Return REFUSED instead of SERVFAIL for unconfigured domains

https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

geodns.go

@@ -162,6 +162,7 @@ func main() {
 	go monitor(Zones)
 	go Zones.statHatPoster()
 
+	setupRootZone()
 	setupPgeodnsZone(Zones)
 
 	dirName := *flagconfig

serve_test.go

@@ -26,6 +26,7 @@ func (s *ServeSuite) SetUpSuite(c *C) {
 
 	Zones := make(Zones)
 	setupPgeodnsZone(Zones)
+	setupRootZone()
 	zonesReadDir("dns", Zones)
 
 	go listenAndServe(PORT)
@@ -157,7 +158,11 @@ func (s *ServeSuite) TestCname(c *C) {
 
 	// Two possible results from this cname
 	c.Check(results, HasLen, 2)
+}
 
+func (s *ServeSuite) TestUnknownDomain(c *C) {
+	r := exchange(c, "no.such.domain.", dns.TypeAAAA)
+	c.Assert(r.Rcode, Equals, dns.RcodeRefused)
 }
 
 func (s *ServeSuite) TestServingAliases(c *C) {

zones.go

@@ -108,6 +108,14 @@ func setupPgeodnsZone(zones Zones) {
 	addHandler(zones, zoneName, Zone)
 }
 
+func setupRootZone() {
+	dns.HandleFunc(".", func(w dns.ResponseWriter, r *dns.Msg) {
+		m := new(dns.Msg)
+		m.SetRcode(r, dns.RcodeRefused)
+		w.WriteMsg(m)
+	})
+}
+
 func readZoneFile(zoneName, fileName string) (zone *Zone, zerr error) {
 	defer func() {
 		if r := recover(); r != nil {