summaryrefslogtreecommitdiffstats
path: root/src/resolve/resolved-dns-cache.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/resolve/resolved-dns-cache.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index a9a6492..e90915e 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -531,6 +531,20 @@ static int dns_cache_put_positive(
TAKE_PTR(i);
return 0;
}
+/* https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml */
+/* https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml#transport-independent */
+static bool dns_special_use_domain_invalid_answer(DnsResourceKey *key, int rcode) {
+ /* Sometimes we know a domain exists, even if broken nameservers say otherwise. Make sure not to
+ * cache any answers we know are wrong. */
+
+ /* RFC9462 ยง 6.4: resolvers SHOULD respond to queries of any type other than SVCB for
+ * _dns.resolver.arpa. with NODATA and queries of any type for any domain name under resolver.arpa
+ * with NODATA. */
+ if (dns_name_endswith(dns_resource_key_name(key), "resolver.arpa") > 0 && rcode == DNS_RCODE_NXDOMAIN)
+ return true;
+
+ return false;
+}
static int dns_cache_put_negative(
DnsCache *c,
@@ -561,6 +575,8 @@ static int dns_cache_put_negative(
return 0;
if (dns_type_is_pseudo(key->type))
return 0;
+ if (dns_special_use_domain_invalid_answer(key, rcode))
+ return 0;
if (IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN)) {
if (!soa)