From: Matthijs Mekking Date: Mon, 8 Mar 2021 16:12:25 +0000 (+0100) Subject: Add EDE to query messages X-Git-Tag: v9.17.21~28^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ca7f2fd90373a3198fc4d78e1c946c9441313755;p=thirdparty%2Fbind9.git Add EDE to query messages Add extended DNS error on refused queries. All instances are related to unauthorized clients, so set extended DNS error code 18 (Prohibited). --- diff --git a/lib/ns/client.c b/lib/ns/client.c index a35f06a1312..0825fc3e30d 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c @@ -2051,6 +2051,7 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult, NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1), "no matching view in class '%s'", classname); ns_client_dumpmessage(client, "no matching view in class"); + ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL); ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_REFUSED); return; } @@ -2580,6 +2581,7 @@ allow: return (ISC_R_SUCCESS); deny: + ns_client_extendederror(client, DNS_EDE_PROHIBITED, NULL); return (DNS_R_REFUSED); } diff --git a/lib/ns/query.c b/lib/ns/query.c index 7470def2c4f..bf95b49f5a7 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -863,7 +863,7 @@ query_checkcacheaccess(ns_client_t *client, const dns_name_t *name, /* * The view's cache ACLs have not yet been evaluated. * Do it now. Both allow-query-cache and - * allow-query-cache-on must be satsified. + * allow-query-cache-on must be satisfied. */ bool log = ((options & DNS_GETDB_NOLOG) == 0); char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; @@ -890,19 +890,24 @@ query_checkcacheaccess(ns_client_t *client, const dns_name_t *name, ISC_LOG_DEBUG(3), "%s approved", msg); } - } else if (log) { + } else { /* * We were denied by the "allow-query-cache" ACL. * There is no need to clear NS_QUERYATTR_CACHEACLOK * since it is cleared by query_reset(), before query * processing starts. */ - ns_client_aclmsg("query (cache)", name, qtype, - client->view->rdclass, msg, - sizeof(msg)); - ns_client_log(client, DNS_LOGCATEGORY_SECURITY, - NS_LOGMODULE_QUERY, ISC_LOG_INFO, - "%s denied", msg); + ns_client_extendederror(client, DNS_EDE_PROHIBITED, + NULL); + + if (log) { + ns_client_aclmsg("query (cache)", name, qtype, + client->view->rdclass, msg, + sizeof(msg)); + ns_client_log(client, DNS_LOGCATEGORY_SECURITY, + NS_LOGMODULE_QUERY, ISC_LOG_INFO, + "%s denied", msg); + } } /* @@ -1029,6 +1034,8 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name, ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_QUERY, ISC_LOG_INFO, "%s denied", msg); + ns_client_extendederror(client, DNS_EDE_PROHIBITED, + NULL); } } @@ -1057,6 +1064,10 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name, result = ns_client_checkaclsilent(client, &client->destaddr, queryonacl, true); + if (result != ISC_R_SUCCESS) { + ns_client_extendederror(client, DNS_EDE_PROHIBITED, + NULL); + } if ((options & DNS_GETDB_NOLOG) == 0 && result != ISC_R_SUCCESS) { ns_client_log(client, DNS_LOGCATEGORY_SECURITY,