Add support for search-only resolvers

resolver/resolver.go

@@ -63,6 +63,7 @@ type Resolver struct {
 	// Special Options
 	VerifyDomain string
 	Search       []string
+	SearchOnly   bool
 
 	// logic interface
 	Conn ResolverConn `json:"-"`

resolver/resolvers.go

@@ -1,6 +1,7 @@
 package resolver
 
 import (
+	"errors"
 	"fmt"
 	"net"
 	"net/url"
@@ -157,6 +158,7 @@ func createResolver(resolverURL, source string) (*Resolver, bool, error) {
 		UpstreamBlockDetection: blockType,
 	}
 
+	// Parse search domains.
 	searchDomains := query.Get("search")
 	if searchDomains != "" {
 		err = configureSearchDomains(newResolver, strings.Split(searchDomains, ","), true)
@@ -165,6 +167,18 @@ func createResolver(resolverURL, source string) (*Resolver, bool, error) {
 		}
 	}
 
+	// Check if searchOnly is set and valid.
+	if query.Has("searchOnly") {
+		newResolver.SearchOnly = true
+
+		if query.Get("searchOnly") != "" {
+			return nil, false, errors.New("searchOnly may only be used as an empty parameter")
+		}
+		if len(newResolver.Search) == 0 {
+			return nil, false, errors.New("cannot use searchOnly without search scopes")
+		}
+	}
+
 	newResolver.Conn = resolverConnFactory(newResolver)
 	return newResolver, false, nil
 }

resolver/scopes.go

@@ -179,6 +179,7 @@ var (
 	errInsecureProtocol = errors.New("insecure protocols disabled")
 	errAssignedServer   = errors.New("assigned (dhcp) nameservers disabled")
 	errMulticastDNS     = errors.New("multicast DNS disabled")
+	errOutOfScope       = errors.New("query out of scope for resolver")
 )
 
 func (q *Query) checkCompliance() error {
@@ -236,5 +237,10 @@ func (resolver *Resolver) checkCompliance(_ context.Context, q *Query) error {
 		}
 	}
 
+	// Check if the resolver should only be used for the search scopes.
+	if resolver.SearchOnly && !domainInScope(q.dotPrefixedFQDN, resolver.Search) {
+		return errOutOfScope
+	}
+
 	return nil
 }