DnsServer: Updated ProcessConnectionAsync() to add timeout condition for AuthenticateAsServerAsync() call. Updated ProcessAPPAsync() to decide on correct RCODE to be used for response.

2026-01-08 01:34:13 +00:00 · 2023-02-05 16:37:15 +05:30
parent 33714b2ac2
commit 31aa04c1c5
1 changed files with 15 additions and 3 deletions
--- a/DnsServerCore/Dns/DnsServer.cs
+++ b/DnsServerCore/Dns/DnsServer.cs
@@ -515,7 +515,7 @@ namespace DnsServerCore.Dns

                    case DnsTransportProtocol.Tls:
                        SslStream tlsStream = new SslStream(new NetworkStream(socket));
-                        await tlsStream.AuthenticateAsServerAsync(_certificate);
+                        await tlsStream.AuthenticateAsServerAsync(_certificate).WithTimeout(_tcpReceiveTimeout);

                        await ReadStreamRequestAsync(tlsStream, remoteEP, protocol);
                        break;
@@ -524,6 +524,10 @@ namespace DnsServerCore.Dns
                        throw new InvalidOperationException();
                }
            }
+            catch (TimeoutException)
+            {
+                //ignore timeout exception on TLS auth
+            }
            catch (IOException)
            {
                //ignore IO exceptions
@@ -1945,11 +1949,14 @@ namespace DnsServerCore.Dns
                    DnsDatagram appResponse = await appRecordRequestHandler.ProcessRequestAsync(request, remoteEP, protocol, isRecursionAllowed, zoneInfo.Name, appResourceRecord.Name, appResourceRecord.TTL, appRecord.Data);
                    if (appResponse is null)
                    {
+                        DnsResponseCode rcode;
                        IReadOnlyList<DnsResourceRecord> authority = null;

                        if (zoneInfo.Type == AuthZoneType.Forwarder)
                        {
                            //return FWD response
+                            rcode = DnsResponseCode.NoError;
+
                            if (!zoneInfo.Name.Equals(appResourceRecord.Name, StringComparison.OrdinalIgnoreCase))
                            {
                                AuthZone authZone = _authZoneManager.GetAuthZone(zoneInfo.Name, appResourceRecord.Name);
@@ -1962,11 +1969,16 @@ namespace DnsServerCore.Dns
                        }
                        else
                        {
-                            //return NO DATA response
+                            //return NODATA/NXDOMAIN response
+                            if (request.Question[0].Name.Length > appResourceRecord.Name.Length)
+                                rcode = DnsResponseCode.NxDomain;
+                            else
+                                rcode = DnsResponseCode.NoError;
+
                            authority = zoneInfo.GetApexRecords(DnsResourceRecordType.SOA);
                        }

-                        return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.NoError, request.Question, null, authority) { Tag = DnsServerResponseType.Authoritative };
+                        return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, rcode, request.Question, null, authority) { Tag = DnsServerResponseType.Authoritative };
                    }
                    else
                    {