Test that fake child delegation cannot overwrite parent's glue RR

In short, the attacker tries to spoof at least one answer that has the
following form:

    rcode NOERROR
    flags QR
    ;QUESTION
    trigger$RANDOM.victim. IN TXT
    ;ANSWER
    ;AUTHORITY
    trigger$RANDOM.victim. 3600 IN NS ns.victim.
    ;ADDITIONAL
    ns.victim. 3600 IN A 10.53.0.3

This attack was originally reported as "test case 2".

Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit b5dc46fe6e)
This commit is contained in:
Petr Špaček 2025-07-23 20:26:43 +02:00 committed by Michał Kępień (GitLab job 6660033)
parent ae0afc1d42
commit 6b315c08eb
2 changed files with 37 additions and 0 deletions


@ -55,6 +55,28 @@ class UnsolicitedNsSpoofer(ResponseSpoofer, mode="unsolicited-ns"):
yield DnsResponseSend(response, authoritative=True)
class ParentGlueSpoofer(ResponseSpoofer, mode="parent-glue"):
qname = "trigger.victim."
async def get_responses(
self, qctx: QueryContext
) -> AsyncGenerator[ResponseAction, None]:
response = qctx.prepare_new_response(with_zone_data=False)
ns_rrset = dns.rrset.from_text(
"trigger.victim.", TTL, qctx.qclass, dns.rdatatype.NS, "ns.victim."
)
response.authority.append(ns_rrset)
glue_rrset = dns.rrset.from_text(
"ns.victim.", TTL, qctx.qclass, dns.rdatatype.A, ATTACKER_IP
)
response.additional.append(glue_rrset)
yield DnsResponseSend(response, authoritative=False)
def main() -> None:
spoofing_server().run()
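Review bot: ParentGlueSpoofer has no class docstring, so a reader of the mode name "parent-glue" cannot tell what the forged response is meant to exercise; the explanation lives only in the commit message and belongs on the class. I would add a docstring stating that the spoofer answers the trigger query with a non-authoritative referral of `trigger.victim.` to `ns.victim.` plus an additional-section A record for `ns.victim.` set to ATTACKER_IP, which the resolver under test must not let replace the parent's glue. The `authoritative=False` on the yield is the one visible difference from the neighbouring UnsolicitedNsSpoofer, which yields `authoritative=True`, and a why-comment such as `# QR only, no AA: a plain referral, as in the reported "test case 2"` would make that deliberate rather than accidental. The class attribute `qname = "trigger.victim."` and the NS rrset both hard-code the name, while the commit message shows `trigger$RANDOM.victim.`; if the trigger label is randomised elsewhere, the rrset owner name should presumably come from `qctx` — worth confirming against the trigger sender.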


@ -11,6 +11,8 @@
from typing import Dict
import time
import dns.message
import pytest
@ -94,3 +96,16 @@ def test_bailiwick_unsolicited_authority(servers: Dict[str, NamedInstance]) -> N
prime_cache(ns4)
send_trigger_query(ns4, "trigger.victim.")
check_domain_hijack(ns4)
def test_bailiwick_parent_glue(servers: Dict[str, NamedInstance]) -> None:
set_spoofing_mode(ans1="none", ans2="parent-glue")
ns4 = servers["ns4"]
prime_cache(ns4)
send_trigger_query(ns4, "trigger.victim.")
isctest.log.info("Waiting 61 seconds for the ns.victim. ADB entry to expire")
time.sleep(61)
check_domain_hijack(ns4)
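Review bot: `time.sleep(61)` in test_bailiwick_parent_glue is a bare magic number whose only explanation is the adjacent log line; the 61 presumably sits just past the resolver's ADB lifetime for the `ns.victim.` address, and that should be a named constant with a comment, e.g. `ADB_EXPIRY_WAIT_SECONDS = 61  # NOTE(review): assumed ADB lifetime of the ns.victim. address plus a 1 s margin — confirm`. The test also checks for the hijack only after the wait, so it cannot distinguish spoofed glue that was never accepted from glue that was accepted and then expired; if `check_domain_hijack(ns4)` is cheap, calling it once before the sleep as well would pin both behaviours. The context lines at the top of this hunk are the tail of test_bailiwick_unsolicited_authority, which begins outside it.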