Partial backport of:
 
commit 333221862ecbebde60dd16e7ca17d26444e62f50
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Apr 8 11:19:38 2019 +0200
 
    resolv: Remove RES_INSECURE1, RES_INSECURE2
    
    Always perform the associated security checks.
 
The constants and their debug output handling are preserve in this
backport.
 
diff --git a/resolv/res_send.c b/resolv/res_send.c
index 705ecb7189d215c2..c9b02cca130bc20d 100644
--- a/resolv/res_send.c
+++ b/resolv/res_send.c
@@ -1324,31 +1324,25 @@ send_dg(res_state statp,
 			 */
 			goto wait;
 		}
-		if (!(statp->options & RES_INSECURE1) &&
-		    !res_ourserver_p(statp, &from)) {
-			/*
-			 * response from wrong server? ignore it.
-			 * XXX - potential security hazard could
-			 *	 be detected here.
-			 */
-			goto wait;
-		}
-		if (!(statp->options & RES_INSECURE2)
-		    && (recvresp1 || !res_queriesmatch(buf, buf + buflen,
+
+		/* Paranoia check.  Due to the connected UDP socket,
+		   the kernel has already filtered invalid addresses
+		   for us.  */
+		if (!res_ourserver_p(statp, &from))
+		  goto wait;
+
+		/* Check for the correct header layout and a matching
+		   question.  */
+		if ((recvresp1 || !res_queriesmatch(buf, buf + buflen,
 						       *thisansp,
 						       *thisansp
 						       + *thisanssizp))
 		    && (recvresp2 || !res_queriesmatch(buf2, buf2 + buflen2,
 						       *thisansp,
 						       *thisansp
-						       + *thisanssizp))) {
-			/*
-			 * response contains wrong query? ignore it.
-			 * XXX - potential security hazard could
-			 *	 be detected here.
-			 */
-			goto wait;
-		}
+						       + *thisanssizp)))
+		  goto wait;
+
 		if (anhp->rcode == SERVFAIL ||
 		    anhp->rcode == NOTIMP ||
 		    anhp->rcode == REFUSED) {