plugin/rewrite: Write failures with ResponseReverter (#5150)

* write failures with ResponseReverter instead of letting server write them

Signed-off-by: Chris O'Haver <cohaver@infoblox.com>

* fix comment

Signed-off-by: Chris O'Haver <cohaver@infoblox.com>

1 files changed, 11 insertions, 1 deletions

diff --git a/plugin/rewrite/rewrite.go b/plugin/rewrite/rewrite.go
index a1e474c29..c315fa73a 100644
--- a/plugin/rewrite/rewrite.go
+++ b/plugin/rewrite/rewrite.go
@@ -57,7 +57,17 @@ func (rw Rewrite) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg
 				if !rw.RevertPolicy.DoRevert() {
 					return plugin.NextOrFailure(rw.Name(), rw.Next, ctx, w, r)
 				}
-				return plugin.NextOrFailure(rw.Name(), rw.Next, ctx, wr, r)
+				rcode, err := plugin.NextOrFailure(rw.Name(), rw.Next, ctx, wr, r)
+				if plugin.ClientWrite(rcode) {
+					return rcode, err
+				}
+				// The next plugins didn't write a response, so write one now with the ResponseReverter.
+				// If server.ServeDNS does this then it will create an answer mismatch.
+				res := new(dns.Msg).SetRcode(r, rcode)
+				state.SizeAndDo(res)
+				wr.WriteMsg(res)
+				// return success, so server does not write a second error response to client
+				return dns.RcodeSuccess, err
 			}
 		}
 	}