[PR #1513] [MERGED] on REFUSED response, fall back to other nameservers #2381

Closed
opened 2026-03-16 08:50:51 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/1513
Author: @peterthejohnston
Created: 6/24/2021
Status: Merged
Merged: 7/4/2021
Merged by: @bluejekyll

Base: main ← Head: fallback-on-refused


📝 Commits (6)

  • 23a4bf3 on refused, fall back to other nameservers
  • 52029ab combine match arms
  • 9959ca6 add integration test
  • e17a4eb make match exhaustive
  • 2a1201b combine match arms
  • cde3b31 Merge branch 'main' into fallback-on-refused

📊 Changes

3 files changed (+65 additions, -34 deletions)

📝 crates/resolver/src/config.rs (+1 -1)
📝 crates/resolver/src/error.rs (+29 -33)
📝 tests/integration-tests/tests/name_server_pool_tests.rs (+35 -0)

📄 Description

In using trust-dns-resolver as the DNS resolver for Fuchsia, we noticed that there are some authoritative DNS name servers that respond with a REFUSED response when they don't know the domain (e.g., it wasn't on an allowlist of hosts it'd respond to queries about).

We have a mitigation for this to our current version of trust-dns-resolver (0.19.2): https://fuchsia-review.googlesource.com/c/fuchsia/+/545423/17/third_party/rust_crates/vendor/trust-dns-resolver/src/name_server/name_server.rs

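I'd like to contribute a similar fix here, if you think it makes sense. The intention of this patch is essentially to add REFUSED to the list of "retryable" errors—errors that should not lead to a terminal query failure. I looked into the precedent for this and found this issue (https://github.com/bluejekyll/trust-dns/issues/606) where SERVFAIL being a terminal error led to failed queries (https://github.com/bluejekyll/trust-dns/issues/606#issuecomment-437379564) where the resolver should have continued on to other name servers. I also saw this TODO (https://github.com/bluejekyll/trust-dns/blob/c9523a86958345d54ff0eeb809194470cd16cae6/crates/resolver/src/name_server/name_server.rs#L144) which suggests it might be appropriate to consider continuing a query after a REFUSED response.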

I have a couple of questions:

  • Do you have any thoughts about this approach?
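  • If you think it makes sense to move forward with this PR, where can I add tests for this? Perhaps in name_server_pool_tests (https://github.com/bluejekyll/trust-dns/blob/c658222274090901c810742a1026701c1c094416/tests/integration-tests/tests/name_server_pool_tests.rs)?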

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
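
A simplified model of the fallback behaviour the description asks for, added here as an illustration; it is not code from hickory-dns, trust-dns-resolver or the Fuchsia patch. The `Rcode` subset, the server names, the `BEFORE`/`AFTER` policy sets and the choice to keep NXDOMAIN terminal are assumptions of the example.

```rust
// Added illustration: a simplified model, not hickory-dns / trust-dns code.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Rcode { NoError, ServFail, NxDomain, Refused }

#[derive(Debug, PartialEq)]
enum Outcome {
    Answer { server: &'static str },
    Failed { server: &'static str, rcode: Rcode },
}

// Assumed policy before the change: only SERVFAIL moves on to the next server.
const BEFORE: &[Rcode] = &[Rcode::ServFail];
// Assumed policy after the change: REFUSED is retryable as well.
const AFTER: &[Rcode] = &[Rcode::ServFail, Rcode::Refused];

/// Try each name server in order. A response code listed in `retryable`
/// moves on to the next server; any other error code ends the query there.
/// If every server returns a retryable error, the last one is reported.
fn resolve(servers: &[(&'static str, Rcode)], retryable: &[Rcode]) -> Option<Outcome> {
    let mut last = None;
    for &(server, rcode) in servers {
        match rcode {
            Rcode::NoError => return Some(Outcome::Answer { server }),
            rc if retryable.contains(&rc) => {
                last = Some(Outcome::Failed { server, rcode: rc });
            }
            rc => return Some(Outcome::Failed { server, rcode: rc }),
        }
    }
    last // None only when the pool is empty
}

// Constructed pool: the first server refuses names outside its allowlist,
// the second one can answer.
fn constructed_pool() -> Vec<(&'static str, Rcode)> {
    vec![("ns-allowlist", Rcode::Refused), ("ns-public", Rcode::NoError)]
}

fn main() {
    let pool = constructed_pool();
    println!("before: {:?}", resolve(&pool, BEFORE));
    println!("after:  {:?}", resolve(&pool, AFTER));
    // Assumption of this model: NXDOMAIN stays terminal under both policies.
    let nx = [("ns-a", Rcode::NxDomain), ("ns-b", Rcode::NoError)];
    println!("nxdomain: {:?}", resolve(&nx, AFTER));
}
```

When every server in the pool refuses, the query still fails and reports the last REFUSED, so the fallback does not hide a name that is refused everywhere.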
