Cloak plugin: reject uncloaked records, except NS & SOA

Fixes #2220

Author: jedisct1

dnscrypt-proxy/plugin_cloak.go

@@ -138,6 +138,10 @@ func (plugin *PluginCloak) Eval(pluginsState *PluginsState, msg *dns.Msg) error
 	question := msg.Question[0]
 	if question.Qclass != dns.ClassINET ||
 		(question.Qtype != dns.TypeA && question.Qtype != dns.TypeAAAA && question.Qtype != dns.TypePTR) {
+		if question.Qclass != dns.ClassINET || (question.Qtype != dns.TypeNS || question.Qtype == dns.TypeSOA) {
+			pluginsState.action = PluginsActionReject
+			pluginsState.returnCode = PluginsReturnCodeCloak
+		}
 		return nil
 	}
 	now := time.Now()