From 67179e8973aa27e92ebc03d293c22e8b9a10ee82 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 21 Jan 2022 10:52:02 +1100
Subject: [PATCH] Check that the forward declaration is unchanged and not overridden

If we are using a fowarder, in addition to checking that names to be cached are subdomains of the forwarded namespace, we must also check that there are no subsidiary forwarded namespaces which would take precedence. To be safe, we don't cache any responses if the forwarding configuration has changed since the query was sent.
---
 lib/dns/resolver.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 29828698b2..efe4a438b5 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6768,7 +6768,31 @@ mark_related(dns_name_t *name, dns_rdataset_t *rdataset, bool external,
 static inline bool
 name_external(const dns_name_t *name, fetchctx_t *fctx) {
 if (ISFORWARDER(fctx->addrinfo)) {
- return (!dns_name_issubdomain(name, fctx->fwdname));
+ isc_result_t result;
+ dns_fixedname_t fixed;
+ dns_forwarders_t *forwarders = NULL;
+ dns_name_t *fname;
+
+ if (!dns_name_issubdomain(name, fctx->fwdname)) {
+ return (true);
+ }
+
+ /*
+ * Is there a child forwarder declaration that is better?
+ * This lookup should always succeed if the configuration
+ * has not changed.
+ */
+ fname = dns_fixedname_initname(&fixed);
+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name, fname,
+ &forwarders);
+ if (result == ISC_R_SUCCESS) {
+ return (!dns_name_equal(fname, fctx->fwdname));
+ }
+
+ /*
+ * Play it safe if the configuration has changed.
+ */
+ return (true);
 }
 
 return (!dns_name_issubdomain(name, fctx->domain));
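Review bot: In the forwarder branch of name_external(), the "unchanged" test is only `dns_name_equal(fname, fctx->fwdname)`; `forwarders` is filled in by dns_fwdtable_find() and never read, so a reconfiguration that keeps the same forward declaration name but alters its forwarder list or policy still counts as unchanged, which is narrower than the commit message's "we don't cache any responses if the forwarding configuration has changed". If that is intended, the first comment should say so, e.g. `/* Only the name of the best-matching forward declaration is compared; changes to its forwarder list or policy are not detected here. */`. The final `return (true)` treats the name as external whenever the lookup does not succeed, which is the safe default and worth keeping if this is refactored. The function's closing brace lies outside the hunk, and whether dns_fwdtable_find() accepts a NULL output pointer is not visible here, so I am not suggesting dropping the unused variable.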