From 5de353eba866c38d7cb6fed262d0e49f8468bee0 Mon Sep 17 00:00:00 2001 From: Brian Haley Date: Fri, 26 May 2023 10:48:04 -0400 Subject: [PATCH] controller: Ignore DNS queries with RRs DNS queries with optional records (RRs), for example, with cookies for EDNS, are not supported by the OVN resolver. Trying to reply will result in mangled responses that clients do not understand - the ANSWER section will contain an incorrect option. Instead, just return early when one is present, which will trigger a negative response and cause clients to go to the upstream forwarder, hopefully resulting in a successful query. In our testing, the resolver only retries if the response is correctly formatted, which now happens with this change. Reported-at: https://github.com/ovn-org/ovn/issues/192 Reported-by: Nicolas Bock Signed-off-by: Brian Haley Signed-off-by: 0-day Robot
---
 controller/pinctrl.c | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/controller/pinctrl.c b/controller/pinctrl.c
index b4be220207..93298d6f7e 100644
--- a/controller/pinctrl.c
+++ b/controller/pinctrl.c
@@ -2867,6 +2867,13 @@ pinctrl_handle_dns_lookup(
 goto exit;
 }
 
+ /* Check if there is an additional record present, which is unsupported */
+ if (in_dns_header->arcount) {
+ VLOG_DBG_RL(&rl, "Received DNS query with additional records, which"
+ " is unsupported");
+ goto exit;
+ }
+
 struct udp_header *in_udp = dp_packet_l4(pkt_in);
 size_t udp_len = ntohs(in_udp->udp_len);
 size_t l4_len = dp_packet_l4_size(pkt_in);
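Review bot: The new guard tests only `arcount`, so a query that sets `ancount` or `nscount` would still put extra bytes after the question section and reach the reply path, unless a check outside this hunk already rejects it. The commit message says such trailing data is what mangles the ANSWER section, so the same early exit should probably cover all three counts: `if (in_dns_header->ancount || in_dns_header->nscount || in_dns_header->arcount) {`. A non-zero test is safe without `ntohs()`, but the comment could say so, and could name EDNS OPT as the common case, for example `/* Queries carrying any record beyond the question (e.g. an EDNS OPT RR) are not supported; the counts are big-endian but only tested for non-zero. */`. Because many stub resolvers send an OPT record by default, this path may be taken often, and a rate-limited debug message alone makes it hard to see how much traffic bypasses the local resolver. The body of pinctrl_handle_dns_lookup starts and ends outside the hunk, so what happens after the `exit` label cannot be confirmed from here.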