If we already performed a resolution before, even partial, don't retry

(at least until the TTL expires) So, if www.google.com is cloaked, and forcesafesearch returns a A record but no AAAA, return the cloaked A record for A queries, but don't return the actual AAAA record for AAAA queries: return a synthetic empty response instead.
2018-02-04 02:21:07 +01:00 · 2018-02-04 02:21:07 +01:00 · 18167c0f47
parent 5c18c51116
commit 18167c0f47
1 changed files with 9 additions and 15 deletions
--- a/dnscrypt-proxy/plugin_cloak.go
+++ b/dnscrypt-proxy/plugin_cloak.go
@ -105,13 +105,7 @@ func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 	if cloakedName == nil {
 		return nil
 	}
-	var ip *net.IP
-	if question.Qtype == dns.TypeA {
-		ip = cloakedName.ipv4
-	} else {
-		ip = cloakedName.ipv6
-	}
-	if ip == nil && !cloakedName.isIP {
+	if cloakedName.ipv4 == nil && cloakedName.ipv6 == nil && !cloakedName.isIP {
 		foundIPs, err := net.LookupIP(cloakedName.target)
 		if err != nil {
 			return nil
@ -128,20 +122,20 @@ func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 			}
 		}
 		plugin.Unlock()
-		if question.Qtype == dns.TypeA {
-			ip = cloakedName.ipv4
-		} else {
-			ip = cloakedName.ipv6
-		}
 	}
-	if ip == nil {
-		return nil
+	var ip *net.IP
+	if question.Qtype == dns.TypeA {
+		ip = cloakedName.ipv4
+	} else {
+		ip = cloakedName.ipv6
 	}
 	synth, err := EmptyResponseFromMessage(msg)
 	if err != nil {
 		return err
 	}
-	if question.Qtype == dns.TypeA {
+	if ip == nil {
+		synth.Answer = []dns.RR{}
+	} else if question.Qtype == dns.TypeA {
 		rr := new(dns.A)
 		rr.Hdr = dns.RR_Header{Name: question.Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 1}
 		rr.A = *ip