Bug 826 - refuse_non_local could result in a broken response
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: unspecified
Hardware: Other All
Importance: P5 enhancement
Assigned To: unbound team
Reported: 2016-08-31 00:53 CEST by JINMEI Tatuya
Modified: 2016-09-01 16:36 CEST
Description JINMEI Tatuya 2016-08-31 00:53:30 CEST
If you configure unbound with refuse_non_local, e.g.:

server:
	access-control: 192.0.2.1/32 refuse_non_local
...

and send a query from this address so it will hit this ACL entry, you
can't see the response from dig:

% dig @192.0.2.1 www.example.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.0.2.1 www.example.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

although unbound certainly refused it:

[1472552720] unbound[4201:0] debug: refused query from ip4 192.0.2.1 port 50686 (len 16)

This is because sldns_buffer_flip() isn't called on return from
deny_refuse_non_local() in worker_handle_request().  You can fix it by
adding a call to 'flip' at that point, but I wonder whether it may be
better to do that in deny_refuse() rather than having all its
implicit/explicit callers do the job.  That would also be more
compatible with, e.g. what chaos_replystr() does.
Comment 1 Wouter Wijngaards 2016-09-01 16:36:03 CEST
Hi Jinmei,

Yes, you are correct.  The empty UDP response is not good.  Fixed by calling flip in deny_refuse().

Best regards, Wouter
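The buffer mechanics behind the report and the fix, as an added illustration that is not unbound's own code: a minimal stand-in for the sldns_buffer position/limit semantics (flip sets limit = position and position = 0, set_limit clamps the position to the new limit, and the UDP send path transmits limit - position bytes), run against a constructed 33-byte query for www.example.com. The struct, function names and sample packet are assumptions of this model, and it assumes the question section has already been consumed from the buffer when the refuse_non_local path runs, which is the situation the report describes.

```c
#include <stdint.h>
#include <string.h>
#define DNS_HEADER_SIZE 12

/* Minimal model of unbound's sldns_buffer (not the real sbuffer.h); the
 * bytes handed to sendto() are [position, limit). */
struct pkt_buffer { uint8_t data[512]; size_t position; size_t limit; };
/* Models sldns_buffer_flip(): limit = position, position = 0. */
static void buf_flip(struct pkt_buffer *b) { b->limit = b->position; b->position = 0; }
/* Models sldns_buffer_set_limit(): set the limit and clamp position to it. */
static void buf_set_limit(struct pkt_buffer *b, size_t l) { b->limit = l; if (b->position > l) b->position = l; }
/* Models sldns_buffer_remaining(): the byte count the UDP send path puts on the wire. */
static size_t buf_remaining(const struct pkt_buffer *b) {
    return b->position < b->limit ? b->limit - b->position : 0;
}

/* Constructed query: id 0x1234, RD set, one question www.example.com A IN (33 bytes). */
static const uint8_t SAMPLE_QUERY[33] = {
    0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1 };

/* Buffer as the worker holds it when refuse_non_local is evaluated: the receive
 * path flipped it to [0, 33) and the parser then consumed the question section. */
static void load_parsed_query(struct pkt_buffer *b) {
    memcpy(b->data, SAMPLE_QUERY, sizeof SAMPLE_QUERY);
    b->limit = sizeof SAMPLE_QUERY;
    b->position = sizeof SAMPLE_QUERY;
}

/* Refuse path: keep only the header, zero the four counts, set QR and RCODE=REFUSED (5). */
static void write_refused_header(struct pkt_buffer *b) {
    buf_set_limit(b, DNS_HEADER_SIZE);
    memset(b->data + 4, 0, 8);
    b->data[2] |= 0x80;
    b->data[3] = (uint8_t)((b->data[3] & 0xf0) | 5);
}

/* Buggy path: no flip; set_limit clamped position to the limit, so 0 bytes go out. */
static size_t refused_len_without_flip(struct pkt_buffer *b) {
    write_refused_header(b);
    return buf_remaining(b);
}

/* Fixed path: flip after building the header, so the 12-byte REFUSED reply goes out. */
static size_t refused_len_with_flip(struct pkt_buffer *b) {
    write_refused_header(b);
    buf_flip(b);
    return buf_remaining(b);
}
```

The zero-length result of the first path is the empty UDP datagram dig never reports as a response, while the second path yields the 12-byte header the client can parse.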