Commit eb7a6642 authored by Diego dos Santos Fronza's avatar Diego dos Santos Fronza Committed by Ondřej Surý

Add test for the proposed fix

This test asserts that option "deny-answer-aliases" works correctly
when forwarding requests.

For example, a forwarding BIND instance configured with an option such as
deny-answer-aliases { "domain"; } is expected, when forwarding a request
for *.anything-but-domain, to return SERVFAIL if any answer received
contains a CNAME pointing to "*.domain".

(cherry picked from commit 9bdb960a)
parent cf7b0de1
$TTL 86400
@ IN SOA malicious. admin.malicious. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS ns
ns IN A 10.53.0.4
target IN CNAME subdomain.rebind.
......@@ -55,3 +55,8 @@ zone "grafted" {
forward only;
forwarders { 10.53.0.2; };
};
zone "malicious." {
type master;
file "malicious.db";
};
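Review bot: The new zone name `zone "malicious."` carries a trailing dot while every other zone name on this page is written without one (`zone "grafted"` in this hunk's header, `zone "rebind"` in the ns5 hunk), so the stanza reads as a different style from its neighbours. named accepts both spellings, but for consistency with the surrounding configuration the stanza would read `zone "malicious" {`. The `type master;` and `file "malicious.db";` lines already follow the form the other zone stanzas use, so nothing else in the stanza needs to change.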
......@@ -19,6 +19,7 @@ options {
listen-on-v6 { none; };
forward only;
forwarders { 10.53.0.4; };
deny-answer-aliases { "rebind"; };
dnssec-validation yes;
};
......@@ -26,3 +27,8 @@ zone "." {
type hint;
file "root.db";
};
zone "rebind" {
type master;
file "rebind.db";
};
$TTL 86400
@ IN SOA rebind. admin.rebind. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS ns
ns IN A 10.53.0.5
subdomain IN A 10.53.0.1
......@@ -218,5 +218,18 @@ grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that rebinding protection works in forward only mode ($n)"
ret=0
# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
# which in turn will return a CNAME for subdomain.rebind.
# to honor the option deny-answer-aliases { "rebind"; };
# ns5 should return a SERVFAIL to avoid potential rebinding attacks
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
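Review bot: The SERVFAIL assertion at the end of the new check cannot tell the deny-answer-aliases rejection apart from any other failure of the forward path on ns5 (ns4 unreachable, a lookup error, and so on), so the test also passes when the feature is broken in a way that breaks forwarding as a whole. A positive control against the same forwarder, using the A record that the new malicious.db already carries, pins this down: `dig_with_opts +noadd +noauth @10.53.0.5 ns.malicious. > dig.out.$n.ctl || ret=1` followed by `grep "status: NOERROR" dig.out.$n.ctl > /dev/null || ret=1`, placed before the target.malicious. query and sharing its `ret`. The comment block above the query could also name the zone data it depends on, e.g. `# target.malicious. is a CNAME to subdomain.rebind. (malicious.db on ns4)`, so a later edit to that zone file does not silently change what the check exercises.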