Commit 20f70f24 authored by Ondřej Surý's avatar Ondřej Surý

Merge branch...

Merge branch '1574-confidential-issue-rebinding-protection-fail-in-forwarding-mode-master' into 'master'

Resolve "DNS rebinding protection is ineffective when BIND is configured as a forwarding DNS server"

Closes #1574

See merge request !3342
parents f762ee66 157f2da8
Pipeline #38640 passed with stages
in 4 minutes and 1 second
5376. [bug] Fix DNS ineffective rebinding protection when BIND 9
is configured as a forwarding DNS server. [GL #1574]
(Thanks to Tobias Klein)
5375. [test] Fix timing issue in kasp test. [GL #1669]
5374. [bug] Statistics counters counting recursive clients and
......
$TTL 86400
@ IN SOA malicious. admin.malicious. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS ns
ns IN A 10.53.0.4
target IN CNAME subdomain.rebind.
......@@ -55,3 +55,8 @@ zone "grafted" {
forward only;
forwarders { 10.53.0.2; };
};
zone "malicious." {
type master;
file "malicious.db";
};
......@@ -19,6 +19,7 @@ options {
listen-on-v6 { none; };
forward only;
forwarders { 10.53.0.4; };
deny-answer-aliases { "rebind"; };
dnssec-validation yes;
};
......@@ -26,3 +27,8 @@ zone "." {
type hint;
file "root.db";
};
zone "rebind" {
type master;
file "rebind.db";
};
$TTL 86400
@ IN SOA rebind. admin.rebind. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS ns
ns IN A 10.53.0.5
subdomain IN A 10.53.0.1
......@@ -218,5 +218,18 @@ grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that rebinding protection works in forward only mode ($n)"
ret=0
# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
# which in turn will return a CNAME for subdomain.rebind.
# to honor the option deny-answer-aliases { "rebind"; };
# ns5 should return a SERVFAIL to avoid potential rebinding attacks
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
......@@ -15,7 +15,9 @@
<itemizedlist>
<listitem>
<para>
None.
DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
</para>
</listitem>
</itemizedlist>
......
......@@ -7115,8 +7115,13 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
/*
* If the target name is a subdomain of the search domain, allow it.
*
* Note that if BIND is configured as a forwarding DNS server, the
* search domain will always match the root domain ("."), so we
* must also check whether forwarding is enabled so that filters
* can be applied; see GL #1574.
*/
if (dns_name_issubdomain(tname, &fctx->domain)) {
if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) {
return (true);
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment