xref: /freebsd/contrib/unbound/contrib/drop-tld.diff (revision 0eefd307)

diff --git a/daemon/worker.c b/daemon/worker.c
index 263fcdd..f787b70 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1213,6 +1213,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
 		log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
 	}
+
+	if(worker->env.cfg->drop_tld) {
+		int lab = dname_count_labels(qinfo.qname);
+		if (lab == 2) {
+			comm_point_drop_reply(repinfo);
+			verbose(VERB_ALGO, "Dropping one label query.");
+			return 0;
+		}
+	}
 	if(qinfo.qtype == LDNS_RR_TYPE_AXFR ||
 		qinfo.qtype == LDNS_RR_TYPE_IXFR) {
 		verbose(VERB_ALGO, "worker request: refused zone transfer.");
diff --git a/util/config_file.h b/util/config_file.h
index b3ef930..2791541 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -274,6 +274,8 @@ struct config_file {
 	int prefetch_key;
 	/** deny queries of type ANY with an empty answer */
 	int deny_any;
+	/** Drop TLD queries from clients **/
+	int drop_tld;

 	/** chrootdir, if not "" or chroot will be done */
 	char* chrootdir;
diff --git a/util/configlexer.lex b/util/configlexer.lex
index a86ddf5..9bbedbb 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -299,6 +299,7 @@ private-domain{COLON}		{ YDVAR(1, VAR_PRIVATE_DOMAIN) }
 prefetch-key{COLON}		{ YDVAR(1, VAR_PREFETCH_KEY) }
 prefetch{COLON}			{ YDVAR(1, VAR_PREFETCH) }
 deny-any{COLON}			{ YDVAR(1, VAR_DENY_ANY) }
+drop-tld{COLON}			{ YDVAR(1, VAR_DROP_TLD) }
 stub-zone{COLON}		{ YDVAR(0, VAR_STUB_ZONE) }
 name{COLON}			{ YDVAR(1, VAR_NAME) }
 stub-addr{COLON}		{ YDVAR(1, VAR_STUB_ADDR) }
diff --git a/util/configparser.y b/util/configparser.y
index 10227a2..567d68e 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -164,6 +164,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_FAST_SERVER_PERMIL VAR_FAST_SERVER_NUM
 %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
 %token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
+%token VAR_DROP_TLD
 %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
 %token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
 %token VAR_TLS_SESSION_TICKET_KEYS
@@ -266,6 +267,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_tls_cert_bundle | server_tls_additional_port | server_low_rtt |
 	server_fast_server_permil | server_fast_server_num  | server_tls_win_cert |
 	server_tcp_connection_limit | server_log_servfail | server_deny_any |
+	server_drop_tld |
 	server_unknown_server_time_limit | server_log_tag_queryreply |
 	server_stream_wait_size | server_tls_ciphers |
 	server_tls_ciphersuites | server_tls_session_ticket_keys
@@ -1466,6 +1468,16 @@ server_deny_any: VAR_DENY_ANY STRING_ARG
 		free($2);
 	}
 	;
+
+server_drop_tld: VAR_DROP_TLD STRING_ARG
+	{
+		OUTYY(("P(server_drop_tld:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->drop_tld = (strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_unwanted_reply_threshold: VAR_UNWANTED_REPLY_THRESHOLD STRING_ARG
 	{
 		OUTYY(("P(server_unwanted_reply_threshold:%s)\n", $2));