fix(auto/file): return REFUSED when no next plugin is available (#7381)

plugin/auto/auto.go

@@ -51,6 +51,10 @@ func (a Auto) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (i
 	// Now the real zone.
 	zone = plugin.Zones(a.Zones.Names()).Matches(qname)
 	if zone == "" {
+		// If no next plugin is configured, it's more correct to return REFUSED as auto acts as an authoritative server
+		if a.Next == nil {
+			return dns.RcodeRefused, nil
+		}
 		return plugin.NextOrFailure(a.Name(), a.Next, ctx, w, r)
 	}
 

plugin/auto/auto_test.go

@@ -109,6 +109,7 @@ func TestAutoServeDNSZoneMatching(t *testing.T) {
 		names        []string
 		qname        string
 		hasZone      bool
+		shouldRefuse bool
 	}{
 		{
 			name:         "exact zone match",
@@ -116,6 +117,7 @@ func TestAutoServeDNSZoneMatching(t *testing.T) {
 			names:        []string{"example.org."},
 			qname:        "test.example.org.",
 			hasZone:      true,
+			shouldRefuse: false,
 		},
 		{
 			name:         "subdomain zone match",
@@ -123,6 +125,7 @@ func TestAutoServeDNSZoneMatching(t *testing.T) {
 			names:        []string{"example.org."},
 			qname:        "sub.test.example.org.",
 			hasZone:      true,
+			shouldRefuse: false,
 		},
 		{
 			name:         "no origin match",
@@ -130,6 +133,7 @@ func TestAutoServeDNSZoneMatching(t *testing.T) {
 			names:        []string{"example.org."},
 			qname:        "test.example.org.",
 			hasZone:      false,
+			shouldRefuse: false,
 		},
 		{
 			name:         "origin match but no name match",
@@ -137,6 +141,7 @@ func TestAutoServeDNSZoneMatching(t *testing.T) {
 			names:        []string{"other.org."},
 			qname:        "test.example.org.",
 			hasZone:      false,
+			shouldRefuse: true,
 		},
 	}
 
@@ -163,14 +168,18 @@ func TestAutoServeDNSZoneMatching(t *testing.T) {
 			rec := dnstest.NewRecorder(&test.ResponseWriter{})
 			ctx := context.Background()
 
-			_, err := a.ServeDNS(ctx, rec, m)
+			code, err := a.ServeDNS(ctx, rec, m)
 
 			if tt.hasZone {
 				if err != nil {
 					t.Errorf("Expected no error for zone match, got: %v", err)
 				}
 			} else {
-				if err == nil {
+				if tt.shouldRefuse {
+					if code != dns.RcodeRefused {
+						t.Errorf("Expected code %d, got %d", dns.RcodeRefused, code)
+					}
+				} else if err == nil {
 					t.Errorf("Expected error for no zone match, got nil")
 				}
 			}

plugin/file/file.go

@@ -42,6 +42,10 @@ func (f File) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (i
 	// TODO(miek): match the qname better in the map
 	zone := plugin.Zones(f.Zones.Names).Matches(qname)
 	if zone == "" {
+		// If no next plugin is configured, it's more correct to return REFUSED as file acts as an authoritative server
+		if f.Next == nil {
+			return dns.RcodeRefused, nil
+		}
 		return plugin.NextOrFailure(f.Name(), f.Next, ctx, w, r)
 	}
 

test/auto_test.go

@@ -32,8 +32,8 @@ func TestAuto(t *testing.T) {
 	if err != nil {
 		t.Fatal("Expected to receive reply, but didn't")
 	}
-	if resp.Rcode != dns.RcodeServerFailure {
+	if resp.Rcode != dns.RcodeRefused {
-		t.Fatalf("Expected reply to be a SERVFAIL, got %d", resp.Rcode)
+		t.Fatalf("Expected reply to be REFUSED, got %d", resp.Rcode)
 	}
 
 	// Write db.example.org to get example.org.
@@ -59,8 +59,8 @@ func TestAuto(t *testing.T) {
 	if err != nil {
 		t.Fatal("Expected to receive reply, but didn't")
 	}
-	if resp.Rcode != dns.RcodeServerFailure {
+	if resp.Rcode != dns.RcodeRefused {
-		t.Fatalf("Expected reply to be a SERVFAIL, got %d", resp.Rcode)
+		t.Fatalf("Expected reply to be REFUSED, got %d", resp.Rcode)
 	}
 }
 
@@ -93,8 +93,8 @@ func TestAutoNonExistentZone(t *testing.T) {
 	if err != nil {
 		t.Fatal("Expected to receive reply, but didn't")
 	}
-	if resp.Rcode != dns.RcodeServerFailure {
+	if resp.Rcode != dns.RcodeRefused {
-		t.Fatalf("Expected reply to be a SERVFAIL, got %d", resp.Rcode)
+		t.Fatalf("Expected reply to be REFUSED, got %d", resp.Rcode)
 	}
 }