses a different responder port
# because it uses a different health check configuration
_testServerPort = pickAvailablePort()
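Review bot: testDOHDelayedACL pins only the deny side of the fix: it asserts the 403 status and its body, but never checks that the query did not reach the backend, which is the actual consequence of the ACL bypass this commit closes; the call passes `useQueue=False` and the returned `receivedQuery` is discarded rather than asserted, so a regression that answers 403 to the client yet still forwards the query upstream would pass. If the helper allows it, drain the responder queue with a short timeout and assert it is empty, or at minimum add `self.assertIsNone(receivedQuery)` after the `sendDOHQuery` call (hedged: whether the helper returns None for the query under `useQueue=False` is not visible here). A sibling case with an ACL that includes 127.0.0.1 under the same `early_acl_drop: false` bind, asserting a 200 and the expected answer, would also catch a fix that starts rejecting every DoH client. `expectedQuery` is built and never used in this test; drop it, or keep it for the allow-path comparison. `class DOHFrontendLimits` continues outside the hunk.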