Don't apply NS RPZs to forwarders

PowerDNS · Sep 20, 2024 · 8798773 · 8798773
1 parent 439913b
commit 8798773
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
@@ -3407,6 +3407,9 @@ bool SyncRes::nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& n
   */
   if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
     for (auto const& nameserver : nameservers) {
+      if (nameserver.first.empty()) {
+        continue;
+      }
       bool match = dfe.getProcessingPolicy(nameserver.first, d_discardedPolicies, d_appliedPolicy);
       if (match) {
         mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
@@ -5944,7 +5947,7 @@ int SyncRes::doResolveAt(NsSet& nameservers, DNSName auth, bool flawedNSSet, con
             LOG(", ");
           }
           LOG(remoteIP->toString());
-          if (nameserverIPBlockedByRPZ(luaconfsLocal->dfe, *remoteIP)) {
+          if (!tns->first.empty() && nameserverIPBlockedByRPZ(luaconfsLocal->dfe, *remoteIP)) {
             hitPolicy = true;
           }
         }