Commit bad81eac authored by Thomas Markwalder's avatar Thomas Markwalder

[3383] Log when D2 is listening on non-loopback address

Added a check in D2Process to detect when D2 is using an
address other than loopback on which to listen and issue
a log warning.
Added simple unit tests that permit visual log inspection
barring a simple, automated way to do it.
parent 4fc6976f
......@@ -254,6 +254,14 @@ This is a debug message issued when the DHCP-DDNS application encountered an
error while decoding a response to DNS Update message. Typically, this error
will be encountered when a response message is malformed.
% DHCP_DDNS_NOT_ON_LOOPBACK The DHCP-DDNS server has been configured to listen on %1 which is not the local loopback. This is an insecure configuration supported for testing purposes only.
This is a warning message issued When the DHCP-DDNS server is configured to
listen at an address other than the loopback address (127.0.0.1 or ::1). It is
possible for a malicious attacker to send bogus NameChangeRequests to it and
change entries in the DNS. For this reason, addresses other than the IPv4 or
IPv6 loopback addresses should only be used for testing purposes. A future
version of Kea will implement authentication to guard against such attacks.
% DHCP_DDNS_NO_ELIGIBLE_JOBS although there are queued requests, there are pending transactions for each Queue count: %1 Transaction count: %2
This is a debug message issued when all of the queued requests represent clients
for which there is a an update already in progress. This may occur under
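Review bot: the description line "This is a warning message issued When the DHCP-DDNS server..." has a stray capital in "When" mid-sentence; it should read "issued when". The message text itself also reads better if it names the two addresses the server does accept without a warning, e.g. "...configured to listen on %1 which is not the local loopback (127.0.0.1 or ::1)...", so an operator reading only the log line, not the message catalogue, knows which values are expected.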
......
......@@ -329,6 +329,13 @@ D2Process::reconfigureQueueMgr() {
std::string ip_address;
uint32_t port;
getCfgMgr()->getContext()->getParam("ip_address", ip_address);
// Warn the user if the server address is not the loopback.
/// @todo Remove this once we provide a secure mechanism.
if (ip_address != "127.0.0.1" && ip_address != "::1") {
LOG_WARN(dctl_logger, DHCP_DDNS_NOT_ON_LOOPBACK).arg(ip_address);
}
getCfgMgr()->getContext()->getParam("port", port);
isc::asiolink::IOAddress addr(ip_address);
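Review bot: the loopback test is an exact string comparison done before `isc::asiolink::IOAddress addr(ip_address);` parses the value, so any equivalent spelling of the IPv6 loopback (for example "0:0:0:0:0:0:0:1" or "::0:1") and any other 127/8 address will be reported as "not the local loopback" even though it is, while a syntactically bad address is warned about and then throws on the following line. Consider moving the check after the IOAddress construction and comparing the parsed address values (IOAddress("127.0.0.1") and IOAddress("::1")) instead of the raw text. Minor style point: the `/// @todo` inside the function body is a Doxygen comment; plain `// @todo` avoids it being attached to the enclosing method's documentation.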
......
......@@ -602,4 +602,52 @@ TEST_F(D2ProcessTest, fatalErrorShutdown) {
elapsed.total_milliseconds() <= 2100);
}
/// @brief Used to permit visual inspection of logs to ensure
/// DHCP_DDNS_NOT_ON_LOOPBACK is issued when ip_address is not
/// loopback.
TEST_F(D2ProcessTest, notLoopbackTest) {
const char* config = "{ "
"\"interface\" : \"\" , "
"\"ip_address\" : \"0.0.0.0\" , "
"\"port\" : 53001, "
"\"tsig_keys\": [],"
"\"forward_ddns\" : {},"
"\"reverse_ddns\" : {}"
"}";
// Note we don't care nor can we predict if this
// succeeds or fails. The address and port may or may
// not be valid on the test host.
runWithConfig(config);
}
/// @brief Used to permit visual inspection of logs to ensure
/// DHCP_DDNS_NOT_ON_LOOPBACK is not issued.
TEST_F(D2ProcessTest, v4LoopbackTest) {
const char* config = "{ "
"\"interface\" : \"\" , "
"\"ip_address\" : \"127.0.0.1\" , "
"\"port\" : 53001, "
"\"tsig_keys\": [],"
"\"forward_ddns\" : {},"
"\"reverse_ddns\" : {}"
"}";
ASSERT_TRUE(runWithConfig(config));
}
/// @brief Used to permit visual inspection of logs to ensure
/// DHCP_DDNS_NOT_ON_LOOPBACK is not issued.
TEST_F(D2ProcessTest, v6LoopbackTest) {
const char* config = "{ "
"\"interface\" : \"\" , "
"\"ip_address\" : \"::1\" , "
"\"port\" : 53001, "
"\"tsig_keys\": [],"
"\"forward_ddns\" : {},"
"\"reverse_ddns\" : {}"
"}";
ASSERT_TRUE(runWithConfig(config));
}
} // end of anonymous namespace
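Review bot: v6LoopbackTest uses ASSERT_TRUE(runWithConfig(config)) with "::1", so the test fails outright on a build host where IPv6 loopback is not available, whereas notLoopbackTest deliberately ignores the result for the same reason; either both loopback tests should tolerate a bind failure the same way, or the comment should state that IPv6 is a test prerequisite. The three configs are identical apart from the ip_address value and all hard-code port 53001; a small helper that builds the config from the address (and a port taken from the fixture rather than a literal) would remove the duplication and make a port clash on the test host a single place to fix.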