From 31aa04c1c5b4805ec97aaefefe0ae95b178b9bb5 Mon Sep 17 00:00:00 2001
From: Shreyas Zare
Date: Sun, 5 Feb 2023 16:37:15 +0530
Subject: [PATCH] DnsServer: Updated ProcessConnectionAsync() to add timeout condition for AuthenticateAsServerAsync() call. Updated ProcessAPPAsync() to decide on correct RCODE to be used for response.

---
 DnsServerCore/Dns/DnsServer.cs | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/DnsServerCore/Dns/DnsServer.cs b/DnsServerCore/Dns/DnsServer.cs
index 40415fdc..e8b356ba 100644
--- a/DnsServerCore/Dns/DnsServer.cs
+++ b/DnsServerCore/Dns/DnsServer.cs
@@ -515,7 +515,7 @@ namespace DnsServerCore.Dns
 
 case DnsTransportProtocol.Tls:
 SslStream tlsStream = new SslStream(new NetworkStream(socket));
- await tlsStream.AuthenticateAsServerAsync(_certificate);
+ await tlsStream.AuthenticateAsServerAsync(_certificate).WithTimeout(_tcpReceiveTimeout);
 
 await ReadStreamRequestAsync(tlsStream, remoteEP, protocol);
 break;
@@ -524,6 +524,10 @@ namespace DnsServerCore.Dns
 throw new InvalidOperationException();
 }
 }
+ catch (TimeoutException)
+ {
+ //ignore timeout exception on TLS auth
+ }
 catch (IOException)
 {
 //ignore IO exceptions
@@ -1945,11 +1949,14 @@ namespace DnsServerCore.Dns
 DnsDatagram appResponse = await appRecordRequestHandler.ProcessRequestAsync(request, remoteEP, protocol, isRecursionAllowed, zoneInfo.Name, appResourceRecord.Name, appResourceRecord.TTL, appRecord.Data);
 if (appResponse is null)
 {
+ DnsResponseCode rcode;
 IReadOnlyList authority = null;
 
 if (zoneInfo.Type == AuthZoneType.Forwarder)
 {
 //return FWD response
+ rcode = DnsResponseCode.NoError;
+
 if (!zoneInfo.Name.Equals(appResourceRecord.Name, StringComparison.OrdinalIgnoreCase))
 {
 AuthZone authZone = _authZoneManager.GetAuthZone(zoneInfo.Name, appResourceRecord.Name);
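Review bot: The timed-out handshake is abandoned rather than stopped: `WithTimeout` (helper not visible here) presumably races the task against a delay, so after the `TimeoutException` the `AuthenticateAsServerAsync` call on the changed `await tlsStream...` line keeps running on `tlsStream`, and the connection is released only if the cleanup of the enclosing method, which starts and ends outside the hunk, disposes `socket`; nothing in the hunk disposes `tlsStream`. Since the purpose of the timeout is to bound how long a slow client can keep a handshake open, the cancellable overload would actually end it: `using (CancellationTokenSource cts = new CancellationTokenSource(_tcpReceiveTimeout))` / `    await tlsStream.AuthenticateAsServerAsync(new SslServerAuthenticationOptions() { ServerCertificate = _certificate }, cts.Token);`, with the handler added in the next hunk catching `OperationCanceledException` instead of `TimeoutException`. Reusing `_tcpReceiveTimeout` as the handshake budget is reasonable but worth a comment such as `//bound the TLS handshake with the same budget as a TCP receive` so the reuse reads as intentional.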
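Review bot: The comment `//ignore timeout exception on TLS auth` is narrower than the catch it labels: the try body also contains the `ReadStreamRequestAsync` call shown in the previous hunk (and whatever precedes it outside this hunk), so any `TimeoutException` raised while reading a request is swallowed by this handler as well. If that is intended, say so, e.g. `//ignore timeout exception (TLS auth or request read)`; if only the handshake should be tolerated, a narrower try around the authenticate call would make the scope explicit. Like the existing `IOException` handler it drops the event silently; a debug-level log or a counter of handshake timeouts would let an operator notice repeated slow handshakes from the same client, though silence may be deliberate given the surrounding style. The enclosing try begins outside the hunk.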
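Review bot: `DnsResponseCode rcode;` is declared unassigned and then set to `DnsResponseCode.NoError` at the top of the forwarder branch, with the other branch assigning it in the next hunk; initializing at the declaration, `DnsResponseCode rcode = DnsResponseCode.NoError;`, and assigning only the `NxDomain` case would remove two of the three assignments and not rely on definite-assignment analysis to keep every future branch covered. The RCODE and the `authority` list are the two things this block computes, so a one-line comment above the declaration, `//RCODE and authority section for the response built when the app returns no response`, would help a reader arriving at the `return` further down. The enclosing method starts and ends outside the hunk.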
@@ -1962,11 +1969,16 @@ namespace DnsServerCore.Dns
 }
 else
 {
- //return NO DATA response
+ //return NODATA/NXDOMAIN response
+ if (request.Question[0].Name.Length > appResourceRecord.Name.Length)
+ rcode = DnsResponseCode.NxDomain;
+ else
+ rcode = DnsResponseCode.NoError;
+
 authority = zoneInfo.GetApexRecords(DnsResourceRecordType.SOA);
 }
 
- return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, DnsResponseCode.NoError, request.Question, null, authority) { Tag = DnsServerResponseType.Authoritative };
+ return new DnsDatagram(request.Identifier, true, request.OPCODE, false, false, request.RecursionDesired, isRecursionAllowed, false, false, rcode, request.Question, null, authority) { Tag = DnsServerResponseType.Authoritative };
 }
 else
 {
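Review bot: The NXDOMAIN decision on the `if (request.Question[0].Name.Length > appResourceRecord.Name.Length)` line compares only name lengths, so it relies on the question name being at or below `appResourceRecord.Name` and on both names being normalized the same way (trailing dot, case); that holds only if this code is reached solely through the closest enclosing APP record, which is decided outside the hunk. If `appResourceRecord.Name` can be a wildcard owner, a query two or more labels below it would be answered NXDOMAIN although the wildcard covers it, so the comparison may need the matched name rather than the record owner; worth confirming against the caller. A comment stating the assumption would help: `//question name is at or below the APP record owner; a longer name means nothing exists below it -> NXDOMAIN, otherwise NODATA`. Only the non-forwarder path changes behavior here, since the forwarder branch still yields `NoError` through `rcode`; the enclosing method ends outside the hunk.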