From 69075b166f43f24a37af71b55cf2c10c915e5b31 Mon Sep 17 00:00:00 2001
From: Jason Volk
Date: Sat, 13 Sep 2025 06:51:50 +0000
Subject: [PATCH] Add config option to toggle dns case randomization.
Signed-off-by: Jason Volk
---
 src/core/config/mod.rs | 12 ++++++++++++
 src/service/resolver/dns.rs | 2 +-
 tuwunel-example.toml | 12 ++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
index 63e4a2be..a3e11713 100644
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@@ -385,6 +385,18 @@ pub struct Config {
 #[serde(default)]
 pub dns_passthru_appservices: bool,
 
+ /// Enable or disable case randomization for DNS queries. This is a security
+ /// mitigation where answer spoofing is prevented by having to exactly match
+ /// the question. Occasional errors seen in logs which may have lead you
+ /// here tend to be from overloading DNS. Nevertheless for servers which
+ /// are truly incapable this can be set to false.
+ ///
+ /// This currently defaults to false due to user reports regarding some
+ /// popular DNS caches which may or may not be patched soon. It may again
+ /// default to true in an upcoming release.
+ #[serde(default)]
+ pub dns_case_randomization: bool,
+
 /// Max request size for file uploads in bytes. Defaults to 20MB.
 ///
 /// default: 20971520
diff --git a/src/service/resolver/dns.rs b/src/service/resolver/dns.rs
index 0b1c2db4..23be4647 100644
--- a/src/service/resolver/dns.rs
+++ b/src/service/resolver/dns.rs
@@ -121,7 +121,7 @@ impl Resolver {
 opts.try_tcp_on_error = config.dns_tcp_fallback;
 opts.num_concurrent_reqs = 1;
 opts.edns0 = true;
- opts.case_randomization = true;
+ opts.case_randomization = config.dns_case_randomization;
 opts.preserve_intermediates = true;
 opts.ip_strategy = match config.ip_lookup_strategy {
 | 1 => LookupIpStrategy::Ipv4Only,
diff --git a/tuwunel-example.toml b/tuwunel-example.toml
index e121893b..8ef94ed7 100644
--- a/tuwunel-example.toml
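Review bot: The bare `#[serde(default)]` on `dns_case_randomization` turns the DNS case-randomization (0x20) spoofing mitigation off for every deployment that never sets the key, and nothing in the struct states that default explicitly — a reader has to know serde's `bool` default to see that "currently defaults to false" in the doc comment matches the attribute. The neighbouring `max_request_size` field records its value with a `/// default:` line, so adding `/// default: false` here would keep the doc, the attribute and `tuwunel-example.toml` in step when the default is flipped back to true as the comment anticipates. The comment also overstates the mechanism: randomized query case adds entropy a forged answer must reproduce, it does not prevent spoofing outright, so `/// mitigation that makes a forged answer harder to match against the question.` is closer to what the option does. Minor: "may have lead you here" should read "led".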
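Review bot: With the default now false, a server whose operator never touches the key silently runs without case randomization, and `opts.case_randomization = config.dns_case_randomization;` gives no runtime signal of that weakened state. A one-line log when the option is off would make it visible in startup output, e.g. `if !config.dns_case_randomization { warn!("dns_case_randomization is disabled; DNS answer spoofing mitigation is off"); }`, assuming a `warn!` macro from the project's logging crate is imported in this module, which the hunk does not show. The enclosing `impl Resolver` constructor starts and ends outside the hunk, so the right spot relative to the `opts` block is not visible here; if the config layer has a startup sanity-check pass for insecure settings, that would be the alternative place for the warning.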
+++ b/tuwunel-example.toml
@@ -302,6 +302,18 @@
 #
 #dns_passthru_appservices = false
 
+# Enable or disable case randomization for DNS queries. This is a security
+# mitigation where answer spoofing is prevented by having to exactly match
+# the question. Occasional errors seen in logs which may have lead you
+# here tend to be from overloading DNS. Nevertheless for servers which
+# are truly incapable this can be set to false.
+#
+# This currently defaults to false due to user reports regarding some
+# popular DNS caches which may or may not be patched soon. It may again
+# default to true in an upcoming release.
+#
+#dns_case_randomization = false
+
 # Max request size for file uploads in bytes. Defaults to 20MB.
 #
 #max_request_size = 20971520