From 557de3210e8d3d5da8c85dfc94042620049f4292 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 18 Jan 2022 00:19:47 +1100 Subject: [PATCH] Add tests for forwarder cache poisoning scenarios - Check that an NS in an authority section returned from a forwarder which is above the name in a configured "forward first" or "forward only" zone (i.e., net/NS in a response from a forwarder configured for local.net) is not cached. - Test that a DNAME for a parent domain will not be cached when sent in a response from a forwarder configured to answer for a child. - Check that glue is rejected if its name falls below that of zone configured locally. - Check that an extra out-of-bailiwick data in the answer section is not cached (this was already working correctly, but was not explicitly tested before). - v9_11 backport: Revert primary/secondary to master/slave, backport rndc helper, backport ns8 config. (cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604) (cherry picked from commit 29f08170f05c2c96fb67f3b561b46aa0bae356f7) --- bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++ bin/tests/system/forward/clean.sh | 2 + bin/tests/system/forward/ns1/diditwork.net.db | 20 +++ bin/tests/system/forward/ns1/named.conf.in | 20 +++ bin/tests/system/forward/ns1/net.example.lll | 13 ++ bin/tests/system/forward/ns1/spoofed.net.db | 20 +++ bin/tests/system/forward/ns1/sub.local.net.db | 20 +++ bin/tests/system/forward/ns10/fakenet.zone | 15 ++ bin/tests/system/forward/ns10/fakenet2.zone | 13 ++ .../system/forward/ns10/fakesublocalnet.zone | 13 ++ .../system/forward/ns10/fakesublocaltld.zone | 13 ++ bin/tests/system/forward/ns10/named.conf.in | 51 +++++++ bin/tests/system/forward/ns10/net.example.lll | 13 ++ bin/tests/system/forward/ns10/spoofednet.zone | 14 ++ bin/tests/system/forward/ns4/named.conf.in | 5 + bin/tests/system/forward/ns4/sibling.tld.db | 20 +++ bin/tests/system/forward/ns8/named.conf.in | 33 +++++ bin/tests/system/forward/ns8/root.db | 11 ++ bin/tests/system/forward/ns8/sub.local.tld.db | 13 ++ bin/tests/system/forward/ns9/local.net.db | 14 ++ bin/tests/system/forward/ns9/local.tld.db | 13 ++ bin/tests/system/forward/ns9/named1.conf.in | 65 +++++++++ bin/tests/system/forward/ns9/named2.conf.in | 68 +++++++++ bin/tests/system/forward/ns9/named3.conf.in | 48 +++++++ bin/tests/system/forward/ns9/named4.conf.in | 45 ++++++ bin/tests/system/forward/ns9/root.db | 11 ++ bin/tests/system/forward/prereq.sh | 35 +++++ bin/tests/system/forward/setup.sh | 3 + bin/tests/system/forward/tests.sh | 130 +++++++++++++++++ bin/tests/system/ifconfig.sh | 8 +- 30 files changed, 881 insertions(+), 4 deletions(-) create mode 100644 bin/tests/system/forward/ans11/ans.py create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db create mode 100644 bin/tests/system/forward/ns1/net.example.lll create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db create mode 100644 bin/tests/system/forward/ns10/fakenet.zone create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone create mode 100644 bin/tests/system/forward/ns10/named.conf.in create mode 100644 bin/tests/system/forward/ns10/net.example.lll create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db create mode 100644 bin/tests/system/forward/ns8/named.conf.in create mode 100644 bin/tests/system/forward/ns8/root.db create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db create mode 100644 bin/tests/system/forward/ns9/local.net.db create mode 100644 bin/tests/system/forward/ns9/local.tld.db create mode 100644 bin/tests/system/forward/ns9/named1.conf.in create mode 100644 bin/tests/system/forward/ns9/named2.conf.in create mode 100644 bin/tests/system/forward/ns9/named3.conf.in create mode 100644 bin/tests/system/forward/ns9/named4.conf.in create mode 100644 bin/tests/system/forward/ns9/root.db create mode 100644 bin/tests/system/forward/prereq.sh diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py new file mode 100644 index 0000000..2956cf6 --- /dev/null +++ b/bin/tests/system/forward/ans11/ans.py @@ -0,0 +1,136 @@ +############################################################################ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. +############################################################################ + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +from datetime import datetime, timedelta +import time +import functools + +import dns, dns.message, dns.query, dns.flags +from dns.rdatatype import * +from dns.rdataclass import * +from dns.rcode import * +from dns.name import * + +# Log query to file +def logquery(type, qname): + with open("qlog", "a") as f: + f.write("%s %s\n", type, qname) + +############################################################################ +# Respond to a DNS query. +############################################################################ +def create_response(msg): + m = dns.message.from_wire(msg) + qname = m.question[0].name.to_text() + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + + with open("query.log", "a") as f: + f.write("%s %s\n" % (typename, qname)) + print("%s %s" % (typename, qname), end=" ") + + r = dns.message.make_response(m) + r.set_rcode(NOERROR) + if rrtype == A: + tld=qname.split('.')[-2] + '.' + ns="local." + tld + r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) + r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld)) + r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) + elif rrtype == NS: + r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) + elif rrtype == SOA: + r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) + else: + r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) + r.flags |= dns.flags.AA + return r + +def sigterm(signum, frame): + print ("Shutting down now...") + os.remove('ans.pid') + running = False + sys.exit(0) + +############################################################################ +# Main +# +# Set up responder and control channel, open the pid file, and start +# the main loop, listening for queries on the query channel or commands +# on the control channel and acting on them. +############################################################################ +ip4 = "10.53.0.11" +ip6 = "fd92:7065:b8e:ffff::11" + +try: port=int(os.environ['PORT']) +except: port=5300 + +query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_socket.bind((ip4, port)) +havev6 = True +try: + query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + try: + query6_socket.bind((ip6, port)) + except: + query6_socket.close() + havev6 = False +except: + havev6 = False +signal.signal(signal.SIGTERM, sigterm) + +f = open('ans.pid', 'w') +pid = os.getpid() +print (pid, file=f) +f.close() + +running = True + +print ("Listening on %s port %d" % (ip4, port)) +if havev6: + print ("Listening on %s port %d" % (ip6, port)) +print ("Ctrl-c to quit") + +if havev6: + input = [query4_socket, query6_socket] +else: + input = [query4_socket] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + if s == query4_socket or s == query6_socket: + print ("Query received on %s" % + (ip4 if s == query4_socket else ip6), end=" ") + # Handle incoming queries + msg = s.recvfrom(65535) + rsp = create_response(msg[0]) + if rsp: + print(dns.rcode.to_text(rsp.rcode())) + s.sendto(rsp.to_wire(), msg[1]) + else: + print("NO RESPONSE") + if not running: + break diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh index 3052d27..4ab2a03 100644 --- a/bin/tests/system/forward/clean.sh +++ b/bin/tests/system/forward/clean.sh @@ -10,8 +10,10 @@ # # Clean up after forward tests. # +rm -f ./ans11/query.log rm -f dig.out.* rm -f */named.conf rm -f */named.memstats rm -f */named.run +rm -f ./*/named_dump.db rm -f ns*/named.lock diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db new file mode 100644 index 0000000..be9a7f7 --- /dev/null +++ b/bin/tests/system/forward/ns1/diditwork.net.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns + TXT "recursed" +ns A 10.53.0.1 diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in index 7ce81dd..442b928 100644 --- a/bin/tests/system/forward/ns1/named.conf.in +++ b/bin/tests/system/forward/ns1/named.conf.in @@ -54,3 +54,23 @@ zone "example5." { zone "example6" { type forward; }; + +zone "diditwork.net" { + type master; + file "diditwork.net.db"; +}; + +zone "spoofed.net" { + type master; + file "spoofed.net.db"; +}; + +zone "sub.local.net" { + type master; + file "sub.local.net.db"; +}; + +zone "net.example.lll" { + type master; + file "net.example.lll"; +}; diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll new file mode 100644 index 0000000..d179853 --- /dev/null +++ b/bin/tests/system/forward/ns1/net.example.lll @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net.example.lll. SOA . . 0 0 0 0 0 +net.example.lll. NS attackSecureDomain.net. +didItWork.net.example.lll. TXT "if you can see this record the attack worked" diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db new file mode 100644 index 0000000..d498d5f --- /dev/null +++ b/bin/tests/system/forward/ns1/spoofed.net.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 +sub TXT "recursed" diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db new file mode 100644 index 0000000..be9a7f7 --- /dev/null +++ b/bin/tests/system/forward/ns1/sub.local.net.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns + TXT "recursed" +ns A 10.53.0.1 diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone new file mode 100644 index 0000000..14e5c77 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakenet.zone @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net. SOA . . 0 0 0 0 0 +net. NS attackSecureDomain.net. +attackSecureDomain.net. A 10.53.0.10 +didItWork.net. TXT "if you can see this record the attack worked" +ns.spoofed.net. A 10.53.0.10 diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone new file mode 100644 index 0000000..7ca28a9 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakenet2.zone @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net2. SOA . . 0 0 0 0 0 +net2. NS attackSecureDomain.net. +net2. DNAME net.example.lll. diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone new file mode 100644 index 0000000..6caa071 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +sub.local.net. SOA . . 0 0 0 0 0 +sub.local.net. NS ns.spoofed.net. +sub.local.net. TXT "if you see this attacker overrode local delegation" diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone new file mode 100644 index 0000000..6a431de --- /dev/null +++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 +sub.local.tld. 3600 IN NS ns.sub.local.tld. +sub.local.tld. 3600 IN TXT bad +ns.sub.local.tld. 3600 IN A 10.53.0.8 diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in new file mode 100644 index 0000000..025c108 --- /dev/null +++ b/bin/tests/system/forward/ns10/named.conf.in @@ -0,0 +1,51 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.10; + notify-source 10.53.0.10; + transfer-source 10.53.0.10; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.10; }; + listen-on-v6 { none; }; + minimal-responses no; +}; + +zone "net." { + type master; + file "fakenet.zone"; +}; + +zone "spoofed.net." { + type master; + file "spoofednet.zone"; +}; + +zone "sub.local.net." { + type master; + file "fakesublocalnet.zone"; +}; + +zone "net2" { + type master; + file "fakenet2.zone"; +}; + +zone "net.example.lll" { + type master; + file "net.example.lll"; +}; + +zone "sub.local.tld." { + type master; + file "fakesublocaltld.zone"; +}; diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll new file mode 100644 index 0000000..d179853 --- /dev/null +++ b/bin/tests/system/forward/ns10/net.example.lll @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net.example.lll. SOA . . 0 0 0 0 0 +net.example.lll. NS attackSecureDomain.net. +didItWork.net.example.lll. TXT "if you can see this record the attack worked" diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone new file mode 100644 index 0000000..13921a0 --- /dev/null +++ b/bin/tests/system/forward/ns10/spoofednet.zone @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +spoofed.net. SOA . . 0 0 0 0 0 +spoofed.net. NS ns.spoofed.net. +ns.spoofed.net. A 10.53.0.10 +spoofed.net. TXT "this record is clearly spoofed" diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in index fee76b4..5fda95c 100644 --- a/bin/tests/system/forward/ns4/named.conf.in +++ b/bin/tests/system/forward/ns4/named.conf.in @@ -60,3 +60,8 @@ zone "malicious." { type master; file "malicious.db"; }; + +zone "sibling.tld" { + type master; + file "sibling.tld.db"; +}; diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db new file mode 100644 index 0000000..58037d0 --- /dev/null +++ b/bin/tests/system/forward/ns4/sibling.tld.db @@ -0,0 +1,20 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA malicious. admin.malicious. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + +@ IN NS ns + +ns IN A 10.53.0.4 diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in new file mode 100644 index 0000000..9260f69 --- /dev/null +++ b/bin/tests/system/forward/ns8/named.conf.in @@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.8; + notify-source 10.53.0.8; + transfer-source 10.53.0.8; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.8; }; + listen-on-v6 { none; }; + forwarders { 10.53.0.2; }; // returns referrals + forward first; + dnssec-validation yes; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "sub.local.tld" { + type master; + file "sub.local.tld.db"; +}; diff --git a/bin/tests/system/forward/ns8/root.db b/bin/tests/system/forward/ns8/root.db new file mode 100644 index 0000000..4f30322 --- /dev/null +++ b/bin/tests/system/forward/ns8/root.db @@ -0,0 +1,11 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db new file mode 100644 index 0000000..eb20683 --- /dev/null +++ b/bin/tests/system/forward/ns8/sub.local.tld.db @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 +sub.local.tld. 3600 IN NS ns.sub.local.tld. +sub.local.tld. 3600 IN TXT good +ns.sub.local.tld. 3600 IN A 10.53.0.8 diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db new file mode 100644 index 0000000..2c971e1 --- /dev/null +++ b/bin/tests/system/forward/ns9/local.net.db @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +local.net. 3600 IN SOA . . 0 0 0 0 0 +local.net. 3600 IN NS localhost. +ns.local.net. 3600 IN A 10.53.0.9 +txt.local.net. 3600 IN TXT "something in the local auth zone" +sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db new file mode 100644 index 0000000..5940391 --- /dev/null +++ b/bin/tests/system/forward/ns9/local.tld.db @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +local.tld. 3600 IN SOA . . 0 0 0 0 0 +local.tld. 3600 IN NS localhost. +sub.local.tld. 3600 IN NS ns.sub.local.tld. +ns.sub.local.tld. 3600 IN A 10.53.0.8 diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in new file mode 100644 index 0000000..943e037 --- /dev/null +++ b/bin/tests/system/forward/ns9/named1.conf.in @@ -0,0 +1,65 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; + dnssec-validation no; + edns-udp-size 1232; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +server 10.53.0.10 { + edns no; +}; + +server 10.53.0.11 { + edns no; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "attacksecuredomain.net." { + type forward; + forwarders { 10.53.0.10; }; +}; + +zone "attacksecuredomain.net2." { + type forward; + forwarders { 10.53.0.10; }; +}; + +zone "attacksecuredomain.net3." { + type forward; + forwarders { 10.53.0.11; }; +}; + +zone "local.net." { + type master; + file "local.net.db"; + forwarders {}; +}; diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in new file mode 100644 index 0000000..5a17d19 --- /dev/null +++ b/bin/tests/system/forward/ns9/named2.conf.in @@ -0,0 +1,68 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; + dnssec-validation no; + edns-udp-size 1232; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +server 10.53.0.10 { + edns no; +}; + +server 10.53.0.11 { + edns no; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "attacksecuredomain.net." { + type forward; + forward only; + forwarders { 10.53.0.10; }; +}; + +zone "attacksecuredomain.net2." { + type forward; + forward only; + forwarders { 10.53.0.10; }; +}; + +zone "attacksecuredomain.net3." { + type forward; + forward only; + forwarders { 10.53.0.11; }; +}; + +zone "local.net." { + type master; + file "local.net.db"; + forwarders {}; +}; diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in new file mode 100644 index 0000000..1e70d1a --- /dev/null +++ b/bin/tests/system/forward/ns9/named3.conf.in @@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; + dnssec-validation no; + edns-udp-size 1232; + forward only; + forwarders { 10.53.0.10; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +server 10.53.0.10 { + edns no; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "local.net." { + type master; + file "local.net.db"; + forwarders {}; +}; diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in new file mode 100644 index 0000000..6f7b107 --- /dev/null +++ b/bin/tests/system/forward/ns9/named4.conf.in @@ -0,0 +1,45 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; + dnssec-validation no; + edns-udp-size 1232; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +server 10.53.0.10 { + edns no; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "local.tld." { + type master; + file "local.tld.db"; +}; diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db new file mode 100644 index 0000000..4f30322 --- /dev/null +++ b/bin/tests/system/forward/ns9/root.db @@ -0,0 +1,11 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 diff --git a/bin/tests/system/forward/prereq.sh b/bin/tests/system/forward/prereq.sh new file mode 100644 index 0000000..53fb581 --- /dev/null +++ b/bin/tests/system/forward/prereq.sh @@ -0,0 +1,35 @@ +#!/bin/sh +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +if test -n "$PYTHON" +then + if $PYTHON -c "import dns" 2> /dev/null + then + : + else + echo_i "This test requires the dnspython module." >&2 + exit 1 + fi +else + echo_i "This test requires Python and the dnspython module." >&2 + exit 1 +fi + +if $PERL -e 'use Net::DNS;' 2>/dev/null +then + : +else + echo_i "This test requires the Net::DNS library." >&2 + exit 1 +fi diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh index d64579e..b89cb30 100644 --- a/bin/tests/system/forward/setup.sh +++ b/bin/tests/system/forward/setup.sh @@ -19,3 +19,6 @@ copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns7/named.conf.in ns7/named.conf +copy_setports ns8/named.conf.in ns8/named.conf +copy_setports ns9/named1.conf.in ns9/named.conf +copy_setports ns10/named.conf.in ns10/named.conf diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh index 1da4136..f0907f2 100644 --- a/bin/tests/system/forward/tests.sh +++ b/bin/tests/system/forward/tests.sh @@ -12,6 +12,14 @@ SYSTEMTESTTOP=.. DIGOPTS="-p ${PORT}" +dig_with_opts() ( + "$DIG" -p "$PORT" "$@" +) + +rndccmd() { + "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" +} + root=10.53.0.1 hidden=10.53.0.2 f1=10.53.0.3 @@ -156,5 +164,127 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +# +# Check various spoofed response scenarios. The same tests will be +# run twice, with "forward first" and "forward only" configurations. +# +run_spooftests () { + n=$((n+1)) + echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 + # check 'net' is not poisoned. + dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 + grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 + # check 'sub.local.net' is not poisoned. + dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 + grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 + # check that net2/DNAME is not cached + dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 + grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 + grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 3 - extra answer ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 + # check extra net3 records are not cached + rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i + for try in 1 2 3 4 5; do + lines=$(grep "net3" ns9/named_dump.db | wc -l) + if [ ${lines} -eq 0 ]; then + sleep 1 + continue + fi + [ ${lines} -eq 1 ] || ret=1 + grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 + grep -q '^local.net3' ns9/named_dump.db && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +} + +echo_i "checking spoofed response scenarios with forward first zones" +run_spooftests + +copy_setports ns9/named2.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +echo_i "rechecking spoofed response scenarios with forward only zones" +run_spooftests + +# +# This scenario expects the spoofed response to succeed. The tests are +# similar to the ones above, but not identical. +# +echo_i "rechecking spoofed response scenarios with 'forward only' set globally" +copy_setports ns9/named3.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 +# check 'net' is poisoned. +dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 +grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 +# check 'sub.local.net' is poisoned. +dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 +grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 +# check that net2/DNAME is cached +dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 +grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 +grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# This test doesn't use any forwarder clauses but is here because it +# is similar to forwarders, as the set of servers that can populate +# the namespace is defined by the zone content. +# +echo_i "rechecking spoofed response scenarios glue below local zone" +copy_setports ns9/named4.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking sibling glue below zone ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 +# check for glue A record for sub.local.tld is not used +dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 +grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 +grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh index ed45417..03a24fc 100755 --- a/bin/tests/system/ifconfig.sh +++ b/bin/tests/system/ifconfig.sh @@ -12,10 +12,10 @@ # # Set up interface aliases for bind9 system tests. # -# IPv4: 10.53.0.{1..8} RFC 1918 +# IPv4: 10.53.0.{1..11} RFC 1918 # 10.53.1.{0..2} # 10.53.2.{0..2} -# IPv6: fd92:7065:b8e:ffff::{1..8} ULA +# IPv6: fd92:7065:b8e:ffff::{1..11} ULA # fd92:7065:b8e:99ff::{1..2} # fd92:7065:b8e:ff::{1..2} # @@ -73,7 +73,7 @@ case "$1" in 2) ipv6="00" ;; *) ipv6="" ;; esac - for ns in 1 2 3 4 5 6 7 8 + for ns in 1 2 3 4 5 6 7 8 9 10 11 do [ $i -gt 0 -a $ns -gt 2 ] && break int=`expr $i \* 10 + $ns - 1` @@ -179,7 +179,7 @@ case "$1" in 2) ipv6="00" ;; *) ipv6="" ;; esac - for ns in 8 7 6 5 4 3 2 1 + for ns in 11 10 9 8 7 6 5 4 3 2 1 do [ $i -gt 0 -a $ns -gt 2 ] && continue int=`expr $i \* 10 + $ns - 1` -- 2.38.1