upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch '1574-confidential-issue-rebinding-protection-fail-in-forwarding-mode-v9_14' into 'v9_14'

Browse source 
Resolve "DNS rebinding protection is ineffective when BIND is configured as a forwarding DNS server"

See merge request isc-projects/bind9!3344
This commit is contained in:
Ondřej Surý 2020-04-08 09:04:30 +00:00
commit 546af0511a
8 changed files with 73 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGES
View file

@ -1,3 +1,7 @@
5376. [bug] Fix DNS ineffective rebinding protection when BIND 9
is configured as a forwarding DNS server. [GL #1574]
(Thanks to Tobias Klein)
5358. [bug] Inline master zones whose master files were touched
but otherwise unchanged and were subsequently reloaded
may have stopped re-signing. [GL !3135]

13
bin/tests/system/forward/ns4/malicious.db Normal file
View file

@ -0,0 +1,13 @@
$TTL 86400
@ IN SOA malicious. admin.malicious. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS ns
ns IN A 10.53.0.4
target IN CNAME subdomain.rebind.

5
bin/tests/system/forward/ns4/named.conf.in
View file

@ -55,3 +55,8 @@ zone "grafted" {
forward only;
forwarders { 10.53.0.2; };
};
zone "malicious." {
type master;
file "malicious.db";
};

6
bin/tests/system/forward/ns5/named.conf.in
View file

@ -19,6 +19,7 @@ options {
listen-on-v6 { none; };
forward only;
forwarders { 10.53.0.4; };
deny-answer-aliases { "rebind"; };
dnssec-validation yes;
};
@ -26,3 +27,8 @@ zone "." {
type hint;
file "root.db";
};
zone "rebind" {
type master;
file "rebind.db";
};

13
bin/tests/system/forward/ns5/rebind.db Normal file
View file

@ -0,0 +1,13 @@
$TTL 86400
@ IN SOA rebind. admin.rebind. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS ns
ns IN A 10.53.0.5
subdomain IN A 10.53.0.1

13
bin/tests/system/forward/tests.sh
View file

@ -217,5 +217,18 @@ grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
n=$((n+1))
echo_i "checking that rebinding protection works in forward only mode ($n)"
ret=0
# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
# which in turn will return a CNAME for subdomain.rebind.
# to honor the option deny-answer-aliases { "rebind"; };
# ns5 should return a SERVFAIL to avoid potential rebinding attacks
dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

12
doc/arm/notes-9.14.12.xml
View file

@ -11,6 +11,18 @@
<section xml:id="relnotes-9.14.12"><info><title>Notes for BIND 9.14.12</title></info>
<section xml:id="relnotes-9.14.12-security"><info><title>Security Fixes</title></info>
<itemizedlist>
<listitem>
<para>
DNS rebinding protection was ineffective when BIND 9 is configured as
a forwarding DNS server. Found and responsibly reported by Tobias
Klein. [GL #1574]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes-9.14.12-bugs"><info><title>Bug Fixes</title></info>
<itemizedlist>
<listitem>

8
lib/dns/resolver.c
View file

@ -6985,9 +6985,15 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
/*
* If the target name is a subdomain of the search domain, allow it.
*
* Note that if BIND is configured as a forwarding DNS server, the
* search domain will always match the root domain ("."), so we
* must also check whether forwarding is enabled so that filters
* can be applied; see GL #1574.
*/
if (dns_name_issubdomain(tname, &fctx->domain))
if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) {
return (true);
}
/*
* Otherwise, apply filters.