plugin/acl : add support for Extended DNS Errors (#5532)

* plugin/acl : add support for Extended DNS Errors

Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>

* fixup! plugin/acl : add support for Extended DNS Errors

Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>

1 files changed, 10 insertions, 4 deletions

diff --git a/plugin/acl/acl.go b/plugin/acl/acl.go
index 95a5c65eb..017a8ac6b 100644
--- a/plugin/acl/acl.go
+++ b/plugin/acl/acl.go
@@ -69,8 +69,11 @@ RulesCheckLoop:
 		switch action {
 		case actionBlock:
 			{
-				m := new(dns.Msg)
-				m.SetRcode(r, dns.RcodeRefused)
+				m := new(dns.Msg).
+					SetRcode(r, dns.RcodeRefused).
+					SetEdns0(4096, true)
+				ede := dns.EDNS0_EDE{InfoCode: dns.ExtendedErrorCodeBlocked}
+				m.IsEdns0().Option = append(m.IsEdns0().Option, &ede)
 				w.WriteMsg(m)
 				RequestBlockCount.WithLabelValues(metrics.WithServer(ctx), zone).Inc()
 				return dns.RcodeSuccess, nil
@@ -81,8 +84,11 @@ RulesCheckLoop:
 			}
 		case actionFilter:
 			{
-				m := new(dns.Msg)
-				m.SetRcode(r, dns.RcodeSuccess)
+				m := new(dns.Msg).
+					SetRcode(r, dns.RcodeSuccess).
+					SetEdns0(4096, true)
+				ede := dns.EDNS0_EDE{InfoCode: dns.ExtendedErrorCodeFiltered}
+				m.IsEdns0().Option = append(m.IsEdns0().Option, &ede)
 				w.WriteMsg(m)
 				RequestFilterCount.WithLabelValues(metrics.WithServer(ctx), zone).Inc()
 				return dns.RcodeSuccess, nil