From 6da142ff7f8d48e9c4adbe80f92f63668277bfef Mon Sep 17 00:00:00 2001
From: Diego Fronza
Date: Thu, 13 Feb 2020 20:17:13 -0300
Subject: [PATCH 1/4] Fixed rebinding protection bug when using forwarder setups

BIND wasn't honoring option "deny-answer-aliases" when configured to forward queries. Before the fix it was possible for nameservers listed in "forwarders" option to return CNAME answers pointing to unrelated domains of the original query, which could be used as a vector for rebinding attacks. The fix ensures that BIND apply filters even if configured as a forwarder instance.
---
 lib/dns/resolver.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 1ccc043117..73fc5763dc 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6985,9 +6985,15 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 /*
 * If the target name is a subdomain of the search domain, allow it.
+ *
+ * Note that if BIND is configured as a forwarding DNS server, the
+ * search domain will always match the root domain ("."), so we
+ * must also check whether forwarding is enabled so that filters
+ * can be applied; see GL #1574.
 */
-if (dns_name_issubdomain(tname, &fctx->domain))
+if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) {
 return (true);
+}
 /*
 * Otherwise, apply filters.
From 64c3c57b59670d17788191b047a561fb2397b9c4 Mon Sep 17 00:00:00 2001
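Review bot: The new comment asserts that the search domain "will always match the root domain" when forwarding, but with a per-zone `forward` statement (as ns4's `zone "grafted"` uses elsewhere in this series) `fctx->domain` may be that zone's name rather than `.`, so the stated justification is narrower than the check it guards; the condition itself is right either way, since a forwarder's answer is not tied to a delegation the resolver followed. Suggest rewording to `/* When forwarding, fctx->domain reflects the forwarding configuration rather than a delegation the resolver followed, so the subdomain shortcut is not a safe basis for trusting the target; always apply the filters. */`. Whether `fctx->forwarding` remains set for the whole fetch under `forward first` (fallback to iterative resolution after the forwarders fail) is not visible here — if it is cleared on fallback the shortcut is restored for the iterative path, which looks intended, but the system test added later in this series only exercises `forward only`, so a `forward first` case would pin that behaviour. is_answertarget_allowed() begins and ends outside the hunk.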
From: Diego Fronza
Date: Thu, 13 Feb 2020 20:35:25 -0300
Subject: [PATCH 2/4] Add test for the proposed fix

This test asserts that option "deny-answer-aliases" works correctly when forwarding requests. As a matter of example, the behavior expected for a forwarder BIND instance, having an option such as deny-answer-aliases { "domain"; } is that when forwarding a request for *.anything-but-domain, it is expected that it will return SERVFAIL if any answer received has a CNAME for "*.domain".
---
 bin/tests/system/forward/ns4/malicious.db | 13 +++++++++++++
 bin/tests/system/forward/ns4/named.conf.in | 5 +++++
 bin/tests/system/forward/ns5/named.conf.in | 6 ++++++
 bin/tests/system/forward/ns5/rebind.db | 13 +++++++++++++
 bin/tests/system/forward/tests.sh | 13 +++++++++++++
 5 files changed, 50 insertions(+)
 create mode 100644 bin/tests/system/forward/ns4/malicious.db
 create mode 100644 bin/tests/system/forward/ns5/rebind.db

diff --git a/bin/tests/system/forward/ns4/malicious.db b/bin/tests/system/forward/ns4/malicious.db
new file mode 100644
index 0000000000..f0b4b9cc6f
--- /dev/null
+++ b/bin/tests/system/forward/ns4/malicious.db
@@ -0,0 +1,13 @@
+$TTL 86400
+@ IN SOA malicious. admin.malicious. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+
+@ IN NS ns
+
+ns IN A 10.53.0.4
+
+target IN CNAME subdomain.rebind.
diff --git a/bin/tests/system/forward/ns4/named.conf.in b/bin/tests/system/forward/ns4/named.conf.in
index 643e1271b5..fee76b41e5 100644
--- a/bin/tests/system/forward/ns4/named.conf.in
+++ b/bin/tests/system/forward/ns4/named.conf.in
@@ -55,3 +55,8 @@ zone "grafted" {
 forward only;
 forwarders { 10.53.0.2; };
 };
+
+zone "malicious." {
+ type master;
+ file "malicious.db";
+};
diff --git a/bin/tests/system/forward/ns5/named.conf.in b/bin/tests/system/forward/ns5/named.conf.in
index f86de1a424..6742222d4d 100644
--- a/bin/tests/system/forward/ns5/named.conf.in
+++ b/bin/tests/system/forward/ns5/named.conf.in
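Review bot: The new zone is declared as `zone "malicious." {` with a trailing dot, while the companion hunk in ns5/named.conf.in declares `zone "rebind" {` without one and the existing `zone "grafted" {` in this file also omits it; both spellings name the same zone, but the inconsistency makes the fixture harder to grep and suggests a difference that does not exist. Suggest `zone "malicious" {` to match the file's existing style.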
@@ -19,6 +19,7 @@ options {
 listen-on-v6 { none; };
 forward only;
 forwarders { 10.53.0.4; };
+ deny-answer-aliases { "rebind"; };
 dnssec-validation yes;
 };
@@ -26,3 +27,8 @@ zone "." {
 type hint;
 file "root.db";
 };
+
+zone "rebind" {
+ type master;
+ file "rebind.db";
+};
diff --git a/bin/tests/system/forward/ns5/rebind.db b/bin/tests/system/forward/ns5/rebind.db
new file mode 100644
index 0000000000..4741e8c4c3
--- /dev/null
+++ b/bin/tests/system/forward/ns5/rebind.db
@@ -0,0 +1,13 @@
+$TTL 86400
+@ IN SOA rebind. admin.rebind. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 86400 ) ; Negative Cache TTL
+
+@ IN NS ns
+
+ns IN A 10.53.0.5
+
+subdomain IN A 10.53.0.1
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
index d76cd59217..fc3822cfb6 100644
--- a/bin/tests/system/forward/tests.sh
+++ b/bin/tests/system/forward/tests.sh
@@ -217,5 +217,18 @@ grep "status: NOERROR" dig.out.$n.f8 > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+n=$((n+1))
+echo_i "checking that rebinding protection works in forward only mode ($n)"
+ret=0
+# 10.53.0.5 will forward target.malicious. query to 10.53.0.4
+# which in turn will return a CNAME for subdomain.rebind.
+# to honor the option deny-answer-aliases { "rebind"; };
+# ns5 should return a SERVFAIL to avoid potential rebinding attacks
+dig_with_opts +noadd +noauth @10.53.0.5 target.malicious. > dig.out.$n || ret=1
+grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
From d13a505d40b22e38bdfa4c99b5613460e2920f12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 8 Apr 2020 08:56:26 +0200
Subject: [PATCH 3/4] Add CHANGES

---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index 912e0018fe..fc005b8a55 100644
--- a/CHANGES
+++ b/CHANGES
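Review bot: The tests.sh hunk checks only for `status: SERVFAIL`, so a regression that returned the filtered alias alongside a SERVFAIL (or a SERVFAIL produced for an unrelated reason, e.g. the `dnssec-validation yes` in ns5's options) would still pass; a negative check on the filtered name makes the assertion about the fix itself, e.g. `grep "subdomain.rebind" dig.out.$n > /dev/null && ret=1` after the existing grep. The case name says "forward only mode" and ns5 is configured `forward only`, so the `forward first` fallback path of the resolver change is not exercised by this series; if that mode has its own code path, a second case is worth adding. The two added blank lines before `echo_i "exit status: $status"` stack on the blank line the context already had, so one of them can go.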
@@ -1,3 +1,7 @@
+5376. [bug] Fix DNS ineffective rebinding protection when BIND 9
+ is configured as a forwarding DNS server. [GL #1574]
+ (Thanks to Tobias Klein)
+
 5358. [bug] Inline master zones whose master files were touched but otherwise unchanged and were subsequently reloaded may have stopped re-signing. [GL !3135]
From 163cc168e5096d9d2475dfea786d9ec471ab7fd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 8 Apr 2020 08:58:53 +0200
Subject: [PATCH 4/4] Add release notes

---
 doc/arm/notes-9.14.12.xml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/doc/arm/notes-9.14.12.xml b/doc/arm/notes-9.14.12.xml
index e0f96ed5c6..68130aa4ad 100644
--- a/doc/arm/notes-9.14.12.xml
+++ b/doc/arm/notes-9.14.12.xml
@@ -11,6 +11,18 @@
Notes for BIND 9.14.12 +
Security Fixes + + + + DNS rebinding protection was ineffective when BIND 9 is configured as + a forwarding DNS server. Found and responsibly reported by Tobias + Klein. [GL #1574] + + + +
+
Bug Fixes