fix: parse DoT queries up-front and echo question in SERVFAIL

Address review findings on PR #25: - Refactor resolve_query to take a pre-parsed DnsPacket. Parse-error handling moves to the UDP caller, eliminating the double warn! line on malformed UDP queries. - Enforce MIN_MSG_LEN=12 (DNS header) in handle_dot_connection so query_id extraction is always reading client-sent bytes, not the zeroed buffer tail. - Parse the DoT query before calling resolve_query and retain it, so SERVFAIL responses can echo the original question section via response_from(). Parse failures send FORMERR with the client id. - Extract write_framed() helper for length-prefix + flush, reused by success, SERVFAIL, and FORMERR paths. - Back off 100ms on listener.accept() errors to avoid tight-looping on fd exhaustion. - Replace the hardcoded 127.0.0.1:53 upstream in dot_nxdomain_for_unknown with a bound-but-unresponsive UDP socket owned by the test, making it independent of the host's local resolver. Test now runs in ~220ms (timeout lowered to 200ms) instead of 3s and asserts the question is echoed in the SERVFAIL response. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 16:47:54 +03:00
parent b78cd44c99
commit 7be923e6d2
2 changed files with 76 additions and 34 deletions
--- a/src/ctx.rs
+++ b/src/ctx.rs
@@ -65,21 +65,15 @@ pub struct ServerCtx {
 /// Transport-agnostic DNS resolution. Runs the full pipeline (overrides, blocklist,
 /// cache, upstream, DNSSEC) and returns the serialized response in a buffer.
 /// Callers use `.filled()` to get the response bytes without heap allocation.
+/// Callers are responsible for parsing the incoming buffer into a `DnsPacket`
+/// (and logging parse errors) before calling this function.
 pub async fn resolve_query(
-    mut buffer: BytePacketBuffer,
+    query: DnsPacket,
    src_addr: SocketAddr,
    ctx: &ServerCtx,
 ) -> crate::Result<BytePacketBuffer> {
    let start = Instant::now();

-    let query = match DnsPacket::from_buffer(&mut buffer) {
-        Ok(packet) => packet,
-        Err(e) => {
-            warn!("{} | PARSE ERROR | {}", src_addr, e);
-            return Err(e);
-        }
-    };
-
    let (qname, qtype) = match query.questions.first() {
        Some(q) => (q.name.clone(), q.qtype),
        None => return Err("empty question section".into()),
@@ -347,11 +341,18 @@ pub async fn resolve_query(

 /// Handle a DNS query received over UDP. Thin wrapper around resolve_query.
 pub async fn handle_query(
-    buffer: BytePacketBuffer,
+    mut buffer: BytePacketBuffer,
    src_addr: SocketAddr,
    ctx: &ServerCtx,
 ) -> crate::Result<()> {
-    match resolve_query(buffer, src_addr, ctx).await {
+    let query = match DnsPacket::from_buffer(&mut buffer) {
+        Ok(packet) => packet,
+        Err(e) => {
+            warn!("{} | PARSE ERROR | {}", src_addr, e);
+            return Ok(());
+        }
+    };
+    match resolve_query(query, src_addr, ctx).await {
        Ok(resp_buffer) => {
            ctx.socket.send_to(resp_buffer.filled(), src_addr).await?;
        }