Navigation

Changeset 1211

Timestamp:

06/20/08 21:45:08 (4 months ago)

Author:

ahu

Message:

make sure forward-zones pierces dont-query

Files:

r1205	r1211
143	143	<command>rec_control wipe-cache</command> now also wipes domains from the negative cache, hurrying up the expiry
144	144	of negatively cached records. Suggested by Simon Kirby, implemented in c1204.
	145	</para>
	146	</listitem>
	147	<listitem>
	148	<para>
	149	When a forwarder server is configured for a domain, using the <command>forward-zones</command> setting, this server IP address was
	150	filtered using the <command>dont-query</command> setting, which is generally not what is desired: the server to which queries are
	151	forwarded will often live in private IP space, and the operator should be trusted to know what he is doing. Reported and argued by Simon
	152	Kirby, fix in c1211.
145	153	</para>
146	154	</listitem>

r1189	r1211
625	625	bool doTCP=false;
626	626	int resolveret;
	627	bool pierceDontQuery=false;
627	628
628	629	LWResult lwr;
…	…
635	636	else {
636	637	LOG<<prefix<<qname<<": Trying to resolve NS '"<<*tns<<"' ("<<1+tns-rnameservers.begin()<<"/"<<(unsigned int)rnameservers.size()<<")"<<endl;
	638
637	639	if(!isCanonical(*tns)) {
638	640	LOG<<prefix<<qname<<": Domain has hardcoded nameserver(s)"<<endl;
…	…
640	642	pair<string,string> ipport=splitField(*tns, ':');
641	643	ComboAddress addr(ipport.first, ipport.second.empty() ? 53 : lexical_cast<uint16_t>(ipport.second));
642
	644
643	645	remoteIPs.push_back(addr);
644		}
645		else
	646	pierceDontQuery=true;
	647	}
	648	else {
646	649	remoteIPs=getAs(*tns, depth+1, beenthere);
	650	pierceDontQuery=false;
	651	}
647	652
648	653	if(remoteIPs.empty()) {
…	…
671	676	continue;
672	677	}
673		else if(g_dontQuery && g_dontQuery->match(&*remoteIP)) {
	678	else if(!pierceDontQuery && g_dontQuery && g_dontQuery->match(&*remoteIP)) {
674	679	LOG<<prefix<<qname<<": not sending query to " << remoteIP->toString() << ", blocked by 'dont-query' setting" << endl;
675	680	continue;