From e7545f2eac48ae9f35ba4a080d6e0b6ecfd054a4 Mon Sep 17 00:00:00 2001
From: Nick Hill
Date: Fri, 4 Oct 2024 12:34:41 -0500
Subject: [PATCH] net/dns/resolver: translate 5xx DoH server errors into SERVFAIL DNS responses

If a DoH server returns an HTTP server error, rather than a SERVFAIL within a successful HTTP response, we should handle it in the same way as SERVFAIL.

Updates #13571

Signed-off-by: Nick Hill
---
 net/dns/resolver/forwarder.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/dns/resolver/forwarder.go b/net/dns/resolver/forwarder.go
index 5920b7f29..0bf904070 100644
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -487,6 +487,10 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
 defer hres.Body.Close()
 if hres.StatusCode != 200 {
 metricDNSFwdDoHErrorStatus.Add(1)
+ if hres.StatusCode/100 == 5 {
+ // Translate 5xx HTTP server errors into SERVFAIL DNS responses.
+ return nil, fmt.Errorf("%w: %s", errServerFailure, hres.Status)
+ }
 return nil, errors.New(hres.Status)
 }
 if ct := hres.Header.Get("Content-Type"); ct != dohType {
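Review bot: The new 5xx branch is counted only by the shared `metricDNSFwdDoHErrorStatus.Add(1)` that precedes it, so an operator watching metrics cannot distinguish an upstream DoH server that is failing (and now surfaces to clients as SERVFAIL) from a 4xx or other unexpected status; consider incrementing a dedicated counter inside the `if hres.StatusCode/100 == 5` block (constructed name for illustration: `metricDNSFwdDoHErrorStatus5xx.Add(1)`). The two error paths also differ in style — the new branch wraps with `fmt.Errorf("%w: %s", ...)` while the fall-through still returns `errors.New(hres.Status)` — and `hres.Status` is text supplied by the remote server in both cases, so `fmt.Errorf("%w: %q", errServerFailure, hres.Status)` would keep any odd bytes visibly quoted wherever this error is logged. Whether `errServerFailure` is declared in this file, and how callers map it onto the DNS rcode, is not visible in the hunk. The enclosing sendDoH body starts and ends outside the hunk.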