From 30e1880253102a06cd17d0c3c2ff1835c92a3da7 Mon Sep 17 00:00:00 2001 From: Philip Hazel Date: Mon, 20 Nov 2006 13:53:44 +0000 Subject: [PATCH] Lock out "A-for-A" DNS lookups. --- doc/doc-txt/ChangeLog | 8 +++++++- src/src/dns.c | 18 ++++++++++++++++-- 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 216cf5f7b..629762d4c 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.437 2006/11/20 11:57:56 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.438 2006/11/20 13:53:44 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -325,6 +325,12 @@ JJ/07 exipick.20061117.2, added $received_ip_address and $received_port PH/46 Applied Jori Hamalainen's patch to add features to exiqsumm. +PH/47 Put in an explicit test for a DNS lookup of an address record where the + "domain" is actually an IP address, and force a failure. This locks out + those revolvers/nameservers that support "A-for-A" lookups, in + contravention of the specifications. + + Exim version 4.63 diff --git a/src/src/dns.c b/src/src/dns.c index b86762ed4..a6c6d053b 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/dns.c,v 1.15 2006/11/07 14:13:19 ph10 Exp $ */ +/* $Cambridge: exim/src/src/dns.c,v 1.16 2006/11/20 13:53:44 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -453,6 +453,7 @@ Arguments: Returns: DNS_SUCCEED successful lookup DNS_NOMATCH name not found (NXDOMAIN) or name contains illegal characters (if checking) + or name is an IP address (for IP address lookup) DNS_NODATA domain exists, but no data for this type (NODATA) DNS_AGAIN soft failure, try again later DNS_FAIL DNS failure 
@@ -539,7 +540,20 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR) number of bytes the message would need, so we need to check for this case. The effect is to truncate overlong data. -If we are running in the test harness, instead of calling the normal resolver +On some systems, res_search() will recognize "A-for-A" queries and return +the IP address instead of returning -1 with h_error=HOST_NOT_FOUND. Some +nameservers are also believed to do this. It is, of course, contrary to the +specification of the DNS, so we lock it out. */ + +if (( + #ifdef SUPPORT_A6 + type == T_A6 || + #endif + type == T_A || type == T_AAAA) && + string_is_ip_address(name, NULL) != 0) + return DNS_NOMATCH; + +/* If we are running in the test harness, instead of calling the normal resolver (res_search), we call fakens_search(), which recognizes certain special domains, and interfaces to a fake nameserver for certain special zones. */ -- 2.25.1
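Review bot: The new A-for-A guard returns `DNS_NOMATCH` with no trace, so someone reading a debug log cannot tell this deliberate rejection apart from a genuine NXDOMAIN or from a name rejected by the `check_dns_names_pattern` test referenced in the hunk header. I would brace the `return` and add a debug line before it, for example `DEBUG(D_dns) debug_printf("DNS lookup of %s rejected: name is an IP address\n", name);`. The early return also skips everything the function does after the resolver call, and that part lies outside this hunk. If failed lookups are recorded or cached there, please confirm that bypassing it for IP-literal names is intended.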