From 861a7fb9c314fe2f9aeba69be08c66800c125a95 Mon Sep 17 00:00:00 2001
From: Razvan Dimescu
Date: Sat, 28 Mar 2026 19:15:00 +0200
Subject: [PATCH] fix: return NXDOMAIN for .local queries instead of SERVFAIL

.local is reserved for mDNS (RFC 6762) and cannot be resolved by upstream DNS servers. Add it to is_special_use_domain() so queries like _grpc_config.localhost.local get an immediate NXDOMAIN instead of timing out and returning SERVFAIL.

Co-Authored-By: Claude Opus 4.6
---
 src/ctx.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/ctx.rs b/src/ctx.rs
index 5ecb150..4fb926e 100644
--- a/src/ctx.rs
+++ b/src/ctx.rs
@@ -366,7 +366,11 @@ fn is_special_use_domain(qname: &str) -> bool {
 return true;
 }
 // NAT64 (RFC 8880)
- qname == "ipv4only.arpa"
+ if qname == "ipv4only.arpa" {
+ return true;
+ }
+ // RFC 6762: .local is reserved for mDNS — never forward to upstream
+ qname == "local" || qname.ends_with(".local")
 }

 fn special_use_response(query: &DnsPacket, qname: &str, qtype: QueryType) -> DnsPacket {
-- 
2.34.1
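Review bot: The new suffix test `qname == "local" || qname.ends_with(".local")` is byte-exact, so a mixed-case query such as `Printer.LOCAL` or the fully qualified form `printer.local.` would not match and would still be forwarded upstream, disclosing an internal mDNS name to the upstream resolver, unless qname is already lowercased and stripped of its trailing dot before is_special_use_domain() is called. That normalization is not visible here: the function starts above the hunk, and the existing `qname == "ipv4only.arpa"` comparison relies on the same assumption. Either state the precondition in the comment, e.g. `// qname is lowercased with no trailing dot (normalized by the caller)`, or normalize locally with `let q = qname.trim_end_matches('.').to_ascii_lowercase();` and test `q == "local" || q.ends_with(".local")`. A unit test covering `local`, `host.local`, `HOST.Local`, `host.local.` and a non-match such as `notlocal` would pin the behaviour.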