From bd8fdeb2d1ece6db6dfe9fdc024f3a81440c1c0c Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 18 Jan 2022 00:19:47 +1100 Subject: [PATCH] Add tests for forwarder cache poisoning scenarios - Check that an NS in an authority section returned from a forwarder which is above the name in a configured "forward first" or "forward only" zone (i.e., net/NS in a response from a forwarder configured for local.net) is not cached. - Test that a DNAME for a parent domain will not be cached when sent in a response from a forwarder configured to answer for a child. - Check that glue is rejected if its name falls below that of zone configured locally. - Check that an extra out-of-bailiwick data in the answer section is not cached (this was already working correctly, but was not explicitly tested before). (cherry picked from commit bf3fffff67e1de78e9387a93674d471bf4291604) (cherry picked from commit 59d1eb3ff810145c8098a0a4fbf93ef4380ad739) --- bin/tests/system/forward/ans11/ans.py | 136 ++++++++++++++++++ bin/tests/system/forward/clean.sh | 2 + bin/tests/system/forward/ns1/diditwork.net.db | 22 +++ bin/tests/system/forward/ns1/named.conf.in | 20 +++ bin/tests/system/forward/ns1/net.example.lll | 15 ++ bin/tests/system/forward/ns1/spoofed.net.db | 22 +++ bin/tests/system/forward/ns1/sub.local.net.db | 22 +++ bin/tests/system/forward/ns10/fakenet.zone | 17 +++ bin/tests/system/forward/ns10/fakenet2.zone | 15 ++ .../system/forward/ns10/fakesublocalnet.zone | 15 ++ .../system/forward/ns10/fakesublocaltld.zone | 15 ++ bin/tests/system/forward/ns10/named.conf.in | 53 +++++++ bin/tests/system/forward/ns10/net.example.lll | 15 ++ bin/tests/system/forward/ns10/spoofednet.zone | 16 +++ bin/tests/system/forward/ns2/tld.db | 6 + bin/tests/system/forward/ns4/named.conf.in | 5 + bin/tests/system/forward/ns4/sibling.tld.db | 22 +++ bin/tests/system/forward/ns8/named.conf.in | 5 + bin/tests/system/forward/ns8/sub.local.tld.db | 15 ++ bin/tests/system/forward/ns9/local.net.db | 16 +++ bin/tests/system/forward/ns9/local.tld.db | 15 ++ bin/tests/system/forward/ns9/named1.conf.in | 67 +++++++++ bin/tests/system/forward/ns9/named2.conf.in | 70 +++++++++ bin/tests/system/forward/ns9/named3.conf.in | 50 +++++++ bin/tests/system/forward/ns9/named4.conf.in | 47 ++++++ bin/tests/system/forward/ns9/root.db | 13 ++ bin/tests/system/forward/setup.sh | 2 + bin/tests/system/forward/tests.sh | 122 ++++++++++++++++ bin/tests/system/ifconfig.sh | 8 +- 29 files changed, 844 insertions(+), 4 deletions(-) create mode 100644 bin/tests/system/forward/ans11/ans.py create mode 100644 bin/tests/system/forward/ns1/diditwork.net.db create mode 100644 bin/tests/system/forward/ns1/net.example.lll create mode 100644 bin/tests/system/forward/ns1/spoofed.net.db create mode 100644 bin/tests/system/forward/ns1/sub.local.net.db create mode 100644 bin/tests/system/forward/ns10/fakenet.zone create mode 100644 bin/tests/system/forward/ns10/fakenet2.zone create mode 100644 bin/tests/system/forward/ns10/fakesublocalnet.zone create mode 100644 bin/tests/system/forward/ns10/fakesublocaltld.zone create mode 100644 bin/tests/system/forward/ns10/named.conf.in create mode 100644 bin/tests/system/forward/ns10/net.example.lll create mode 100644 bin/tests/system/forward/ns10/spoofednet.zone create mode 100644 bin/tests/system/forward/ns4/sibling.tld.db create mode 100644 bin/tests/system/forward/ns8/sub.local.tld.db create mode 100644 bin/tests/system/forward/ns9/local.net.db create mode 100644 bin/tests/system/forward/ns9/local.tld.db create mode 100644 bin/tests/system/forward/ns9/named1.conf.in create mode 100644 bin/tests/system/forward/ns9/named2.conf.in create mode 100644 bin/tests/system/forward/ns9/named3.conf.in create mode 100644 bin/tests/system/forward/ns9/named4.conf.in create mode 100644 bin/tests/system/forward/ns9/root.db diff --git a/bin/tests/system/forward/ans11/ans.py b/bin/tests/system/forward/ans11/ans.py new file mode 100644 index 0000000000..1d35b3d3f1 --- /dev/null +++ b/bin/tests/system/forward/ans11/ans.py @@ -0,0 +1,136 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +from __future__ import print_function +import os +import sys +import signal +import socket +import select +from datetime import datetime, timedelta +import time +import functools + +import dns, dns.message, dns.query, dns.flags +from dns.rdatatype import * +from dns.rdataclass import * +from dns.rcode import * +from dns.name import * + +# Log query to file +def logquery(type, qname): + with open("qlog", "a") as f: + f.write("%s %s\n", type, qname) + +############################################################################ +# Respond to a DNS query. +############################################################################ +def create_response(msg): + m = dns.message.from_wire(msg) + qname = m.question[0].name.to_text() + rrtype = m.question[0].rdtype + typename = dns.rdatatype.to_text(rrtype) + + with open("query.log", "a") as f: + f.write("%s %s\n" % (typename, qname)) + print("%s %s" % (typename, qname), end=" ") + + r = dns.message.make_response(m) + r.set_rcode(NOERROR) + if rrtype == A: + tld=qname.split('.')[-2] + '.' + ns="local." + tld + r.answer.append(dns.rrset.from_text(qname, 300, IN, A, "10.53.0.11")) + r.answer.append(dns.rrset.from_text(tld, 300, IN, NS, "local." + tld)) + r.additional.append(dns.rrset.from_text(ns, 300, IN, A, "10.53.0.11")) + elif rrtype == NS: + r.answer.append(dns.rrset.from_text(qname, 300, IN, NS, ".")) + elif rrtype == SOA: + r.answer.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) + else: + r.authority.append(dns.rrset.from_text(qname, 300, IN, SOA, ". . 0 0 0 0 0")) + r.flags |= dns.flags.AA + return r + +def sigterm(signum, frame): + print ("Shutting down now...") + os.remove('ans.pid') + running = False + sys.exit(0) + +############################################################################ +# Main +# +# Set up responder and control channel, open the pid file, and start +# the main loop, listening for queries on the query channel or commands +# on the control channel and acting on them. +############################################################################ +ip4 = "10.53.0.11" +ip6 = "fd92:7065:b8e:ffff::11" + +try: port=int(os.environ['PORT']) +except: port=5300 + +query4_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) +query4_socket.bind((ip4, port)) +havev6 = True +try: + query6_socket = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) + try: + query6_socket.bind((ip6, port)) + except: + query6_socket.close() + havev6 = False +except: + havev6 = False +signal.signal(signal.SIGTERM, sigterm) + +f = open('ans.pid', 'w') +pid = os.getpid() +print (pid, file=f) +f.close() + +running = True + +print ("Listening on %s port %d" % (ip4, port)) +if havev6: + print ("Listening on %s port %d" % (ip6, port)) +print ("Ctrl-c to quit") + +if havev6: + input = [query4_socket, query6_socket] +else: + input = [query4_socket] + +while running: + try: + inputready, outputready, exceptready = select.select(input, [], []) + except select.error as e: + break + except socket.error as e: + break + except KeyboardInterrupt: + break + + for s in inputready: + if s == query4_socket or s == query6_socket: + print ("Query received on %s" % + (ip4 if s == query4_socket else ip6), end=" ") + # Handle incoming queries + msg = s.recvfrom(65535) + rsp = create_response(msg[0]) + if rsp: + print(dns.rcode.to_text(rsp.rcode())) + s.sendto(rsp.to_wire(), msg[1]) + else: + print("NO RESPONSE") + if not running: + break diff --git a/bin/tests/system/forward/clean.sh b/bin/tests/system/forward/clean.sh index bc04eadb2c..b65b092680 100644 --- a/bin/tests/system/forward/clean.sh +++ b/bin/tests/system/forward/clean.sh @@ -10,10 +10,12 @@ # # Clean up after forward tests. # +rm -f ./ans11/query.log rm -f ./dig.out.* rm -f ./*/named.conf rm -f ./*/named.memstats rm -f ./*/named.run ./*/named.run.prev +rm -f ./*/named_dump.db rm -f ./ns*/named.lock rm -f ./ns*/managed-keys.bind* rm -f ./ns1/root.db ./ns1/root.db.signed diff --git a/bin/tests/system/forward/ns1/diditwork.net.db b/bin/tests/system/forward/ns1/diditwork.net.db new file mode 100644 index 0000000000..fd9a46eb0c --- /dev/null +++ b/bin/tests/system/forward/ns1/diditwork.net.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns + TXT "recursed" +ns A 10.53.0.1 diff --git a/bin/tests/system/forward/ns1/named.conf.in b/bin/tests/system/forward/ns1/named.conf.in index 4aef4e55e5..c5fb2eb172 100644 --- a/bin/tests/system/forward/ns1/named.conf.in +++ b/bin/tests/system/forward/ns1/named.conf.in @@ -63,3 +63,23 @@ zone "sld.tld" { zone "example6" { type forward; }; + +zone "diditwork.net" { + type primary; + file "diditwork.net.db"; +}; + +zone "spoofed.net" { + type primary; + file "spoofed.net.db"; +}; + +zone "sub.local.net" { + type primary; + file "sub.local.net.db"; +}; + +zone "net.example.lll" { + type master; + file "net.example.lll"; +}; diff --git a/bin/tests/system/forward/ns1/net.example.lll b/bin/tests/system/forward/ns1/net.example.lll new file mode 100644 index 0000000000..ba0804fd75 --- /dev/null +++ b/bin/tests/system/forward/ns1/net.example.lll @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net.example.lll. SOA . . 0 0 0 0 0 +net.example.lll. NS attackSecureDomain.net. +didItWork.net.example.lll. TXT "if you can see this record the attack worked" diff --git a/bin/tests/system/forward/ns1/spoofed.net.db b/bin/tests/system/forward/ns1/spoofed.net.db new file mode 100644 index 0000000000..eedc46f5c0 --- /dev/null +++ b/bin/tests/system/forward/ns1/spoofed.net.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns +ns A 10.53.0.1 +sub TXT "recursed" diff --git a/bin/tests/system/forward/ns1/sub.local.net.db b/bin/tests/system/forward/ns1/sub.local.net.db new file mode 100644 index 0000000000..fd9a46eb0c --- /dev/null +++ b/bin/tests/system/forward/ns1/sub.local.net.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 ; 5 minutes +@ IN SOA ns root ( + 2000082401 ; serial + 1800 ; refresh (30 minutes) + 1800 ; retry (30 minutes) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns + TXT "recursed" +ns A 10.53.0.1 diff --git a/bin/tests/system/forward/ns10/fakenet.zone b/bin/tests/system/forward/ns10/fakenet.zone new file mode 100644 index 0000000000..b655a32459 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakenet.zone @@ -0,0 +1,17 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net. SOA . . 0 0 0 0 0 +net. NS attackSecureDomain.net. +attackSecureDomain.net. A 10.53.0.10 +didItWork.net. TXT "if you can see this record the attack worked" +ns.spoofed.net. A 10.53.0.10 diff --git a/bin/tests/system/forward/ns10/fakenet2.zone b/bin/tests/system/forward/ns10/fakenet2.zone new file mode 100644 index 0000000000..cd1e6e9944 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakenet2.zone @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net2. SOA . . 0 0 0 0 0 +net2. NS attackSecureDomain.net. +net2. DNAME net.example.lll. diff --git a/bin/tests/system/forward/ns10/fakesublocalnet.zone b/bin/tests/system/forward/ns10/fakesublocalnet.zone new file mode 100644 index 0000000000..160b5332b2 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakesublocalnet.zone @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +sub.local.net. SOA . . 0 0 0 0 0 +sub.local.net. NS ns.spoofed.net. +sub.local.net. TXT "if you see this attacker overrode local delegation" diff --git a/bin/tests/system/forward/ns10/fakesublocaltld.zone b/bin/tests/system/forward/ns10/fakesublocaltld.zone new file mode 100644 index 0000000000..f78cbc77f6 --- /dev/null +++ b/bin/tests/system/forward/ns10/fakesublocaltld.zone @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 +sub.local.tld. 3600 IN NS ns.sub.local.tld. +sub.local.tld. 3600 IN TXT bad +ns.sub.local.tld. 3600 IN A 10.53.0.8 diff --git a/bin/tests/system/forward/ns10/named.conf.in b/bin/tests/system/forward/ns10/named.conf.in new file mode 100644 index 0000000000..1f318dd867 --- /dev/null +++ b/bin/tests/system/forward/ns10/named.conf.in @@ -0,0 +1,53 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.10; + notify-source 10.53.0.10; + transfer-source 10.53.0.10; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.10; }; + listen-on-v6 { none; }; + minimal-responses no; +}; + +zone "net." { + type master; + file "fakenet.zone"; +}; + +zone "spoofed.net." { + type master; + file "spoofednet.zone"; +}; + +zone "sub.local.net." { + type master; + file "fakesublocalnet.zone"; +}; + +zone "net2" { + type master; + file "fakenet2.zone"; +}; + +zone "net.example.lll" { + type master; + file "net.example.lll"; +}; + +zone "sub.local.tld." { + type master; + file "fakesublocaltld.zone"; +}; diff --git a/bin/tests/system/forward/ns10/net.example.lll b/bin/tests/system/forward/ns10/net.example.lll new file mode 100644 index 0000000000..ba0804fd75 --- /dev/null +++ b/bin/tests/system/forward/ns10/net.example.lll @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +net.example.lll. SOA . . 0 0 0 0 0 +net.example.lll. NS attackSecureDomain.net. +didItWork.net.example.lll. TXT "if you can see this record the attack worked" diff --git a/bin/tests/system/forward/ns10/spoofednet.zone b/bin/tests/system/forward/ns10/spoofednet.zone new file mode 100644 index 0000000000..fb70a4372b --- /dev/null +++ b/bin/tests/system/forward/ns10/spoofednet.zone @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +spoofed.net. SOA . . 0 0 0 0 0 +spoofed.net. NS ns.spoofed.net. +ns.spoofed.net. A 10.53.0.10 +spoofed.net. TXT "this record is clearly spoofed" diff --git a/bin/tests/system/forward/ns2/tld.db b/bin/tests/system/forward/ns2/tld.db index 61b6569b07..819210dc05 100644 --- a/bin/tests/system/forward/ns2/tld.db +++ b/bin/tests/system/forward/ns2/tld.db @@ -10,3 +10,9 @@ $TTL 300 ; 5 minutes ns A 10.53.0.2 sld NS ns.sld ns.sld A 10.53.0.1 +local NS ns.local +ns.local A 10.53.0.9 +sibling NS ns.sibling +ns.sibling A 10.53.0.4 +sibling NS ns.sub.local +ns.sub.local A 10.53.0.10 diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in index 855b4bfb82..85349aa97e 100644 --- a/bin/tests/system/forward/ns4/named.conf.in +++ b/bin/tests/system/forward/ns4/named.conf.in @@ -60,3 +60,8 @@ zone "malicious." { type primary; file "malicious.db"; }; + +zone "sibling.tld" { + type primary; + file "sibling.tld.db"; +}; diff --git a/bin/tests/system/forward/ns4/sibling.tld.db b/bin/tests/system/forward/ns4/sibling.tld.db new file mode 100644 index 0000000000..fe080ae974 --- /dev/null +++ b/bin/tests/system/forward/ns4/sibling.tld.db @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 86400 +@ IN SOA malicious. admin.malicious. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL + +@ IN NS ns + +ns IN A 10.53.0.4 diff --git a/bin/tests/system/forward/ns8/named.conf.in b/bin/tests/system/forward/ns8/named.conf.in index 531ff59ece..f752eae885 100644 --- a/bin/tests/system/forward/ns8/named.conf.in +++ b/bin/tests/system/forward/ns8/named.conf.in @@ -26,3 +26,8 @@ zone "." { type hint; file "root.db"; }; + +zone "sub.local.tld" { + type primary; + file "sub.local.tld.db"; +}; diff --git a/bin/tests/system/forward/ns8/sub.local.tld.db b/bin/tests/system/forward/ns8/sub.local.tld.db new file mode 100644 index 0000000000..f2234c754e --- /dev/null +++ b/bin/tests/system/forward/ns8/sub.local.tld.db @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +sub.local.tld. 3600 IN SOA . . 0 0 0 0 0 +sub.local.tld. 3600 IN NS ns.sub.local.tld. +sub.local.tld. 3600 IN TXT good +ns.sub.local.tld. 3600 IN A 10.53.0.8 diff --git a/bin/tests/system/forward/ns9/local.net.db b/bin/tests/system/forward/ns9/local.net.db new file mode 100644 index 0000000000..af0d2a5a67 --- /dev/null +++ b/bin/tests/system/forward/ns9/local.net.db @@ -0,0 +1,16 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +local.net. 3600 IN SOA . . 0 0 0 0 0 +local.net. 3600 IN NS localhost. +ns.local.net. 3600 IN A 10.53.0.9 +txt.local.net. 3600 IN TXT "something in the local auth zone" +sub.local.net. 3600 IN NS ns.spoofed.net. ; attacker will try to override this diff --git a/bin/tests/system/forward/ns9/local.tld.db b/bin/tests/system/forward/ns9/local.tld.db new file mode 100644 index 0000000000..876a9139da --- /dev/null +++ b/bin/tests/system/forward/ns9/local.tld.db @@ -0,0 +1,15 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +local.tld. 3600 IN SOA . . 0 0 0 0 0 +local.tld. 3600 IN NS localhost. +sub.local.tld. 3600 IN NS ns.sub.local.tld. +ns.sub.local.tld. 3600 IN A 10.53.0.8 diff --git a/bin/tests/system/forward/ns9/named1.conf.in b/bin/tests/system/forward/ns9/named1.conf.in new file mode 100644 index 0000000000..be9a43842f --- /dev/null +++ b/bin/tests/system/forward/ns9/named1.conf.in @@ -0,0 +1,67 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; + dnssec-validation no; + edns-udp-size 1232; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +server 10.53.0.10 { + edns no; +}; + +server 10.53.0.11 { + edns no; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "attacksecuredomain.net." { + type forward; + forwarders { 10.53.0.10; }; +}; + +zone "attacksecuredomain.net2." { + type forward; + forwarders { 10.53.0.10; }; +}; + +zone "attacksecuredomain.net3." { + type forward; + forwarders { 10.53.0.11; }; +}; + +zone "local.net." { + type primary; + file "local.net.db"; + forwarders {}; +}; diff --git a/bin/tests/system/forward/ns9/named2.conf.in b/bin/tests/system/forward/ns9/named2.conf.in new file mode 100644 index 0000000000..2c40b42a0c --- /dev/null +++ b/bin/tests/system/forward/ns9/named2.conf.in @@ -0,0 +1,70 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; + dnssec-validation no; + edns-udp-size 1232; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +server 10.53.0.10 { + edns no; +}; + +server 10.53.0.11 { + edns no; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "attacksecuredomain.net." { + type forward; + forward only; + forwarders { 10.53.0.10; }; +}; + +zone "attacksecuredomain.net2." { + type forward; + forward only; + forwarders { 10.53.0.10; }; +}; + +zone "attacksecuredomain.net3." { + type forward; + forward only; + forwarders { 10.53.0.11; }; +}; + +zone "local.net." { + type primary; + file "local.net.db"; + forwarders {}; +}; diff --git a/bin/tests/system/forward/ns9/named3.conf.in b/bin/tests/system/forward/ns9/named3.conf.in new file mode 100644 index 0000000000..576f57c10b --- /dev/null +++ b/bin/tests/system/forward/ns9/named3.conf.in @@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; + dnssec-validation no; + edns-udp-size 1232; + forward only; + forwarders { 10.53.0.10; }; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +server 10.53.0.10 { + edns no; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "local.net." { + type primary; + file "local.net.db"; + forwarders {}; +}; diff --git a/bin/tests/system/forward/ns9/named4.conf.in b/bin/tests/system/forward/ns9/named4.conf.in new file mode 100644 index 0000000000..5cd7d84109 --- /dev/null +++ b/bin/tests/system/forward/ns9/named4.conf.in @@ -0,0 +1,47 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +options { + query-source address 10.53.0.9; + notify-source 10.53.0.9; + transfer-source 10.53.0.9; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.9; }; + listen-on-v6 { none; }; + dnssec-validation no; + edns-udp-size 1232; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +server 10.53.0.10 { + edns no; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "local.tld." { + type primary; + file "local.tld.db"; +}; diff --git a/bin/tests/system/forward/ns9/root.db b/bin/tests/system/forward/ns9/root.db new file mode 100644 index 0000000000..2cbdff5977 --- /dev/null +++ b/bin/tests/system/forward/ns9/root.db @@ -0,0 +1,13 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 diff --git a/bin/tests/system/forward/setup.sh b/bin/tests/system/forward/setup.sh index 21cf67b782..a56dd3c03f 100644 --- a/bin/tests/system/forward/setup.sh +++ b/bin/tests/system/forward/setup.sh @@ -19,6 +19,8 @@ copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns7/named.conf.in ns7/named.conf copy_setports ns8/named.conf.in ns8/named.conf +copy_setports ns9/named1.conf.in ns9/named.conf +copy_setports ns10/named.conf.in ns10/named.conf ( cd ns1 diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh index 6096b06ca7..dfbaf887f7 100644 --- a/bin/tests/system/forward/tests.sh +++ b/bin/tests/system/forward/tests.sh @@ -253,5 +253,127 @@ grep "status: SERVFAIL" dig.out.$n.f1 > /dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status+ret)) +# +# Check various spoofed response scenarios. The same tests will be +# run twice, with "forward first" and "forward only" configurations. +# +run_spooftests () { + n=$((n+1)) + echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 + # check 'net' is not poisoned. + dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 + grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1 + # check 'sub.local.net' is not poisoned. + dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 + grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 + # check that net2/DNAME is not cached + dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 + grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1 + grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) + + n=$((n+1)) + echo_i "checking spoofed response scenario 3 - extra answer ($n)" + ret=0 + # prime + dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1 + # check extra net3 records are not cached + rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i + for try in 1 2 3 4 5; do + lines=$(grep "net3" ns9/named_dump.db | wc -l) + if [ ${lines} -eq 0 ]; then + sleep 1 + continue + fi + [ ${lines} -eq 1 ] || ret=1 + grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1 + grep -q '^local.net3' ns9/named_dump.db && ret=1 + done + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status+ret)) +} + +echo_i "checking spoofed response scenarios with forward first zones" +run_spooftests + +copy_setports ns9/named2.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +echo_i "rechecking spoofed response scenarios with forward only zones" +run_spooftests + +# +# This scenario expects the spoofed response to succeed. The tests are +# similar to the ones above, but not identical. +# +echo_i "rechecking spoofed response scenarios with 'forward only' set globally" +copy_setports ns9/named3.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1 +# check 'net' is poisoned. +dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1 +grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1 +# check 'sub.local.net' is poisoned. +dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1 +grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +n=$((n+1)) +echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1 +# check that net2/DNAME is cached +dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1 +grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1 +grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +# +# This test doesn't use any forwarder clauses but is here because it +# is similar to forwarders, as the set of servers that can populate +# the namespace is defined by the zone content. +# +echo_i "rechecking spoofed response scenarios glue below local zone" +copy_setports ns9/named4.conf.in ns9/named.conf +rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i +rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i +sleep 1 + +n=$((n+1)) +echo_i "checking sibling glue below zone ($n)" +ret=0 +# prime +dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1 +# check for glue A record for sub.local.tld is not used +dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1 +grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1 +grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/ifconfig.sh b/bin/tests/system/ifconfig.sh index e078f3313b..2a4d955caf 100755 --- a/bin/tests/system/ifconfig.sh +++ b/bin/tests/system/ifconfig.sh @@ -12,10 +12,10 @@ # # Set up interface aliases for bind9 system tests. # -# IPv4: 10.53.0.{1..10} RFC 1918 +# IPv4: 10.53.0.{1..11} RFC 1918 # 10.53.1.{1..2} # 10.53.2.{1..2} -# IPv6: fd92:7065:b8e:ffff::{1..10} ULA +# IPv6: fd92:7065:b8e:ffff::{1..11} ULA # fd92:7065:b8e:99ff::{1..2} # fd92:7065:b8e:ff::{1..2} # @@ -55,7 +55,7 @@ case "$1" in 2) ipv6="00" ;; *) ipv6="" ;; esac - for ns in 1 2 3 4 5 6 7 8 9 10 + for ns in 1 2 3 4 5 6 7 8 9 10 11 do [ $i -gt 0 -a $ns -gt 2 ] && break int=`expr $i \* 10 + $ns` @@ -160,7 +160,7 @@ case "$1" in 2) ipv6="00" ;; *) ipv6="" ;; esac - for ns in 10 9 8 7 6 5 4 3 2 1 + for ns in 11 10 9 8 7 6 5 4 3 2 1 do [ $i -gt 0 -a $ns -gt 2 ] && continue int=`expr $i \* 10 + $ns - 1` -- 2.34.1