Unbreak cloaking plugin

jedisct1 · jedisct1 · commit 68f3ab249cd6 · 2023-02-07T11:03:05.000+01:00
In version 2.1.3, when the cloaking pluging was enabled, a blocked
response was returned for records that were not A/AAAA/PTR, even
with names that were not in the cloaked list.
diff --git a/.ci/ci-test.sh b/.ci/ci-test.sh
@@ -67,6 +67,9 @@ t || dig -p${DNS_PORT} +dnssec www.darpa.mil @127.0.0.1 2>&1 | grep -Fvq 'RRSIG'
 
 section
 t || dig -p${DNS_PORT} +short cloaked.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
+t || dig -p${DNS_PORT} +short MX cloaked.com @127.0.0.1 | grep -Fq 'locally blocked' || fail
+t || dig -p${DNS_PORT} +short MX example.com @127.0.0.1 | grep -Fvq 'locally blocked' || fail
+t || dig -p${DNS_PORT} NS cloaked.com @127.0.0.1 | grep -Fiq 'gtld-servers.net' || fail
 t || dig -p${DNS_PORT} +short www.cloaked2.com @127.0.0.1 | grep -Eq '1.1.1.1|1.0.0.1' || fail
 t || dig -p${DNS_PORT} +short www.dnscrypt-test @127.0.0.1 | grep -Fq '192.168.100.100' || fail
 t || dig -p${DNS_PORT} a.www.dnscrypt-test @127.0.0.1 | grep -Fq 'NXDOMAIN' || fail
diff --git a/dnscrypt-proxy/plugin_cloak.go b/dnscrypt-proxy/plugin_cloak.go
@@ -136,12 +136,7 @@ func (plugin *PluginCloak) Reload() error {
 
 func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error {
 	question := msg.Question[0]
-	if question.Qclass != dns.ClassINET ||
-		(question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA && question.Qtype != dns.TypePTR) {
-		if question.Qclass != dns.ClassINET || (question.Qtype != dns.TypeNS || question.Qtype == dns.TypeSOA) {
-			pluginsState.action = PluginsActionReject
-			pluginsState.returnCode = PluginsReturnCodeCloak
-		}
+	if question.Qclass != dns.ClassINET || question.Qtype == dns.TypeNS || question.Qtype == dns.TypeSOA {
 		return nil
 	}
 	now := time.Now()
@@ -151,6 +146,12 @@ func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 		plugin.RUnlock()
 		return nil
 	}
+	if question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA && question.Qtype != dns.TypePTR {
+		plugin.RUnlock()
+		pluginsState.action = PluginsActionReject
+		pluginsState.returnCode = PluginsReturnCodeCloak
+		return nil
+	}
 	cloakedName := xcloakedName.(*CloakedName)
 	ttl, expired := plugin.ttl, false
 	if cloakedName.lastUpdate != nil {
