NXDOMAIN responses from servers forwarded to are not being honored

[DL444]

Context

I'm using the forwarding feature to delegate all DNS queries for a dedicated internal-use domain (that I registered, but for this discussion let's say it's example.com) to a group of internal DNS servers. All other queries are being resolved by dnscrypt-proxy over the public Internet.

Problem

Since version 2.1.6, NXDOMAIN responses from internal DNS servers to queries for non-existent hosts and subdomains are no longer being honored by dnscrypt-proxy. The names will then be resolved over the Internet, leaking the queries and potentially yielding different results.

Reproduction

1. Prepare three test machines, all connected to the same network:
   • One for dnscrypt-proxy (10.0.0.1)
   • One for the internal DNS server to forward to (10.0.0.2)
   • One for the client (10.0.0.3)
2. Configure dnscrypt-proxy as follows (omitted settings are left as default):

# dnscrypt-proxy.toml
listen_addresses = ['[::]:53']
forwarding_rules = 'forwarding-rules.txt'

# forwarding-rules.txt
example.com 10.0.0.2

3. Configure the internal DNS server for zone example.com and define no records.
4. Configure the client to send DNS queries to dnscrypt-proxy (10.0.0.1).
5. Optimally, use Wireshark on the client to capture DNS responses returned by dnscrypt-proxy.
6. Use nslookup to query for a hostname that exists on the Internet, but not on the internal DNS server. For example, A www.example.com.
7. Observe that for versions up to and including 2.1.5, dnscrypt-proxy returns NXDOMAIN response as expected. But since 2.1.6, dnscrypt-proxy instead returns host IPs resolved from the Internet.

Analysis

The issue was introduced by eda26b4 where $DHCP and $BOOTSTRAP keywords were added. Specifically at plugin_forward.go:327:

if len(sequence) > 0 {
    switch respMsg.Rcode {
    case dns.RcodeNameError, dns.RcodeRefused, dns.RcodeNotAuth:
        continue
    }
}

dns.RcodeNameError was designated as one of the cases where the responses from forwarded DNS servers are discarded. In my opinion NXDOMAIN responses should NOT be discarded since they represent deterministic and authoritative answers.

Additionally, I believe the entire concept of post-factum resolution of queries matching forwarding rules over the Internet is questionable. It leaks internal queries to the external world, and breaks the documented promise that "suffix-matching is always done".

Proposed Fix

Minimally:

  if len(sequence) > 0 {
      switch respMsg.Rcode {
-     case dns.RcodeNameError, dns.RcodeRefused, dns.RcodeNotAuth:
+     case dns.RcodeRefused, dns.RcodeNotAuth:
          continue
      }
  }

Or more systematically, prevent queries matching forwarding rules from being subsequently resolved over the Internet. Instead, return whatever responses or errors the servers forwarded to might yield.

[jedisct1]

Fixed in a143fb0