Merge branch '1574-confidential-issue-rebinding-protection-fail-in-forwarding-mode-master' into 'master'

Resolve "DNS rebinding protection is ineffective when BIND is configured as a forwarding DNS server"

Closes #1574

See merge request isc-projects/bind9!3342

CHANGES

@@ -1,3 +1,7 @@
+5376.	[bug]		Fix DNS ineffective rebinding protection when BIND 9
+			is configured as a forwarding DNS server. [GL #1574]
+			(Thanks to Tobias Klein)
+
 5375.	[test]		Fix timing issue in kasp test. [GL #1669]
 
 5374.	[bug]		Statistics counters counting recursive clients and

bin/tests/system/forward/ns4/malicious.db

@@ -0,0 +1,13 @@
+$TTL    86400
+@       IN      SOA     malicious. admin.malicious. (
+                              1         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          86400 )       ; Negative Cache TTL
+
+@           IN    NS      ns
+
+ns          IN    A       10.53.0.4
+
+target      IN    CNAME   subdomain.rebind.

bin/tests/system/forward/ns4/named.conf.in

@@ -55,3 +55,8 @@ zone "grafted" {
 	forward only;
 	forwarders { 10.53.0.2; };
 };
+
+zone "malicious." {
+	type master;
+	file "malicious.db";
+};

bin/tests/system/forward/ns5/named.conf.in

@@ -19,6 +19,7 @@ options {
 	listen-on-v6 { none; };
 	forward only;
 	forwarders { 10.53.0.4; };
+	deny-answer-aliases { "rebind"; };
 	dnssec-validation yes;
 };
 
@@ -26,3 +27,8 @@ zone "." {
 	type hint;
 	file "root.db";
 };
+
+zone "rebind" {
+	type master;
+	file "rebind.db";
+};

bin/tests/system/forward/ns5/rebind.db

@@ -0,0 +1,13 @@
+$TTL    86400
+@       IN      SOA     rebind. admin.rebind. (
+                              1         ; Serial
+                         604800         ; Refresh
+                          86400         ; Retry
+                        2419200         ; Expire
+                          86400 )       ; Negative Cache TTL
+
+@           IN    NS    ns
+
+ns          IN    A     10.53.0.5
+
+subdomain   IN    A     10.53.0.1

bin/tests/system/forward/tests.sh

@@ -218,5 +218,18 @@ grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+n=$((n+1))
+echo_i "checking that rebinding protection works in forward only mode ($n)"
+ret=0
+# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
+# which in turn will return a CNAME for subdomain.rebind.
+# to honor the option deny-answer-aliases { "rebind"; };
+# ns5 should return a SERVFAIL to avoid potential rebinding attacks
+dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
+grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

doc/arm/notes-9.17.1.xml

@@ -15,7 +15,9 @@
     <itemizedlist>
       <listitem>
         <para>
-	  None.
+	  DNS rebinding protection was ineffective when BIND 9 is configured as
+	  a forwarding DNS server.  Found and responsibly reported by Tobias
+	  Klein.  [GL #1574]
         </para>
       </listitem>
     </itemizedlist>

lib/dns/resolver.c

@@ -7115,8 +7115,13 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 
 	/*
 	 * If the target name is a subdomain of the search domain, allow it.
+	 *
+	 * Note that if BIND is configured as a forwarding DNS server, the
+	 * search domain will always match the root domain ("."), so we
+	 * must also check whether forwarding is enabled so that filters
+	 * can be applied; see GL #1574.
 	 */
-	if (dns_name_issubdomain(tname, &fctx->domain)) {
+	if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) {
 		return (true);
 	}