From cf7b0de1eb98df64573002ada3d604a1beac2662 Mon Sep 17 00:00:00 2001
From: Diego Fronza
Date: Thu, 13 Feb 2020 20:17:13 -0300
Subject: [PATCH 1/4] Fixed rebinding protection bug when using forwarder setups

BIND wasn't honoring option "deny-answer-aliases" when configured to forward queries. Before the fix it was possible for nameservers listed in "forwarders" option to return CNAME answers pointing to unrelated domains of the original query, which could be used as a vector for rebinding attacks. The fix ensures that BIND apply filters even if configured as a forwarder instance.

(cherry picked from commit af6a4de3d5ad6c1967173facf366e6c86b3ffc28)
---
 lib/dns/resolver.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 51bc368bf6..645a3e12cb 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7115,8 +7115,13 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 /*
  * If the target name is a subdomain of the search domain, allow it.
+ *
+ * Note that if BIND is configured as a forwarding DNS server, the
+ * search domain will always match the root domain ("."), so we
+ * must also check whether forwarding is enabled so that filters
+ * can be applied; see GL #1574.
  */
- if (dns_name_issubdomain(tname, &fctx->domain)) {
+ if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) {
  return (true);
  }

From eb7a66427467c22df28233f40ac4e437fbba10f3 Mon Sep 17 00:00:00 2001
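Review bot: With the new condition on the `if` line, a forwarded answer gets no in-zone exemption at all — a CNAME whose target sits under the queried zone is filtered exactly like a foreign one once `fctx->forwarding` is set, whereas the iterative path still returns true for it — and the added comment explains why the exemption is useless under forwarding but not that the two paths now behave differently. I would add one line to that comment, e.g. `* Consequently, forwarded answers get no in-zone exemption here.`, so a later reader does not try to "restore" it. It is also worth confirming that `fctx->forwarding` is cleared when a "forward first" setup falls back to iterative resolution, since the comment's "always" holds only in that case. The body of is_answertarget_allowed, including the filtering reached when this check does not return, continues outside the hunk.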
From: Diego Fronza
Date: Thu, 13 Feb 2020 20:35:25 -0300
Subject: [PATCH 2/4] Add test for the proposed fix

This test asserts that option "deny-answer-aliases" works correctly when forwarding requests. As a matter of example, the behavior expected for a forwarder BIND instance, having an option such as deny-answer-aliases { "domain"; } is that when forwarding a request for *.anything-but-domain, it is expected that it will return SERVFAIL if any answer received has a CNAME for "*.domain".

(cherry picked from commit 9bdb960a16a69997b08746e698b6b02c8dc6c795)
---
 bin/tests/system/forward/ns4/malicious.db | 13 +++++++++++++
 bin/tests/system/forward/ns4/named.conf.in | 5 +++++
 bin/tests/system/forward/ns5/named.conf.in | 6 ++++++
 bin/tests/system/forward/ns5/rebind.db | 13 +++++++++++++
 bin/tests/system/forward/tests.sh | 13 +++++++++++++
 5 files changed, 50 insertions(+)
 create mode 100644 bin/tests/system/forward/ns4/malicious.db
 create mode 100644 bin/tests/system/forward/ns5/rebind.db

diff --git a/bin/tests/system/forward/ns4/malicious.db b/bin/tests/system/forward/ns4/malicious.db
new file mode 100644
index 0000000000..f0b4b9cc6f
--- /dev/null
+++ b/bin/tests/system/forward/ns4/malicious.db
@@ -0,0 +1,13 @@
+$TTL 86400
+@ IN SOA malicious. admin.malicious. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+
+@ IN NS ns
+
+ns IN A 10.53.0.4
+
+target IN CNAME subdomain.rebind.
diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
index 643e1271b5..fee76b41e5 100644
--- a/bin/tests/system/forward/ns4/named.conf.in
+++ b/bin/tests/system/forward/ns4/named.conf.in
@@ -55,3 +55,8 @@ zone "grafted" {
 forward only;
 forwarders { 10.53.0.2; };
 };
+
+zone "malicious." {
+ type master;
+ file "malicious.db";
+};
diff --git a/bin/tests/system/forward/ns5/named.conf.in b/bin/tests/system/forward/ns5/named.conf.in
index f86de1a424..6742222d4d 100644
--- a/bin/tests/system/forward/ns5/named.conf.in
+++ b/bin/tests/system/forward/ns5/named.conf.in
@@ -19,6 +19,7 @@ options {
 listen-on-v6 { none; };
 forward only;
 forwarders { 10.53.0.4; };
+ deny-answer-aliases { "rebind"; };
 dnssec-validation yes;
 };
@@ -26,3 +27,8 @@ zone "." {
 type hint;
 file "root.db";
 };
+
+zone "rebind" {
+ type master;
+ file "rebind.db";
+};
diff --git a/bin/tests/system/forward/ns5/rebind.db b/bin/tests/system/forward/ns5/rebind.db
new file mode 100644
index 0000000000..4741e8c4c3
--- /dev/null
+++ b/bin/tests/system/forward/ns5/rebind.db
@@ -0,0 +1,13 @@
+$TTL 86400
+@ IN SOA rebind. admin.rebind. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+
+@ IN NS ns
+
+ns IN A 10.53.0.5
+
+subdomain IN A 10.53.0.1
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
index 7ecd38b210..bbfaa10243 100644
--- a/bin/tests/system/forward/tests.sh
+++ b/bin/tests/system/forward/tests.sh
@@ -218,5 +218,18 @@ grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+n=$((n+1))
+echo_i "checking that rebinding protection works in forward only mode ($n)"
+ret=0
+# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
+# which in turn will return a CNAME for subdomain.rebind.
+# to honor the option deny-answer-aliases { "rebind"; };
+# ns5 should return a SERVFAIL to avoid potential rebinding attacks
+dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
+grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

From f15653454edc4470d4a7d5dbfee6c71bb7d791cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 8 Apr 2020 08:56:26 +0200
Subject: [PATCH 3/4] Add CHANGES

---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)
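Review bot: The new check exercises only the `forward only` configuration of ns5, so whether the same cross-domain CNAME is rejected under `forward first` — where the resolver may fall back to iteration after the forwarder answers — is left unpinned; a second case against a forward-first server, or a word in the test name saying the forward-only limit is deliberate, would close that gap. The comment lines above `dig_with_opts` describe the setup well; the last could name what is being covered, e.g. `# regression test for GL #1574`. The hunk also appends two empty lines after `status=$((status+ret))` on top of the blank line already preceding `echo_i "exit status: $status"`, leaving three where the rest of the file uses one.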
diff --git a/CHANGES b/CHANGES
index 3c771b5e6c..21d1744e6d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5376. [bug] Fix DNS ineffective rebinding protection when BIND 9
+ is configured as a forwarding DNS server. [GL #1574]
+ (Thanks to Tobias Klein)
+
 5375. [test] Fix timing issue in kasp test. [GL #1669]
 5374. [bug] Statistics counters counting recursive clients and

From 157f2da8370cced1f4735fa9cc21f92033cf4e88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 8 Apr 2020 08:58:53 +0200
Subject: [PATCH 4/4] Add release notes

---
 doc/arm/notes-9.17.1.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/arm/notes-9.17.1.xml b/doc/arm/notes-9.17.1.xml
index b807089039..65b5bfb6e2 100644
--- a/doc/arm/notes-9.17.1.xml
+++ b/doc/arm/notes-9.17.1.xml
@@ -15,7 +15,9 @@
- None.
+ DNS rebinding protection was ineffective when BIND 9 is configured as
+ a forwarding DNS server. Found and responsibly reported by Tobias
+ Klein. [GL #1574]