author | 2018-03-25 17:11:10 +0100 | |
---|---|---|
committer | 2018-03-25 17:11:10 +0100 | |
commit | 5616fcb175865f2d8ede0460e2537c3b584debad (patch) | |
tree | d468f2bd8d9d64fffd9a2b659f18e767ec817832 /plugin/proxy/proxy.go | |
parent | 91413c25e12abdcdfcc3be9b1177251da905e882 (diff) | |
Fix dns-01-003 (#1634)
* plugin/{cache,forward,proxy}: don't allow responses that are bogus
Responses that are not matching what we've been querying for should be
dropped. They are converted into FormErrs by forward and proxy; as a 2nd
backstop cache will also not cache these.
* plug
* add explicit test
Diffstat (limited to 'plugin/proxy/proxy.go')
-rw-r--r-- | plugin/proxy/proxy.go | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/plugin/proxy/proxy.go b/plugin/proxy/proxy.go index a5df0b95c..af61f424f 100644 --- a/plugin/proxy/proxy.go +++ b/plugin/proxy/proxy.go @@ -100,6 +100,14 @@ func (p Proxy) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) ( taperr := toDnstap(ctx, host.Name, upstream.Exchanger(), state, reply, start) if backendErr == nil { + + // Check if the reply is correct; if not return FormErr. + if !state.Match(reply) { + formerr := state.ErrorMessage(dns.RcodeFormatError) + w.WriteMsg(formerr) + return 0, taperr + } + w.WriteMsg(reply) RequestDuration.WithLabelValues(state.Proto(), upstream.Exchanger().Protocol(), familyToString(state.Family()), host.Name).Observe(time.Since(start).Seconds()) |
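Review bot: The new mismatch branch inside `if backendErr == nil` returns before the `RequestDuration` observation and emits no log line or counter, so a reply rejected by `state.Match` leaves no server-side trace. A reply that does not match the query presumably indicates a spoofed, misrouted or broken upstream answer, which operators would want to detect. Consider incrementing a dedicated counter labelled with `host.Name` before `return 0, taperr`, and extending the comment to something like `// Reply does not match the query we sent upstream: answer FormErr and record the mismatch for this upstream.` The error from `w.WriteMsg(formerr)` is discarded, as it already is for `w.WriteMsg(reply)`. ServeDNS begins and ends outside the hunk, so it is not visible here whether another upstream could be tried instead of answering the client immediately.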