From 96491e6cfb1575c3b2023be841c22ccb4b7db59d Mon Sep 17 00:00:00 2001 From: Otto Moerbeek Date: Fri, 5 Jun 2020 11:51:18 +0200 Subject: [PATCH] First stab at solving the issue when gettag_ffi sets an answer but we also have an RPZ hit. --- pdns/pdns_recursor.cc | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 6d4914589a..74547a6267 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -1431,16 +1431,6 @@ static void startDoResolve(void *p) sr.setCacheOnly(); } - if (dc->d_rcode != boost::none) { - /* we have a response ready to go, most likely from gettag_ffi */ - ret = std::move(dc->d_records); - res = *dc->d_rcode; - if (res == RCode::NoError && dc->d_followCNAMERecords) { - res = followCNAMERecords(ret, QType(dc->d_mdp.d_qtype)); - } - goto haveAnswer; - } - if (t_pdl) { t_pdl->prerpz(dq, res); } @@ -1452,6 +1442,21 @@ static void startDoResolve(void *p) } } + // If we are doing RPZ and a policy was matched, it takes precedence over an answer from gettag_ffi + // So process the gettag_ffi answer only if no RPZ action was done or matched + // This might need more sophistication for the type != None && kind == NoAction case... + if (!wantsRPZ || appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction) { + if (dc->d_rcode != boost::none) { + /* we have a response ready to go, most likely from gettag_ffi */ + ret = std::move(dc->d_records); + res = *dc->d_rcode; + if (res == RCode::NoError && dc->d_followCNAMERecords) { + res = followCNAMERecords(ret, QType(dc->d_mdp.d_qtype)); + } + goto haveAnswer; + } + } + // if there is a RecursorLua active, and it 'took' the query in preResolve, we don't launch beginResolve if (!t_pdl || !t_pdl->preresolve(dq, res)) { -- 2.47.3
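Review bot: The precedence test in the added `if (!wantsRPZ || appliedPolicy.d_type == DNSFilterEngine::PolicyType::None || appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NoAction)` can only see a policy that was matched before this point, so the records moved out of `dc->d_records`, and anything `followCNAMERecords` appends, still reach `goto haveAnswer` without being compared against the policy zones in this block. Whether response-based policy triggers are applied after the `haveAnswer` label cannot be told from the hunk, because `startDoResolve` begins and ends outside it; if they are not, a gettag_ffi answer would not be subject to those policies. I would state that limit next to the existing "might need more sophistication" remark, for example `// Only a policy already matched above overrides the gettag_ffi answer; the records it supplies are not filtered here.` When a matched policy does win, the prepared answer in `dc->d_rcode`/`dc->d_records` is dropped silently, so a debug-level log line on that path would let operators see why the hook's answer was not sent.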