policy: add REFUSE policy

Fixes: #337

policy: add REFUSE policy
Fixes: #337
9f7f25ea · Petr Špaček · Grigorii Demidov · 580a7ed4 · 9f7f25ea · 9f7f25ea
Commit 9f7f25ea authored 6 years ago by Petr Špaček Committed by Grigorii Demidov 6 years ago
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,10 @@ Security
  (!550, !558, security!2, security!4)
 - increase resilience against slow lorris attack (security!5)

+New features
+------------
+- new policy.REFUSE to reply REFUSED to clients
+
 Bugfixes
 --------
 - validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone (!538)

--- a/modules/policy/README.rst
+++ b/modules/policy/README.rst
@@ -34,6 +34,7 @@ An *action* is function which modifies DNS query. There are several actions avai
 * ``DENY`` - reply NXDOMAIN authoritatively
 * ``DENY_MSG(msg)`` - reply NXDOMAIN authoritatively and add explanatory message to additional section
 * ``DROP`` - terminate query resolution and return SERVFAIL to the requestor
+* ``REFUSE`` - terminate query resolution and return REFUSED to the requestor
 * ``TC`` - set TC=1 if the request came through UDP, forcing client to retry with TCP
 * ``FORWARD(ip)`` - resolve a query via forwarding to an IP while validating and caching locally;
 * ``TLS_FORWARD({{ip, authentication}})`` - resolve a query via TLS connection forwarding to an IP while validating and caching locally;

--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -491,6 +491,12 @@ function policy.DROP(_, _)
 	return kres.FAIL
 end

+function policy.REFUSE(_, req)
+	local answer = req.answer
+	answer:rcode(kres.rcode.REFUSED)
+	return kres.DONE
+end
+
 function policy.TC(state, req)
 	local answer = req.answer
 	if answer.max_size ~= 65535 then