respond with REFUSED when max_concurrent is exceeded to avoid caching it (#4326)

Signed-off-by: Chris O'Haver <cohaver@infoblox.com>

plugin/forward/README.md

@@ -88,7 +88,7 @@ forward FROM TO... {
   * `no_rec` - optional argument that sets the RecursionDesired-flag of the dns-query used in health checking to `false`.
     The flag is default `true`.
 * `max_concurrent` **MAX** will limit the number of concurrent queries to **MAX**.  Any new query that would
-  raise the number of concurrent queries above the **MAX** will result in a SERVFAIL response. This
+  raise the number of concurrent queries above the **MAX** will result in a REFUSED response. This
   response does not count as a health failure. When choosing a value for **MAX**, pick a number
   at least greater than the expected *upstream query rate* * *latency* of the upstream servers.
   As an upper bound for **MAX**, consider that each concurrent query will use about 2kb of memory.

plugin/forward/forward.go

@@ -83,7 +83,7 @@ func (f *Forward) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg
 		defer atomic.AddInt64(&(f.concurrent), -1)
 		if count > f.maxConcurrent {
 			MaxConcurrentRejectCount.Add(1)
-			return dns.RcodeServerFailure, f.ErrLimitExceeded
+			return dns.RcodeRefused, f.ErrLimitExceeded
 		}
 	}
 

plugin/pkg/response/typify_test.go

@@ -60,6 +60,16 @@ func TestTypifyImpossible(t *testing.T) {
 	}
 }
 
+func TestTypifyRefused(t *testing.T) {
+	m := new(dns.Msg)
+	m.SetQuestion("foo.example.org.", dns.TypeA)
+	m.Rcode = dns.RcodeRefused
+	mt, _ := Typify(m, time.Now().UTC())
+	if mt != OtherError {
+		t.Errorf("Refused message not typified as OtherError, got %s", mt)
+	}
+}
+
 func delegationMsg() *dns.Msg {
 	return &dns.Msg{
 		Ns: []dns.RR{