ref: 9d2f21b2cfafd9f30ae082dbc599e6e9994e2044
parent: 761452154a7d15aa519bb799313c151c26440914
author: Jacob Moody <moody@posixcafe.org>
date: Fri Aug 30 22:23:05 EDT 2024
ndb/dns: refuse recursive requests harder when given -R (thanks be0ba) Before we would refuse to recurse, but would still give a response with hints back. Some nefarious clients will interpret the lack of a Refused response code as us being an open resolver.
--- a/sys/src/cmd/ndb/dnserver.c
+++ b/sys/src/cmd/ndb/dnserver.c
@@ -65,7 +65,8 @@
if(cfg.nonrecursive
|| cfg.localrecursive && !localip(srcip)){
/* we don't recurse and we're not authoritative */
- neg = nil;
+ setercode(repp, Rrefused);
+ return;
} else {
repp->flags |= Fcanrec;
if(reqp->flags & Frecurse){
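Review bot: The early `return` in the non-recursive branch exits before anything that follows this if/else, and the enclosing function starts and ends outside the hunk, so it is worth confirming that nothing later in it is still needed on the Refused path (reply fields not yet filled in, or freeing of records already allocated). The old `neg = nil;` fell through to that code, which is presumably where the hints in the old response came from. The comment above the new lines no longer says what the branch does; something like `/* we don't recurse and we're not authoritative: answer Refused with no hints, so we are not taken for an open resolver */` would keep the reason from the commit message next to the code. With `cfg.localrecursive` the decision depends on `srcip`, which a UDP sender can forge, so keeping the refusal free of referral data is the right direction for limiting reflection.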
--
⑨