pending-dns 1.2.5 → 1.4.0

package/lib/dns-handler.js

@@ -3,24 +3,32 @@
 const config = require('wild-config');
 const dns2 = require('dns2');
 const punycode = require('punycode/');
-const { zoneStore } = require('./zone-store');
+const { zoneStore, tlsaFromValue } = require('./zone-store');
 const cachedResolver = require('./cached-resolver');
 const ipaddr = require('ipaddr.js');
 const logger = require('./logger').child({ component: 'dns-handler' });
 const { normalizeDomain } = require('./tools');
-const { v4: uuidv4 } = require('uuid');
+const { randomUUID } = require('crypto');
+const wire = require('./dnssec-wire');
+const dnssec = require('./dnssec');
 
-// Split long string values into character chunks
+// Split a TXT value into DNS character-strings (max 255 bytes each).
+// Always returns an array, which is what the dns2 packet builder expects.
 const formatTXTData = data => {
     data = (data || '').toString();
-    if (data.length < 128) {
-        return data;
+    if (!data.length) {
+        return [''];
     }
-    return Array.from(data.match(/.{1,84}/g));
+    return Array.from(data.match(/.{1,255}/g));
 };
 
+// dns2's Packet.TYPE is missing several DNSSEC/DANE types (TLSA, RRSIG, NSEC,
+// DS, ...). Merge those in so we can recognize such queries and serialize the
+// answers via dns2's raw-RDATA fallback.
+const typeToNumber = Object.assign({}, wire.EXTRA_TYPES, dns2.Packet.TYPE);
+
 // Helps to convert DNS type integer into a string (0x01 -> 'A')
-const reversedTypes = new Map(Object.keys(dns2.Packet.TYPE).map(key => [dns2.Packet.TYPE[key], key]));
+const reversedTypes = new Map(Object.keys(typeToNumber).map(key => [typeToNumber[key], key]));
 
 const shuffle = array => {
     let currentIndex = array.length,
@@ -57,6 +65,30 @@ const filterUnhealthy = list => {
     return list.filter(entry => !entry.health || entry.health.status === true);
 };
 
+// SOA MNAME (primary) - first configured nameserver, with safe fallbacks so an
+// empty [[ns]] config cannot throw on the synthesis / signing paths.
+const soaPrimary = () => (config.ns && config.ns.length && config.ns[0].domain) || config.soa.admin || 'localhost';
+
+// Single SOA record builder shared by the processQuestion synthesis and the
+// DNSSEC authority-section record, so the two cannot drift apart. `extra` lets
+// the authority variant set a numeric type/class/ttl; the synthesized answer
+// keeps the string type and is normalized later.
+const buildSoaRecord = (name, extra) =>
+    Object.assign(
+        {
+            name,
+            type: 'SOA',
+            primary: soaPrimary(),
+            admin: config.soa.admin,
+            serial: config.soa.serial,
+            refresh: config.soa.refresh,
+            retry: config.soa.retry,
+            expiration: config.soa.expiration,
+            minimum: config.soa.minimum
+        },
+        extra || {}
+    );
+
 const processQuestion = async (response, question, domain, depth) => {
     depth = depth || 0;
     domain = normalizeDomain(domain || question.name);
@@ -91,7 +123,7 @@ const processQuestion = async (response, question, domain, depth) => {
                 if (records && records.length > 1) {
                     switch (type) {
                         case 'A':
-                        case 'AAAAA':
+                        case 'AAAA':
                             // randomize A/AAAA records
                             records = shuffle(filterUnhealthy(records));
                             break;
@@ -110,17 +142,32 @@ const processQuestion = async (response, question, domain, depth) => {
 
     if (!dnsEntries || !dnsEntries.length) {
         if (questionTypeStr === 'NS') {
-            for (let ns of config.ns) {
-                let entry = {
-                    name: domain,
-                    type: 'NS',
-                    ns: ns.domain
-                };
-                response.answers.push(entry);
+            // Only synthesize fallback NS at the zone apex (or for names outside any
+            // served zone, preserving the legacy answer-for-anything behavior). A
+            // below-apex NS-without-SOA is the RFC 4034 4.1.3 insecure-delegation
+            // signal; served unsigned it makes a DO query bogus, so leave it empty
+            // there and let signResponse turn it into a signed NODATA (SOA+NSEC).
+            // This intentionally changes the old answer-for-anything behavior for
+            // ALL clients (not just DO ones): a record-less below-apex NS query now
+            // returns empty NOERROR rather than the configured nameservers. That is
+            // the DNSSEC-correct choice and is kept uniform to avoid DO/non-DO skew.
+            // resolveDomainZone returns the Unicode form, directly comparable to the
+            // already-normalized `domain`. The lookup is only reached on a
+            // record-less NS query, so the extra Redis walk is rare.
+            let zone = await zoneStore.resolveDomainZone(domain);
+            if (!zone || zone === domain) {
+                for (let ns of config.ns || []) {
+                    let entry = {
+                        name: domain,
+                        type: 'NS',
+                        ns: ns.domain
+                    };
+                    response.answers.push(entry);
+                }
             }
         }
 
-        for (let ns of config.ns) {
+        for (let ns of config.ns || []) {
             if (questionTypeStr === 'A' && domain === ns.domain) {
                 let entry = {
                     name: domain,
@@ -150,18 +197,7 @@ const processQuestion = async (response, question, domain, depth) => {
         }
 
         if (questionTypeStr === 'SOA') {
-            let entry = {
-                name: domain,
-                type: 'SOA',
-                primary: config.ns[0].domain,
-                admin: config.soa.admin,
-                serial: config.soa.serial,
-                refresh: config.soa.refresh,
-                retry: config.soa.retry,
-                expiration: config.soa.expiration,
-                minimum: config.soa.minimum
-            };
-            response.answers.push(entry);
+            response.answers.push(buildSoaRecord(domain));
         }
 
         // Chaos responses
@@ -275,7 +311,8 @@ const processQuestion = async (response, question, domain, depth) => {
                 try {
                     entry.address = ipaddr.parse(value[0]).toNormalizedString();
                 } catch (err) {
-                    return;
+                    // skip just this malformed record, keep processing the rest
+                    continue;
                 }
                 break;
 
@@ -338,6 +375,17 @@ const processQuestion = async (response, question, domain, depth) => {
                 entry.flags = (value[2] && Number(value[2])) || 0;
                 break;
 
+            case 'TLSA':
+                // dns2 has no TLSA encoder; emit pre-built raw RDATA (RFC 6698).
+                try {
+                    entry.data = wire.encodeTLSARdata(tlsaFromValue(value));
+                } catch (err) {
+                    // skip a malformed stored TLSA record, keep processing the rest
+                    logger.error({ msg: 'Skipping malformed TLSA record', id: response._id, domain: dnsEntry.domain, err });
+                    continue;
+                }
+                break;
+
             default:
                 // skip unknown types
                 entry = false;
@@ -348,6 +396,11 @@ const processQuestion = async (response, question, domain, depth) => {
             continue;
         }
 
+        if (dnsEntry.wildcard) {
+            // carried for DNSSEC signing (RRSIG labels); ignored by the dns2 encoder
+            entry.wildcard = dnsEntry.wildcard;
+        }
+
         response.answers.push(entry);
 
         if (depth < 10 && dnsEntry.type === 'CNAME' && questionTypeStr !== 'CNAME') {
@@ -357,10 +410,259 @@ const processQuestion = async (response, question, domain, depth) => {
     }
 };
 
-const dnsHandler = async request => {
+// --- DNSSEC online signing -------------------------------------------------
+
+const numericType = t => (typeof t === 'number' ? t : typeToNumber[t]);
+
+// NSEC type bitmap (numeric types) for a name. `excludeTypeNum` (optional) is the
+// numeric type this proof denies and must never be listed (see the final filter).
+// The apex additionally serves NS/SOA/DNSKEY; RRSIG+NSEC always cover a signed name.
+const bitmapTypeNums = (existing, isApex, excludeTypeNum) => {
+    const hosts = (config.public && config.public.hosts) || {};
+    const names = new Set();
+    for (const type of existing) {
+        if (type === 'URL') {
+            // A URL record answers A/AAAA only from config.public.hosts. List a
+            // family only when it is actually configured (hence answerable):
+            // advertising AAAA while public.hosts.AAAA is empty would contradict
+            // the NODATA the server returns for AAAA at a URL name and make a
+            // validating resolver treat the answer as bogus (SERVFAIL).
+            if (hosts.A && hosts.A.length) {
+                names.add('A');
+            }
+            if (hosts.AAAA && hosts.AAAA.length) {
+                names.add('AAAA');
+            }
+        } else if (type === 'ANAME') {
+            // ANAME answerable families are dynamic (live resolution of the target),
+            // so list both; excludeTypeNum drops whichever one this query proved
+            // absent so the proof can never contradict the answer.
+            names.add('A');
+            names.add('AAAA');
+        } else {
+            // Stored types pass through, including a real below-apex NS: that is a
+            // genuine delegation and is correctly listed. Only the *synthesized*
+            // apex NS is added in the isApex block below.
+            names.add(type);
+        }
+    }
+    // The server synthesizes CAA and SOA for ANY name, so every signed name
+    // effectively has them; list them so aggressive NSEC (RFC 8198) does not
+    // synthesize a NODATA that suppresses those answers. SOA alone (without NS)
+    // does not imply a zone cut, so it is safe at non-apex names. Synthesized NS is
+    // withheld below the apex on purpose: an NS-without-SOA is the RFC 4034 4.1.3
+    // insecure-delegation signal and would mislead a validator into treating the
+    // name as a delegation point.
+    names.add('SOA');
+    names.add('CAA');
+    names.add('RRSIG');
+    names.add('NSEC');
+    if (isApex) {
+        names.add('NS');
+        names.add('DNSKEY');
+    }
+    // Never list the type this proof denies. In the NODATA branch the queried type
+    // produced no answer; in the wildcard branch the answer came from the wildcard
+    // owner (the RRSIG Labels field signals the expansion). Listing it at the exact
+    // name would make the proof self-contradictory and validators would reject it.
+    return [...names].map(numericType).filter(n => typeof n === 'number' && n !== excludeTypeNum);
+};
+
+const soaAuthorityRecord = zone => buildSoaRecord(zone, { type: dns2.Packet.TYPE.SOA, class: dns2.Packet.CLASS.IN, ttl: config.soa.minimum });
+
+// Compact "black lie" NSEC: owner = the queried name, next name sorts directly
+// after it (\000.<name>) so the record covers only this name and cannot be used
+// to deny any other (safe for aggressive NSEC caching).
+const nsecRecord = (owner, typeNums, ttl) => ({
+    name: owner,
+    type: wire.TYPE.NSEC,
+    class: dns2.Packet.CLASS.IN,
+    ttl,
+    data: wire.encodeNSECRdata(`\x00.${owner}`, typeNums)
+});
+
+// A question is positively answered when the answer section holds a record of
+// the queried type (or a CNAME) AT THE QUERIED NAME. Scoping to `qname` keeps a
+// multi-question packet from letting one question's answer mask another's
+// missing answer (which would suppress the latter's denial proof).
+const hasPositiveAnswer = (response, question, qname) =>
+    // For ANY, "positive" means any (non-RRSIG) record exists at the name - there is
+    // no record whose type literally equals ANY. With no record present the query is
+    // a true NODATA and must still get a signed denial, so do not short-circuit.
+    question.type === dns2.Packet.TYPE.ANY
+        ? response.answers.some(rr => rr.name === qname && rr.type !== wire.TYPE.RRSIG)
+        : response.answers.some(rr => rr.name === qname && (rr.type === question.type || rr.type === dns2.Packet.TYPE.CNAME));
+
+// Sign every in-zone RRset in a section, appending the RRSIG records. Returns
+// true if anything was signed.
+const signSection = async (section, zoneFor, signerFor) => {
+    const groups = new Map();
+    for (let rr of section) {
+        if (rr.type === wire.TYPE.RRSIG) {
+            continue; // never sign RRSIGs
+        }
+        let key = `${rr.name}\x00${rr.type}`;
+        if (!groups.has(key)) {
+            groups.set(key, []);
+        }
+        groups.get(key).push(rr);
+    }
+
+    let rrsigs = [];
+    for (let rrs of groups.values()) {
+        let owner = rrs[0].name;
+        let zone = await zoneFor(owner); // A-label form (canonicalized in zoneFor)
+        if (!zone) {
+            continue;
+        }
+        // Never sign a delegation NS RRset: an NS below the apex marks a zone cut
+        // and is non-authoritative referral data the parent must not sign
+        // (RFC 4035 2.2). Apex NS (owner === zone) is authoritative and is signed.
+        if (rrs[0].type === wire.TYPE.NS && owner !== zone) {
+            continue;
+        }
+        let signer = await signerFor(zone);
+        if (!signer) {
+            continue;
+        }
+        // For a wildcard expansion the signature is computed over the wildcard
+        // owner (`*.zone`, canonical A-label form), not the expanded wire name, so
+        // a validator can reconstruct it (RFC 4035 5.3.2). signRRset returns one
+        // RRSIG per signing key (one per algorithm in the zone).
+        let wildcard = rrs.find(rr => rr.wildcard);
+        let signingOwner = wildcard ? punycode.toASCII(wildcard.wildcard) : owner;
+        rrsigs.push(...dnssec.signRRset(signer, owner, signingOwner, rrs[0].type, rrs[0].ttl, rrs));
+    }
+
+    for (let sig of rrsigs) {
+        section.push(sig);
+    }
+    return rrsigs.length > 0;
+};
+
+// Add DNSKEY answers, denial-of-existence proofs, and RRSIGs to a response that
+// is already normalized. Only invoked when the client set the DO bit.
+const signResponse = async (request, response) => {
+    // NSEC / negative-cache TTL tracks the SOA MINIMUM so the denial proof and
+    // the negative answer expire together in caches (RFC 2308). typeof guard so a
+    // configured SOA minimum of 0 is honored rather than falling back to 300.
+    const soaMinimum = config.soa && config.soa.minimum;
+    const nsecTtl = typeof soaMinimum === 'number' ? soaMinimum : 300;
+
+    // Emit at most one SOA per zone and one NSEC per owner across all questions: a
+    // multi-question packet must not produce duplicate - or, in the wildcard case,
+    // contradictory - denial records that signSection would then group and sign as
+    // one inconsistent RRset. First-wins is correct: an owner has exactly one NSEC
+    // RRset, and either question's bitmap is a valid black-lie for that owner (do
+    // not merge bitmaps - folding a wildcard-answered type back in would make the
+    // wildcard proof bogus).
+    //
+    // Residual (intentional, do not "fix"): with QDCOUNT >= 2 for the same owner,
+    // only the first question's denied type is excluded from the shared NSEC, so a
+    // second same-owner NODATA of a different type could leave that type listed.
+    // Multi-question packets are effectively never sent in practice, and the
+    // single-question path (the norm) is fully covered by the excludeTypeNum below.
+    const soaDone = new Set();
+    const nsecDone = new Set();
+    const addSoaOnce = zone => {
+        if (!soaDone.has(zone)) {
+            soaDone.add(zone);
+            response.authorities.push(soaAuthorityRecord(zone));
+        }
+    };
+    const pushNsec = (owner, types, isApex, excludeTypeNum) => {
+        if (nsecDone.has(owner)) {
+            return;
+        }
+        nsecDone.add(owner);
+        response.authorities.push(nsecRecord(owner, bitmapTypeNums(types, isApex, excludeTypeNum), nsecTtl));
+    };
+
+    // Memoize the two per-zone lookups across the question loop and both
+    // signing passes: resolveDomainZone walks the label hierarchy (several
+    // Redis round-trips) and getSigner reads + parses the zone keys.
+    const zoneCache = new Map();
+    const zoneFor = async name => {
+        if (!zoneCache.has(name)) {
+            let zone = await zoneStore.resolveDomainZone(name);
+            // Canonicalize to the A-label form once here. resolveDomainZone returns
+            // the Unicode form (lib/certs.js relies on that), but every DNSSEC
+            // consumer - the apex test, the SOA/signer name, the signerFor cache
+            // key - needs punycode, so normalize at the cache boundary.
+            zoneCache.set(name, zone ? punycode.toASCII(zone) : zone);
+        }
+        return zoneCache.get(name);
+    };
+
+    const signerCache = new Map();
+    const signerFor = async zone => {
+        if (!signerCache.has(zone)) {
+            signerCache.set(zone, await dnssec.getSigner(zone));
+        }
+        return signerCache.get(zone);
+    };
+
+    for (let question of request.questions) {
+        let qname = punycode.toASCII(normalizeDomain(question.name));
+        let zone = await zoneFor(qname); // A-label form (canonicalized in zoneFor)
+        if (!zone) {
+            continue;
+        }
+        let signer = await signerFor(zone);
+        if (!signer) {
+            continue;
+        }
+
+        // DNSKEY at the apex: serve and self-sign the key set. Records arrive
+        // ready to sign; only the post-normalization fields need finishing.
+        // By design DNSKEY answers are produced only here, on the DO path: this is
+        // an online signer, so a non-DO client gets the same empty NOERROR it would
+        // for any signing-only type (a validator always sets DO before asking).
+        if (question.type === wire.TYPE.DNSKEY && qname === zone) {
+            for (let rr of dnssec.buildDnskeyRecords(signer)) {
+                rr.type = wire.TYPE.DNSKEY;
+                rr.name = punycode.toASCII(rr.name);
+                response.answers.push(rr);
+            }
+        }
+
+        let wildcardAnswer = response.answers.find(rr => rr.wildcard && rr.name === qname);
+
+        if (!hasPositiveAnswer(response, question, qname)) {
+            // NODATA, always NOERROR ("black lies"). Because the server
+            // synthesizes CAA/NS/SOA for every name, no name is truly nonexistent,
+            // so NXDOMAIN would be incorrect; prove the absence of the queried
+            // type with SOA + a compact NSEC at the queried name. Below the apex,
+            // fold in the types a single-level wildcard could answer so an RFC 8198
+            // aggressive-NSEC resolver cannot cache this NSEC and synthesize a
+            // NODATA that suppresses the wildcard.
+            addSoaOnce(zone);
+            pushNsec(qname, await zoneStore.existingTypes(qname, qname !== zone), qname === zone, question.type);
+        } else if (wildcardAnswer) {
+            // Wildcard expansion: prove the exact name had no direct match. This
+            // NSEC MUST list only the exact-name types, never the wildcard-supplied
+            // type - the RRSIG Labels field signals the expansion, and listing the
+            // answered type here would make the wildcard proof bogus. Residual
+            // (inherent to compact black-lies online signing): an aggressive-NSEC
+            // resolver caching this NSEC may suppress a later same-name/same-type
+            // query; the minimally-covering next-name (\x00.<owner>) bounds it to
+            // this exact name. Matches Cloudflare/Knot/PowerDNS online signers.
+            pushNsec(qname, await zoneStore.existingTypes(qname), false, question.type);
+        }
+    }
+
+    await signSection(response.answers, zoneFor, signerFor);
+    await signSection(response.authorities, zoneFor, signerFor);
+
+    // The AD bit is intentionally not set: it is a validating-resolver signal
+    // (RFC 6840 5.7), not something an authoritative server asserts.
+};
+
+const dnsHandler = async (request, edns) => {
+    edns = edns || { hasOpt: false, doFlag: false };
     let startTime = Date.now();
     const response = new dns2.Packet(request);
-    request._id = response._id = uuidv4();
+    request._id = response._id = randomUUID();
 
     response.header.qr = 1;
     response.header.aa = 1;
@@ -393,14 +695,42 @@ const dnsHandler = async request => {
     // normalize answers for the DNS library
     for (let responseType of [response.answers, response.authorities]) {
         responseType.forEach(answer => {
-            answer.type = dns2.Packet.TYPE[answer.type];
+            // numericType (via typeToNumber) also covers TLSA/RRSIG/NSEC/DS, which
+            // dns2.Packet.TYPE does not know about and would normalize to undefined.
+            answer.type = numericType(answer.type);
             answer.class = typeof answer.class === 'number' ? answer.class : dns2.Packet.CLASS.IN;
             answer.name = punycode.toASCII(answer.name);
             answer.ttl = typeof answer.ttl === 'number' && answer.ttl >= 0 ? answer.ttl : config.dns.ttl;
         });
     }
 
+    // DNSSEC: only when signing is globally enabled, the client signalled
+    // support (DO bit), and the zone is signed (the per-zone gate is in
+    // getSigner). Clients that do not set DO get unsigned answers. (Non-EDNS UDP
+    // responses over 512 bytes are truncated with TC=1 per RFC 1035 - see
+    // finalizeResponse in dns-server.js - so they are not byte-identical to the
+    // pre-DNSSEC server for large answers.)
+    if (edns.doFlag && config.dnssec && config.dnssec.enabled) {
+        // Never let a signing failure drop the whole response: dns-server's send
+        // error path returns nothing, so an uncaught throw here would time the
+        // client out. On error, restore the pre-signing (unsigned but consistent)
+        // sections and return them - a validator treats the unsigned reply as
+        // bogus/insecure, which is strictly better than no answer at all.
+        const savedAnswers = response.answers.slice();
+        const savedAuthorities = response.authorities.slice();
+        try {
+            await signResponse(request, response);
+        } catch (err) {
+            logger.error({ msg: 'Failed to sign DNS response', id: request._id, err });
+            response.answers = savedAnswers;
+            response.authorities = savedAuthorities;
+        }
+    }
+
     return response;
 };
 
 module.exports = dnsHandler;
+
+// Exposed for unit testing
+module.exports.testables = { formatTXTData, shuffle, filterUnhealthy, reversedTypes, processQuestion, signResponse, bitmapTypeNums };

package/lib/dns-server.js

@@ -7,68 +7,145 @@ const logger = require('./logger').child({ component: 'dns-server' });
 const { createDNSTcpServer } = require('./dns-tcp-server');
 const { createDNSUdpServer } = require('./dns-udp-server');
 
-const SUSPENDED_TYPES = new Set([
-    0x29 // EDNS is supported by the dns module
-]);
+const EDNS = dns2.Packet.TYPE.EDNS; // 0x29 / 41
 
-const SUPPORTED_TYPES = new Set(
-    Object.keys(dns2.Packet.TYPE)
-        .map(key => dns2.Packet.TYPE[key])
-        .filter(val => typeof val === 'number' && !SUSPENDED_TYPES.has(val))
-);
+// EDNS UDP payload size bounds. Anything a requestor advertises is clamped into
+// this range; the floor is the pre-EDNS 512 minimum.
+const MIN_UDP_PAYLOAD = 512;
+const MAX_UDP_PAYLOAD = 4096;
+
+const ourUdpPayloadSize = () => (config.dnssec && config.dnssec.udpPayloadSize) || 1232;
+
+// Extract the EDNS context from a request: whether an OPT was present, the DO
+// (DNSSEC OK) bit, and the requestor's advertised UDP payload size. dns2 has
+// already decoded doFlag and stored the payload size in `class`.
+const parseEdns = request => {
+    const opt = request.additionals && request.additionals.find(record => record && record.type === EDNS);
+    return {
+        hasOpt: !!opt,
+        doFlag: !!(opt && opt.doFlag),
+        udpPayloadSize: opt ? opt.class : MIN_UDP_PAYLOAD
+    };
+};
+
+const buildOpt = doFlag =>
+    // eslint-disable-next-line new-cap
+    dns2.Packet.Resource.EDNS([], {
+        udpPayloadSize: ourUdpPayloadSize(),
+        doFlag,
+        version: 0
+    });
+
+// The additional section we emit: our own OPT for EDNS queries, nothing
+// otherwise (responses to EDNS queries must carry an OPT - RFC 6891).
+const optSection = edns => (edns.hasOpt ? [buildOpt(edns.doFlag)] : []);
+
+// Strip a packet to header + question + OPT and set TC, so the resolver retries
+// over TCP. A partial answer would be a protocol error.
+const truncate = (packet, edns) => {
+    packet.header.tc = 1;
+    packet.answers = [];
+    packet.authorities = [];
+    packet.additionals = optSection(edns);
+    return packet;
+};
+
+// Finalize a response before sending: replace the additional section with our
+// own OPT, and for UDP truncate to the negotiated size. Returns a Buffer
+// (already serialized) or a Packet; both are accepted by send.
+const finalizeResponse = (response, edns, proto) => {
+    // The response object is the same instance as the request (dns2.Packet
+    // returns its argument), so the inbound OPT and any request additionals
+    // leak in here - replace the section outright rather than appending.
+    response.additionals = optSection(edns);
+
+    if (proto !== 'udp') {
+        // TCP carries arbitrarily large messages; never truncate.
+        return response;
+    }
+
+    // Cap the datagram at the smaller of (the requestor's advertised size, clamped
+    // to [512, 4096]) and our own configured size (default 1232, chosen to avoid IP
+    // fragmentation). Honoring our cap regardless of what the resolver advertises is
+    // the point: a 4096-advertising resolver must still get TC=1 above 1232 rather
+    // than a fragmenting datagram that middleboxes drop.
+    const requestorMax = Math.min(Math.max(edns.udpPayloadSize || MIN_UDP_PAYLOAD, MIN_UDP_PAYLOAD), MAX_UDP_PAYLOAD);
+    const negotiated = Math.min(requestorMax, ourUdpPayloadSize());
+    const buffer = response.toBuffer();
+    if (buffer.length <= negotiated) {
+        return buffer;
+    }
+    // Too large for UDP: truncate to header+question+OPT (TC=1) and serialize the
+    // small packet here, so the UDP path always returns a ready Buffer and send
+    // never re-serializes.
+    return truncate(response, edns).toBuffer();
+};
+
+// Last-resort truncation if the socket itself rejects an oversized datagram.
+const truncatedResponse = (request, edns) => {
+    request.header.qr = 1;
+    request.header.aa = 1;
+    return truncate(request, edns);
+};
 
 const init = async () => {
     // create UDP server
-    createDNSUdpServer((request, send) => {
-        // filter out unsupported requests (eg. EDNS)
-        if (request.additionals && request.additionals.length) {
-            request.additionals = request.additionals.filter(additional => SUPPORTED_TYPES.has(additional.type));
-        }
+    const udpServer = createDNSUdpServer((request, send) => {
+        const edns = parseEdns(request);
 
-        dnsHandler(request)
-            .then(send)
+        dnsHandler(request, edns)
+            .then(response => send(finalizeResponse(response, edns, 'udp')))
             .catch(err => {
                 if (err.code === 'EMSGSIZE') {
-                    //too large response, send empty response instead
-                    const response = new dns2.Packet(request);
-                    response.header.qr = 1;
-                    response.header.aa = 1;
-                    send(response).catch(err => logger.error({ msg: 'Failed to send empty response', err }));
+                    // too large response, fall back to a truncated reply
+                    send(truncatedResponse(request, edns)).catch(err => logger.error({ msg: 'Failed to send truncated response', err }));
                     return;
                 }
                 logger.error({ msg: 'Failed to send DNS response', protocol: 'udp', err });
             });
-    })
-        .listen(config.dns.port, config.dns.host, () => {
-            logger.info({ msg: 'DNS server listening', protocol: 'udp', host: config.dns.host, port: config.dns.port });
-        })
-        .on('error', err => {
-            logger.error({ msg: 'DNS server error', protocol: 'udp', err });
-        });
+    });
+
+    udpServer.on('error', err => {
+        logger.error({ msg: 'DNS server error', protocol: 'udp', err });
+    });
 
     // create TCP server
-    createDNSTcpServer((request, send) => {
-        // filter out unsupported requests (eg. EDNS)
-        if (request.additionals && request.additionals.length) {
-            request.additionals = request.additionals.filter(additional => SUPPORTED_TYPES.has(additional.type));
-        }
+    const tcpServer = createDNSTcpServer((request, send) => {
+        const edns = parseEdns(request);
 
-        dnsHandler(request)
-            .then(send)
+        dnsHandler(request, edns)
+            .then(response => send(finalizeResponse(response, edns, 'tcp')))
             .catch(err => {
                 logger.error({ msg: 'Failed to send DNS response', protocol: 'tcp', err });
             });
-    })
-        .listen(config.dns.port, config.dns.host, () => {
+    });
+
+    tcpServer.on('error', err => {
+        let method = 'error';
+        if (err && ['ECONNRESET'].includes(err.code)) {
+            method = 'trace';
+        }
+        logger[method]({ msg: 'DNS server error', protocol: 'tcp', err });
+    });
+
+    await new Promise(resolve => {
+        udpServer.listen(config.dns.port, config.dns.host, () => {
+            logger.info({ msg: 'DNS server listening', protocol: 'udp', host: config.dns.host, port: config.dns.port });
+            resolve();
+        });
+    });
+
+    await new Promise(resolve => {
+        tcpServer.listen(config.dns.port, config.dns.host, () => {
             logger.info({ msg: 'DNS server listening', protocol: 'tcp', host: config.dns.host, port: config.dns.port });
-        })
-        .on('error', err => {
-            let method = 'error';
-            if (err && ['ECONNRESET'].includes(err.code)) {
-                method = 'trace';
-            }
-            logger[method]({ msg: 'DNS server error', protocol: 'tcp', err });
+            resolve();
         });
+    });
+
+    return { udpServer, tcpServer };
 };
 
 module.exports = init;
+
+// Exposed for unit testing
+module.exports.testables = { parseEdns, finalizeResponse };