Make saving IP and CNAMEs more defensive

safing · Nov 12, 2024 · f4b96e1 · f4b96e1
1 parent 07acb9b
commit f4b96e1
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/service/firewall/dns.go b/service/firewall/dns.go
@@ -302,11 +302,11 @@ func UpdateIPsAndCNAMEs(q *resolver.Query, rrCache *resolver.RRCache, conn *netw
 			Expires:           rrCache.Expires,
 		}
 
-		// Resolve all CNAMEs in the correct order and add the to the record.
+		// Resolve all CNAMEs in the correct order and add the to the record - up to max 50 layers.
 		domain := q.FQDN
-		for {
+		for range 50 {
 			nextDomain, isCNAME := cnames[domain]
-			if !isCNAME {
+			if !isCNAME || nextDomain == domain {
 				break
 			}
 

diff --git a/service/nameserver/nameserver.go b/service/nameserver/nameserver.go
@@ -224,8 +224,8 @@ func handleRequest(ctx context.Context, w dns.ResponseWriter, request *dns.Msg)
 			}
 
 			// Save the request as open, as we don't know if there will be a connection or not.
-			network.SaveOpenDNSRequest(q, rrCache, conn)
 			firewall.UpdateIPsAndCNAMEs(q, rrCache, conn)
+			network.SaveOpenDNSRequest(q, rrCache, conn)
 
 		case network.VerdictUndeterminable:
 			fallthrough