Enforce presence of query section in reply.

git-svn-id: file:///svn/unbound/trunk@1018 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2008-03-25 14:03:31 +00:00
parent bbe801da93
commit 87700fea40
3 changed files with 109 additions and 0 deletions


@ -1,3 +1,13 @@
25 March 2008: Wouter
- implemented check that for NXDOMAIN and NOERROR answers a query
section must be present in the reply (by the scrubber). And it must
be equal to the question sent, at least lowercase folded.
Previously this feature happened because the cache code refused
to store such messages. However blocking by the scrubber makes
sure nothing gets into the RRset cache. Also, this looks like a
timeout (instead of an allocation failure) and this retries are
done (which is useful in a spoofing situation).
7 March 2008: Wouter 7 March 2008: Wouter
- -C config feature for harvest program. - -C config feature for harvest program.
- harvest handles CNAMEs too. - harvest handles CNAMEs too.
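Review bot: typo in the new Changelog entry, "this retries are done" should read "thus retries are done" (the sentence is explaining that a scrubber drop looks like a timeout and therefore triggers retries). The entry also says the check applies to NXDOMAIN and NOERROR answers but not why other rcodes are left alone; one clause on that would save the next reader a trip into iter_scrub.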


@ -564,6 +564,14 @@ scrub_message(ldns_buffer* pkt, struct msg_parse* msg,
if( !(msg->flags&BIT_QR) ) if( !(msg->flags&BIT_QR) )
return 0; return 0;
/* make sure that a query is echoed back when NOERROR or NXDOMAIN */
/* this is not required for basic operation but is a forgery
* resistance (security) feature */
if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR ||
FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) &&
msg->qdcount == 0)
return 0;
/* if a query is echoed back, make sure it is correct. Otherwise, /* if a query is echoed back, make sure it is correct. Otherwise,
* this may be not a reply to our query. */ * this may be not a reply to our query. */
if(msg->qdcount == 1) { if(msg->qdcount == 1) {
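Review bot: the new `return 0` for a NOERROR/NXDOMAIN reply with `msg->qdcount == 0` drops the message silently, so an operator cannot tell a scrubbed (possibly forged) reply from a genuine upstream timeout, which is exactly the equivalence the Changelog relies on; a verbose-level log line before the return would keep the timeout-like retry behaviour while leaving a trace for detection. The comment above the check says it is a forgery resistance feature but does not say why replies with other rcodes (SERVFAIL, REFUSED) are still accepted without a question section; a sentence there would document the intended scope.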

testdata/iter_req_qname.rpl

@ -0,0 +1,91 @@
; config options
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test a query name in the reply is required by resolver
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END
; ns.example.com.
; always the same reply since we cannot match anything from the qsection.
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
; no query section!
; www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; recursion happens here.
; the query name is echoed properly to *our* client
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END
SCENARIO_END
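Review bot: the scenario only exercises the NOERROR half of the new scrubber check (the ns.example.com entry sends `REPLY QR NOERROR` with the question section commented out and the client is expected to get SERVFAIL at STEP 10); since the code change rejects NXDOMAIN replies without a question section too, a second entry or scenario using `REPLY QR NXDOMAIN` with no question section would cover the other branch. The `MATCH opcode` on that entry is explained by the "cannot match anything from the qsection" comment, which is fine as is.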