--- /dev/null
+From 4139298d287eb5c57f4aa53c459cb02fc5be2495 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 19 Sep 2018 22:27:11 +0100
+Subject: [PATCH 2/2] Change behavior when RD bit unset in queries.
+
+Change anti cache-snooping behaviour with queries with the
+recursion-desired bit unset. Instead to returning SERVFAIL, we
+now always forward, and never answer from the cache. This
+allows "dig +trace" command to work.
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ CHANGELOG | 7 ++++++-
+ src/rfc1035.c | 8 +++-----
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -59,7 +59,12 @@ version 2.80
+ Returning null addresses is a useful technique for ad-blocking.
+ Thanks to Peter Russell for the suggestion.
+
+-
++ Change anti cache-snooping behaviour with queries with the
++ recursion-desired bit unset. Instead to returning SERVFAIL, we
++ now always forward, and never answer from the cache. This
++ allows "dig +trace" command to work.
++
++
+ version 2.79
+ Fix parsing of CNAME arguments, which are confused by extra spaces.
+ Thanks to Diego Aguirre for spotting the bug.
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1293,16 +1293,14 @@ size_t answer_request(struct dns_header
+ struct mx_srv_record *rec;
+ size_t len;
+
+- if (ntohs(header->ancount) != 0 ||
++ /* never answer queries with RD unset, to avoid cache snooping. */
++ if (!(header->hb3 & HB3_RD) ||
++ ntohs(header->ancount) != 0 ||
+ ntohs(header->nscount) != 0 ||
+ ntohs(header->qdcount) == 0 ||
+ OPCODE(header) != QUERY )
+ return 0;
+
+- /* always servfail queries with RD unset, to avoid cache snooping. */
+- if (!(header->hb3 & HB3_RD))
+- return setup_reply(header, qlen, NULL, F_SERVFAIL, 0);
+-
+ /* Don't return AD set if checking disabled. */
+ if (header->hb4 & HB4_CD)
+ sec_data = 0;