core: block CH queries earlier (#973)

block chaos queries, unless the chaos or proxy middleware is loaded. We respond with REFUSED. This removes the need for each middleware to do this class != ClassINET if-then. Also make config.Registry non-public.
2025-12-19 16:45:11 -05:00 · 2017-08-25 08:55:53 +01:00
parent 932639ac99
commit 55dafe6f59
8 changed files with 18 additions and 29 deletions
--- a/core/dnsserver/server.go
+++ b/core/dnsserver/server.go
@@ -37,9 +37,11 @@ type Server struct {
 	connTimeout time.Duration      // the maximum duration of a graceful shutdown
 	trace       trace.Trace        // the trace middleware for the server
 	debug       bool               // disable recover()
+	classChaos  bool               // allow non-INET class queries
 }

-// NewServer returns a new CoreDNS server and compiles all middleware in to it.
+// NewServer returns a new CoreDNS server and compiles all middleware in to it. By default CH class
+// queries are blocked unless the chaos or proxy is loaded.
 func NewServer(addr string, group []*Config) (*Server, error) {

 	s := &Server{
@@ -77,6 +79,9 @@ func NewServer(addr string, group []*Config) (*Server, error) {
 					s.trace = t
 				}
 			}
+			if stack.Name() == "chaos" || stack.Name() == "proxy" {
+				s.classChaos = true
+			}
 		}
 		site.middlewareChain = stack
 	}
@@ -184,6 +189,11 @@ func (s *Server) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg)
 		}()
 	}

+	if !s.classChaos && r.Question[0].Qclass != dns.ClassINET {
+		DefaultErrorFunc(w, r, dns.RcodeRefused)
+		return
+	}
+
 	if m, err := edns.Version(r); err != nil { // Wrong EDNS version, return at once.
 		w.WriteMsg(m)
 		return