Reset the TCP connection when garbage is received

When invalid DNS message is received, there was a handling mechanism for DoH that would be called to return proper HTTP response. Reuse this mechanism and reset the TCP connection when the client is blackholed, DNS message is completely bogus or the ns_client receives response instead of query.
2025-08-31 14:35:26 +00:00 · 2022-02-15 14:41:15 +01:00
parent 0697288b9d
commit 4716c56ebb
3 changed files with 49 additions and 18 deletions
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -1822,6 +1822,9 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
 		 * There isn't enough header to determine whether
 		 * this was a request or a response.  Drop it.
 		 */
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+			      "dropped request: invalid message header");
 		isc_nm_bad_request(handle);
 		return;
 	}
@@ -1838,7 +1841,9 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
 	 * If it's a TCP response, discard it here.
 	 */
 	if ((flags & DNS_MESSAGEFLAG_QR) != 0) {
-		CTRACE("unexpected response");
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+			      "dropped request: unexpected response");
 		isc_nm_bad_request(handle);
 		return;
 	}