OpenWrt – Blame information for rev 1
Rev | Author | Line No. | Line |
---|---|---|---|
1 | office | 1 | From 122392e0b352507cabb9e982208d35d2e56902e0 Mon Sep 17 00:00:00 2001 |
2 | From: Simon Kelley <simon@thekelleys.org.uk> |
||
3 | Date: Wed, 31 Oct 2018 22:24:02 +0000 |
||
4 | Subject: [PATCH 09/32] Revert 68f6312d4bae30b78daafcd6f51dc441b8685b1e |
||
5 | |||
6 | The above is intended to increase robustness, but actually does the |
||
7 | opposite. The problem is that by ignoring SERVFAIL messages and hoping |
||
8 | for a better answer from another of the servers we've forwarded to, |
||
9 | we become vulnerable in the case that one or more of the configured |
||
10 | servers is down or not responding. |
||
11 | |||
12 | Consider the case that a domain is indeed BOGUS, and we've send the |
||
13 | query to n servers. With 68f6312d4bae30b78daafcd6f51dc441b8685b1e |
||
14 | we ignore the first n-1 SERVFAIL replies, and only return the |
||
15 | final n'th answer to the client. Now, if one of the servers we are |
||
16 | forwarding to is down, then we won't get all n replies, and the |
||
17 | client will never get an answer! This is a far more likely scenario |
||
18 | than a temporary SERVFAIL from only one of a set of notionally identical |
||
19 | servers, so, on the ground of robustness, we have to believe |
||
20 | any SERVFAIL answers we get, and return them to the client. |
||
21 | |||
22 | The client could be using the same recursive servers we are, |
||
23 | so it should, in theory, retry on SERVFAIL anyway. |
||
24 | |||
25 | Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> |
||
26 | --- |
||
27 | src/forward.c | 3 +-- |
||
28 | 1 file changed, 1 insertion(+), 2 deletions(-) |
||
29 | |||
30 | --- a/src/forward.c |
||
31 | +++ b/src/forward.c |
||
32 | @@ -957,8 +957,7 @@ void reply_query(int fd, int family, tim |
||
33 | we get a good reply from another server. Kill it when we've |
||
34 | had replies from all to avoid filling the forwarding table when |
||
35 | everything is broken */ |
||
36 | - if (forward->forwardall == 0 || --forward->forwardall == 1 || |
||
37 | - (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL)) |
||
38 | + if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED) |
||
39 | { |
||
40 | int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; |
||
41 |