Commit 9bdb960a authored by Diego dos Santos Fronza's avatar Diego dos Santos Fronza Committed by Diego dos Santos Fronza

Add test for the proposed fix

This test asserts that option "deny-answer-aliases" works correctly
when forwarding requests.

For example, the behavior expected of a forwarding BIND
instance that has an option such as deny-answer-aliases { "domain"; }
is that, when forwarding a request for *.anything-but-domain, it
returns SERVFAIL if any answer received contains a CNAME
for "*.domain".
parent af6a4de3
$TTL 86400
@ IN SOA malicious. admin.malicious. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS ns
ns IN A 10.53.0.4
target IN CNAME subdomain.rebind.
......@@ -55,3 +55,8 @@ zone "grafted" {
forward only;
forwarders { 10.53.0.2; };
};
zone "malicious." {
type master;
file "malicious.db";
};
......@@ -19,6 +19,7 @@ options {
listen-on-v6 { none; };
forward only;
forwarders { 10.53.0.4; };
deny-answer-aliases { "rebind"; };
dnssec-validation yes;
};
......@@ -26,3 +27,8 @@ zone "." {
type hint;
file "root.db";
};
zone "rebind" {
type master;
file "rebind.db";
};
$TTL 86400
@ IN SOA rebind. admin.rebind. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS ns
ns IN A 10.53.0.5
subdomain IN A 10.53.0.1
......@@ -217,5 +217,18 @@ grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that rebinding protection works in forward only mode ($n)"
ret=0
# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
# which in turn will return a CNAME for subdomain.rebind.
# to honor the option deny-answer-aliases { "rebind"; };
# ns5 should return a SERVFAIL to avoid potential rebinding attacks
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
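Review bot: The new check only asserts `status: SERVFAIL`, so it would still pass if a future change returned SERVFAIL for an unrelated reason while the denied alias target was present in the answer section; the property under test is that the CNAME into "rebind" is withheld from the client. Adding `grep "subdomain.rebind" dig.out.$n > /dev/null && ret=1` after the status grep pins that directly and matches the grep-into-ret pattern used elsewhere in this file. The comment block above the dig call could also state why the alias is a rebinding candidate, apparently because ns5 is itself configured as master for "rebind" (the `zone "rebind"` hunk in the config section), since that is what distinguishes this case from an ordinary forwarded CNAME. The enclosing test sequence continues above the hunk.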