hosts plugin configured with fallthrough does not fall through for TXT records #6672

Open
devurandom opened this issue May 9, 2024 · 0 comments

devurandom commented May 9, 2024

What happened:

Requests for TXT IN google.com. will not fall through with a config like the following:

.:53535 {
  log
  forward . /etc/resolv.conf
  hosts custom.hosts google.com {
    1.2.3.4 google.com
    fallthrough
  }
}

They receive no answer.

What you expected to happen:

I would expect requests that cannot be answered by the inlined hosts to fall through and receive an answer from the upstream DNS server.

How to reproduce it (as minimally and precisely as possible):

❯ drill txt google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 22124
;; flags: qr tc rd ra ; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.	IN	TXT

;; ANSWER SECTION:
google.com.	3348	IN	TXT	"google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o"
google.com.	3348	IN	TXT	"v=spf1 include:_spf.google.com ~all"
google.com.	3348	IN	TXT	"apple-domain-verification=30afIBcvSuDV2PLX"
google.com.	3348	IN	TXT	"onetrust-domain-verification=de01ed21f2fa4d8781cbc3ffb89cf4ef"
google.com.	3348	IN	TXT	"facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
google.com.	3348	IN	TXT	"webexdomainverification.8YX6G=6e6922db-e3e6-4a36-904e-a805c28087fa"
google.com.	3348	IN	TXT	"docusign=1b0a6754-49b1-4db5-8540-d2c12664b289"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.53
;; WHEN: Thu May  9 16:25:21 2024
;; MSG SIZE  rcvd: 495

;; WARNING: The answer packet was truncated; you might want to
;; query again with TCP (-t argument), or EDNS0 (-b for buffer size)
❯ cat Corefile
.:53535 {
  log
  forward . /etc/resolv.conf
  hosts custom.hosts google.com {
    1.2.3.4 google.com
    fallthrough
  }
}

❯ podman run --network=host -ti -v /etc/resolv.conf:/etc/resolv.conf:ro -v ./Corefile:/Corefile:ro,z docker.io/coredns/coredns:1.11.1@sha256:1eeb4c7316bacb1d4c8ead65571cd92dd21e27359f0d4917f1a5822a73b75db1 -conf /Corefile
[WARNING] plugin/hosts: File does not exist: custom.hosts
.:53535
CoreDNS-1.11.1
linux/amd64, go1.20.7, ae2bbc2
[INFO] 127.0.0.1:44574 - 24023 "A IN google.com. udp 28 false 512" NOERROR qr,aa,rd 54 0.000076937s
[INFO] 127.0.0.1:34032 - 32774 "TXT IN google.com. udp 28 false 512" NOERROR qr,aa,rd 28 0.000059598s
❯ drill @localhost -p 53535 a google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 24023
;; flags: qr aa rd ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.	IN	A

;; ANSWER SECTION:
google.com.	3600	IN	A	1.2.3.4

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu May  9 16:33:10 2024
;; MSG SIZE  rcvd: 54

❯ drill @localhost -p 53535 txt google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 32774
;; flags: qr aa rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com.	IN	TXT

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu May  9 16:33:12 2024
;; MSG SIZE  rcvd: 28

Note how I receive NOERROR with 0 answers, compared to NOERROR with 7 answers when asking my upstream DNS server directly.

Anything else we need to know?:

The code responsible for this appears to be:

// Only on NXDOMAIN we will fallthrough.
if len(answers) == 0 && !h.otherRecordsExist(qname) {
	if h.Fall.Through(qname) {
		return plugin.NextOrFailure(h.Name(), h.Next, ctx, w, r)
	}
	// We want to send an NXDOMAIN, but because of /etc/hosts' setup we don't have a SOA, so we make it SERVFAIL
	// to at least give an answer back to signals we're having problems resolving this.
	return dns.RcodeServerFailure, nil
}
m := new(dns.Msg)
m.SetReply(r)
m.Authoritative = true
m.Answer = answers
w.WriteMsg(m)
return dns.RcodeSuccess, nil

Environment:

See podman invocation above.

@devurandom devurandom added the bug label May 9, 2024
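The following Go program is an added illustration, not CoreDNS code and not something the reporter posted. It reduces the hosts lookup to an in-memory table so the three branches of the quoted condition (name unknown, name known but no record of the asked type, record found) can be exercised offline. `hostsTable`, `decideCurrent`, `decideExpected` and the `Outcome` values are constructed names; `decideCurrent` follows the `len(answers) == 0 && !h.otherRecordsExist(qname)` test from the issue, while `decideExpected` models the behaviour the report asks for and is an assumption of this model, not a change the project has made.

```go
package main

import (
	"fmt"
	"net"
)

// Query types used by the demonstration. The inline hosts block only
// supplies addresses, so any other type has nothing to match against.
const (
	TypeA   = "A"
	TypeTXT = "TXT"
)

// hostsTable stands in for the parsed inline hosts block ("1.2.3.4 google.com").
type hostsTable map[string][]net.IP

// Outcome names the branch the handler would take for a query.
type Outcome string

const (
	OutcomeAnswer      Outcome = "answer"      // records returned with AA set
	OutcomeNoData      Outcome = "nodata"      // NOERROR with an empty answer section
	OutcomeFallthrough Outcome = "fallthrough" // handed to the next plugin (forward)
	OutcomeServfail    Outcome = "servfail"    // name unknown and no fallthrough configured
)

// lookup returns the records the table can synthesise for qname/qtype.
func (h hostsTable) lookup(qname, qtype string) []net.IP {
	if qtype != TypeA {
		return nil // only addresses are stored; TXT and friends never match
	}
	return h[qname]
}

// otherRecordsExist mirrors the check in the quoted code: is the name known
// to the table at all, under any type?
func (h hostsTable) otherRecordsExist(qname string) bool {
	return len(h[qname]) > 0
}

// decideCurrent reproduces the logic quoted in the issue: fall through only
// when the name is entirely unknown (the NXDOMAIN case). A known name with
// no record of the requested type yields an empty NOERROR instead.
func decideCurrent(h hostsTable, qname, qtype string, fallThrough bool) Outcome {
	answers := h.lookup(qname, qtype)
	if len(answers) == 0 && !h.otherRecordsExist(qname) {
		if fallThrough {
			return OutcomeFallthrough
		}
		return OutcomeServfail
	}
	if len(answers) == 0 {
		return OutcomeNoData // what the reporter observed for TXT google.com
	}
	return OutcomeAnswer
}

// decideExpected models the behaviour the report expects (constructed, not
// project code): any query the table cannot answer falls through, whether the
// name is unknown or merely lacks a record of the requested type.
func decideExpected(h hostsTable, qname, qtype string, fallThrough bool) Outcome {
	answers := h.lookup(qname, qtype)
	if len(answers) == 0 {
		if fallThrough {
			return OutcomeFallthrough
		}
		if h.otherRecordsExist(qname) {
			return OutcomeNoData
		}
		return OutcomeServfail
	}
	return OutcomeAnswer
}

func main() {
	// Constructed table matching the Corefile in the report.
	table := hostsTable{"google.com.": {net.ParseIP("1.2.3.4")}}
	queries := []struct{ name, qtype string }{
		{"google.com.", TypeA}, {"google.com.", TypeTXT}, {"example.org.", TypeA},
	}
	for _, q := range queries {
		fmt.Printf("%-13s %-4s current=%-11s expected=%s\n", q.name, q.qtype,
			decideCurrent(table, q.name, q.qtype, true),
			decideExpected(table, q.name, q.qtype, true))
	}
}
```

The practical consequence of the `nodata` branch is worth keeping in mind when pinning a name in the hosts plugin: every other record type for that name (the SPF and domain-verification TXT records in the report, for instance) silently becomes an authoritative empty reply, and the only trace in the CoreDNS log is a NOERROR line with a small response size such as the 28-byte TXT reply shown above.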