From 39b5f5bbc640a824ca6820b352c77932abf29a36 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Thu, 15 Jun 2017 07:59:05 +0000
Subject: [PATCH] - Fix stub zone queries leaking to the internet for harden-referral-path ns checks.
git-svn-id: file:///svn/unbound/trunk@4226 be551aaa-1e26-0410-a405-d3ace91eadb9
---
doc/Changelog | 4 ++++
iterator/iterator.c | 57 ++++++++++++++++++++++++---------------------
2 files changed, 34 insertions(+), 27 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index 4ecb5ffbf..e78cf6e9b 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+15 June 2017: Wouter
+ - Fix stub zone queries leaking to the internet for
+ harden-referral-path ns checks.
+
 13 June 2017: Wouter
 - Fix #1279: Memory leak on reload when python module is enabled.
 - Fix #1280: Unbound fails assert when response from authoritative
diff --git a/iterator/iterator.c b/iterator/iterator.c
index a57fa3b65..2c981628b 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -525,6 +525,33 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
 return 1;
 }
 
+/** see if last resort is possible - does config allow queries to parent */
+static int
+can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
+ uint16_t qclass)
+{
+ struct delegpt* fwddp;
+ struct iter_hints_stub* stub;
+ int labs = dname_count_labels(nm);
+ /* do not process a last resort (the parent side) if a stub
+ * or forward is configured, because we do not want to go 'above'
+ * the configured servers */
+ if(!dname_is_root(nm) && (stub = (struct iter_hints_stub*)
+ name_tree_find(&env->hints->tree, nm, nmlen, labs, qclass)) &&
+ /* has_parent side is turned off for stub_first, where we
+ * are allowed to go to the parent */
+ stub->dp->has_parent_side_NS) {
+ return 0;
+ }
+ if((fwddp = forwards_find(env->fwds, nm, qclass)) &&
+ /* has_parent_side is turned off for forward_first, where
+ * we are allowed to go to the parent */
+ fwddp->has_parent_side_NS) {
+ return 0;
+ }
+ return 1;
+}
+
 /** see if target name is caps-for-id whitelisted */
 static int
 is_caps_whitelisted(struct iter_env* ie, struct iter_qstate* iq)
@@ -869,6 +896,9 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
 
 if(iq->depth == ie->max_dependency_depth)
 return;
+ if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
+ iq->qchase.qclass))
+ return;
 /* is this query the same as the nscheck? */
 if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
 query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
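Review bot: The header comment on the relocated can_have_last_resort, `/** see if last resort is possible - does config allow queries to parent */`, no longer covers its second caller, since the next hunk uses the same predicate to decide whether a harden-referral-path NS check may run at all; suggest `/** may queries for nm be sent to its parent side? 0 if a stub or forward zone (without the _first option) is configured at nm. Used for last resort and to skip NS checks that would leave the configured servers */`. If I read name_tree_find as an exact-name search, the stub test only fires when nm is the configured zone name itself rather than a name below it, which is worth stating in that comment so callers pass the zone apex. The body is otherwise moved unchanged from the third hunk.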
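Review bot: The new early return in generate_ns_check is silent, so a stub or forward zone that never receives its harden-referral-path NS check is indistinguishable in the logs from one whose check failed; a comment and a verbose line would make the skip diagnosable, e.g. `/* a stub or forward zone (without _first) must not be checked at its parent: the NS query would leak above the configured servers */` above the call and `verbose(VERB_ALGO, "skip ns check for stub or forward zone");` before the `return;`. Placing the test after the max_dependency_depth check is sensible, as each call costs a hints-tree and a forwards lookup. generate_ns_check starts and ends outside the hunk, so whether iq->dp is guaranteed non-NULL before iq->dp->name is dereferenced here is not visible and should be confirmed against the function's preamble.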
@@ -1574,33 +1604,6 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
 return 1;
 }
 
-/** see if last resort is possible - does config allow queries to parent */
-static int
-can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
- uint16_t qclass)
-{
- struct delegpt* fwddp;
- struct iter_hints_stub* stub;
- int labs = dname_count_labels(nm);
- /* do not process a last resort (the parent side) if a stub
- * or forward is configured, because we do not want to go 'above'
- * the configured servers */
- if(!dname_is_root(nm) && (stub = (struct iter_hints_stub*)
- name_tree_find(&env->hints->tree, nm, nmlen, labs, qclass)) &&
- /* has_parent side is turned off for stub_first, where we
- * are allowed to go to the parent */
- stub->dp->has_parent_side_NS) {
- return 0;
- }
- if((fwddp = forwards_find(env->fwds, nm, qclass)) &&
- /* has_parent_side is turned off for forward_first, where
- * we are allowed to go to the parent */
- fwddp->has_parent_side_NS) {
- return 0;
- }
- return 1;
-}
-
 /**
 * Called by processQueryTargets when it would like extra targets to query
 * but it seems to be out of options. At last resort some less appealing