authorOto Šťáva <oto.stava@nic.cz>2022-02-08 13:46:15 +0100
committerVladimír Čunát <vladimir.cunat@nic.cz>2022-02-28 11:45:48 +0100
commit334ee4f48a65a68fdd1a1128f188cf23f7c8e82b (patch)
treeded0bd31931f410cf8488ebad0d144c893772d27 /modules
parentMerge !1238: Support for PROXYv2 protocol (diff)
lib/resolve, modules: NO_ANSWER for not responding to clients
Diffstat (limited to 'modules')
-rw-r--r--modules/policy/README.rst11
-rw-r--r--modules/policy/policy.lua6
2 files changed, 17 insertions, 0 deletions
diff --git a/modules/policy/README.rst b/modules/policy/README.rst
index 10131625..d8f95d84 100644
--- a/modules/policy/README.rst
+++ b/modules/policy/README.rst
@@ -144,6 +144,17 @@ Following actions stop the policy matching on the query, i.e. other rules are no
Terminate query resolution and return REFUSED to the requestor.
+.. py:attribute:: NO_ANSWER
+
+ Terminate query resolution and do not return any answer to the requestor.
+
+ .. warning:: During normal operation, an answer should always be returned.
+ Deliberate query drops are indistinguishable from packet loss and may
+ cause problems as described in :rfc:`8906`. Only use :any:`NO_ANSWER`
+ on very specific occasions, e.g. as a defense mechanism during an attack,
+ and prefer other actions (e.g. :any:`DROP` or :any:`REFUSE`) for normal
+ operation.
+
.. py:attribute:: TC
Force requestor to use TCP. It sets truncated bit (*TC*) in response to true if the request came through UDP, which will force standard-compliant clients to retry the request over TCP.
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index f17129bf..55a8de3c 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -823,6 +823,12 @@ function policy.DROP(_, req)
return kres.FAIL
end
+function policy.NO_ANSWER(_, req)
+ req.options.NO_ANSWER = true
+ log_policy_action(req, 'NO_ANSWER')
+ return kres.FAIL
+end
+
function policy.REFUSE(_, req)
local answer = answer_clear(req)
if answer == nil then return nil end
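Review bot: `policy.NO_ANSWER` is added without any comment, and since it returns `kres.FAIL` just like the tail of `policy.DROP` above it, nothing in policy.lua tells a reader that the only thing making the reply disappear is the flag on `req.options`. I would put a short comment above the function, e.g. `-- Send no reply at all: only sets the flag; the suppression happens where req.options.NO_ANSWER is consumed (presumably lib/resolve, per the commit title).` Because the README presents this action as an attack-time defence, it is also worth confirming that `log_policy_action` stays cheap when it runs once per dropped query under a flood; that cannot be judged from this hunk. The diffstat for modules lists only the README and policy.lua, so a policy test asserting that no answer is produced would be a useful follow-up.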