From bdf58b47c3ef599a188c7c19a30d98de6d88da23 Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin
Date: Wed, 27 Sep 2023 19:39:52 +0100
Subject: [PATCH] resolved: never respond to .alt pseudo-TLD. From RFC 9476: Because names beneath .alt are in an alternative namespace, they have no significance in the regular DNS context. DNS stub and recursive resolvers do not need to look them up in the DNS context. See: https://datatracker.ietf.org/doc/html/rfc9476#name-the-alt-namespace
---
 src/shared/dns-domain.c | 4 ++++
 test/units/testsuite-75.sh | 1 +
 2 files changed, 5 insertions(+)
diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c
index 7a2c5d60f4..60560654bd 100644
--- a/src/shared/dns-domain.c
+++ b/src/shared/dns-domain.c
@@ -1413,5 +1413,9 @@ bool dns_name_dont_resolve(const char *name) {
 if (dns_name_endswith(name, "invalid") > 0)
 return true;
+ /* Never respond to some of the domains listed in RFC9476 */
+ if (dns_name_endswith(name, "alt") > 0)
+ return true;
+
 return false;
 }
diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh
index dbcb53d72b..e039e4ebc2 100755
--- a/test/units/testsuite-75.sh
+++ b/test/units/testsuite-75.sh
@@ -317,6 +317,7 @@ FILTERED_NAMES=(
 "255.255.255.255.in-addr.arpa"
 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
 "hello.invalid"
+ "hello.alt"
 )
 for name in "${FILTERED_NAMES[@]}"; do
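Review bot: The new comment in dns_name_dont_resolve() says "some of the domains listed in RFC9476", but the check below it covers exactly one name, the `alt` pseudo-TLD, and it gives no reason for refusing the lookup. I would write `/* Never resolve names below the .alt pseudo-TLD (RFC 9476): they belong to non-DNS namespaces, so forwarding them would only leak the queried name to upstream servers */`. As in the `invalid` check above it, any result from dns_name_endswith() that is not `> 0` falls through to `return false`, so if that helper can report an error (presumably as a negative value) the name is treated as resolvable; worth confirming that fail-open behaviour is intended. The function starts outside the hunk, so earlier checks are not visible here. The test hunk adds only `hello.alt`; a bare `alt` entry and a mixed-case one such as `hello.ALT` would also pin the label-boundary and case handling, assuming the loop that follows treats every entry the same way.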