From 94a8815892f538b334d640012eebcafc2c7fa284 Mon Sep 17 00:00:00 2001 From: Martin Wetterwald Date: Thu, 27 Oct 2016 12:17:03 +0200 Subject: [PATCH] Consider SERVFAIL as a non-successful response Treat Servfail as a recoverable error instead of a hard error. A misconfigured dns forwarder upstream can return a Servfail faster than a correctly configured one. In the case of a dnssec misbehaving, it will misbehave on all correctly configured upstreams. In the case of a normal DNS query, the original behavior of dnsmasq here was more robust. --- src/forward.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/src/forward.c +++ b/src/forward.c @@ -853,7 +853,8 @@ void reply_query(int fd, int family, tim we get a good reply from another server. Kill it when we've had replies from all to avoid filling the forwarding table when everything is broken */ - if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED) + if (forward->forwardall == 0 || --forward->forwardall == 1 + || (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL)) { int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;