author | Simon Kelley <simon@thekelleys.org.uk> | 2022-11-26 22:19:29 +0000 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2022-11-26 22:19:29 +0000 |
commit | e939b45c9facb1b2dad688de1ce14457247615e9 (patch) | |
tree | 244e891a490d1661cae1ab1cd2e4b2297918384b /src/forward.c | |
parent | e3068ed111fb5c3d338026406dd6ab24363edea3 (diff) | |
download | dnsmasq-e939b45c9facb1b2dad688de1ce14457247615e9.tar.gz |
Handle malformed DNS replies better.v2.88rc5
If we detect that the reply from upstream is malformed,
transform it into a SERVFAIL reply before sending it to the
original requestor.
Diffstat (limited to 'src/forward.c')
-rw-r--r-- | src/forward.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/forward.c b/src/forward.c
index b4e3c5a..0f03818 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -821,12 +821,22 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server
 n = rrfilter(header, n, RRFILTER_AAAA);
 }
- if (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
+ switch (extract_addresses(header, n, daemon->namebuff, now, ipsets, nftsets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
 {
+ case 1:
 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
 munged = 1;
 cache_secure = 0;
 ede = EDE_BLOCKED;
+ break;
+
+ /* extract_addresses() found a malformed answer. */
+ case 2:
+ munged = 1;
+ SET_RCODE(header, SERVFAIL);
+ cache_secure = 0;
+ ede = EDE_OTHER;
+ break;
 }
 if (doctored) |