rpms / bind

Clone
Source Code
GIT

Blame SOURCES/bind-9.11-rh1832812.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta c9s-sig-hyperscale
  1.   a9e10b8833b35181fb91f3da4a441abac3bdb1ec
  2.   SOURCES
  3.   bind-9.11-rh1832812.patch
Blob History Raw
db4030 
diff --git a/bin/tests/system/forward/ns4/malicious.db b/bin/tests/system/forward/ns4/malicious.db
db4030 
new file mode 100644
db4030 
index 0000000000000000000000000000000000000000..b47208c1640eaf40d9c23bfb4598000fd068b814
db4030 
--- /dev/null
db4030 
+++ b/bin/tests/system/forward/ns4/malicious.db
db4030 
@@ -0,0 +1,22 @@
db4030 
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
db4030 
+;
db4030 
+; This Source Code Form is subject to the terms of the Mozilla Public
db4030 
+; License, v. 2.0. If a copy of the MPL was not distributed with this
db4030 
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
db4030 
+;
db4030 
+; See the COPYRIGHT file distributed with this work for additional
db4030 
+; information regarding copyright ownership.
db4030 
+
db4030 
+$TTL    86400
db4030 
+@       IN      SOA     malicious. admin.malicious. (
db4030 
+                              1         ; Serial
db4030 
+                         604800         ; Refresh
db4030 
+                          86400         ; Retry
db4030 
+                        2419200         ; Expire
db4030 
+                          86400 )       ; Negative Cache TTL
db4030 
+
db4030 
+@           IN    NS      ns
db4030 
+
db4030 
+ns          IN    A       10.53.0.4
db4030 
+
db4030 
+target      IN    CNAME   subdomain.rebind.
db4030 
diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
db4030 
index 643e1271b53ae85e91a169413259afe84dfe1fee..fee76b41e5d46d5bfdb9fc10bd6e914436417a2b 100644
db4030 
--- a/bin/tests/system/forward/ns4/named.conf.in
db4030 
+++ b/bin/tests/system/forward/ns4/named.conf.in
db4030 
@@ -55,3 +55,8 @@ zone "grafted" {
db4030 
 	forward only;
db4030 
 	forwarders { 10.53.0.2; };
db4030 
 };
db4030 
+
db4030 
+zone "malicious." {
db4030 
+	type master;
db4030 
+	file "malicious.db";
db4030 
+};
db4030 
diff --git a/bin/tests/system/forward/ns5/named.conf.in b/bin/tests/system/forward/ns5/named.conf.in
db4030 
index 0e65985d52634654cf3ebb757cd1f0296e5d9cb6..6742222d4d088807ce1765c1073ef8ba16768d9c 100644
db4030 
--- a/bin/tests/system/forward/ns5/named.conf.in
db4030 
+++ b/bin/tests/system/forward/ns5/named.conf.in
db4030 
@@ -19,9 +19,16 @@ options {
db4030 
 	listen-on-v6 { none; };
db4030 
 	forward only;
db4030 
 	forwarders { 10.53.0.4; };
db4030 
+	deny-answer-aliases { "rebind"; };
db4030 
+	dnssec-validation yes;
db4030 
 };
db4030
db4030 
 zone "." {
db4030 
 	type hint;
db4030 
 	file "root.db";
db4030 
 };
db4030 
+
db4030 
+zone "rebind" {
db4030 
+	type master;
db4030 
+	file "rebind.db";
db4030 
+};
db4030 
diff --git a/bin/tests/system/forward/ns5/rebind.db b/bin/tests/system/forward/ns5/rebind.db
db4030 
new file mode 100644
db4030 
index 0000000000000000000000000000000000000000..3e71327a4856ab9a164db475423327de0184dd81
db4030 
--- /dev/null
db4030 
+++ b/bin/tests/system/forward/ns5/rebind.db
db4030 
@@ -0,0 +1,22 @@
db4030 
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
db4030 
+;
db4030 
+; This Source Code Form is subject to the terms of the Mozilla Public
db4030 
+; License, v. 2.0. If a copy of the MPL was not distributed with this
db4030 
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
db4030 
+;
db4030 
+; See the COPYRIGHT file distributed with this work for additional
db4030 
+; information regarding copyright ownership.
db4030 
+
db4030 
+$TTL    86400
db4030 
+@       IN      SOA     rebind. admin.rebind. (
db4030 
+                              1         ; Serial
db4030 
+                         604800         ; Refresh
db4030 
+                          86400         ; Retry
db4030 
+                        2419200         ; Expire
db4030 
+                          86400 )       ; Negative Cache TTL
db4030 
+
db4030 
+@           IN    NS    ns
db4030 
+
db4030 
+ns          IN    A     10.53.0.5
db4030 
+
db4030 
+subdomain   IN    A     10.53.0.1
db4030 
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
db4030 
index 8c64960..1da4136 100644
db4030 
--- a/bin/tests/system/forward/tests.sh
db4030 
+++ b/bin/tests/system/forward/tests.sh
db4030 
@@ -143,5 +143,18 @@ sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l`
db4030 
 if [ $ret != 0 ]; then echo_i "failed"; fi
db4030 
 status=`expr $status + $ret`
db4030
db4030 
+n=$((n+1))
db4030 
+echo_i "checking that rebinding protection works in forward only mode ($n)"
db4030 
+ret=0
db4030 
+# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
db4030 
+# which in turn will return a CNAME for subdomain.rebind.
db4030 
+# to honor the option deny-answer-aliases { "rebind"; };
db4030 
+# ns5 should return a SERVFAIL to avoid potential rebinding attacks
db4030 
+dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
db4030 
+grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
db4030 
+if [ $ret != 0 ]; then echo_i "failed"; fi
db4030 
+status=$((status+ret))
db4030 
+
db4030 
+
db4030 
 echo_i "exit status: $status"
db4030 
 [ $status -eq 0 ] || exit 1
db4030 
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
db4030 
index a8cbb10..39d33e0 100644
db4030 
--- a/lib/dns/resolver.c
db4030 
+++ b/lib/dns/resolver.c
db4030 
@@ -6413,8 +6413,10 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
db4030 
 	/*
db4030 
 	 * If the target name is a subdomain of the search domain, allow it.
db4030 
 	 */
db4030 
-	if (dns_name_issubdomain(tname, &fctx->domain))
db4030 
+	if ((fctx->fwdpolicy == dns_fwdpolicy_none) &&
db4030 
+		dns_name_issubdomain(tname, &fctx->domain)) {
db4030 
 		return (ISC_TRUE);
db4030 
+	}
db4030
db4030 
 	/*
db4030 
 	 * Otherwise, apply filters.

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation