upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-02-03 20:29:28 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
unbound/testdata/iter_scrub_promiscuous.rpl
Yorgos Thessalonikefs f6269baa60 - Additional fix for CVE-2025-11411 (possible domain hijacking attack), 
to include YXDOMAIN and non-referral nodata answers in the mitigation as
  well, reported by TaoFei Guo from Peking University, Yang Luo and JianJun
  Chen from Tsinghua University.
2025-11-26 11:09:40 +01:00

457 lines
8.5 KiB
Text
Raw Blame History

; config options
server:
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: no
iter-scrub-promiscuous: yes
stub-zone:
name: "."
stub-addr: 1.2.3.0 # ns.root
CONFIG_END
SCENARIO_BEGIN Test iterator with scrub of promiscuous records
; The test queries receive spoofed answers. The check queries see if
; the record is returned by the original server or by a spoofed source.
; The test domains are pollute1.mesa, pollute2.mesa and pollute3.mesa.
; The spoofed contents are ns.attacker.mesa and its IPs 5.6.7.8 and 5.6.7.9.
; The pollute1.mesa NS, ns.pollute2.mesa A, and test3.atkr.pollute3.mesa NS
; with ns.pollute3.mesa A records are tested for cache placement.
; pollute4.mesa uses YXDOMAIN.
; ns.root
RANGE_BEGIN 0 400
ADDRESS 1.2.3.0
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS NS.ROOT.
SECTION ADDITIONAL
NS.ROOT. IN A 1.2.3.0
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
mesa. IN NS
SECTION AUTHORITY
mesa. IN NS ns.mesa.
SECTION ADDITIONAL
ns.mesa. IN A 1.2.7.7
ENTRY_END
RANGE_END
; ns.mesa
RANGE_BEGIN 0 400
ADDRESS 1.2.7.7
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
pollute1.mesa. IN NS
SECTION AUTHORITY
pollute1.mesa. IN NS ns.pollute1.mesa.
SECTION ADDITIONAL
ns.pollute1.mesa. IN A 1.2.4.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
pollute2.mesa. IN NS
SECTION AUTHORITY
pollute2.mesa. IN NS ns.pollute2.mesa.
SECTION ADDITIONAL
ns.pollute2.mesa. IN A 1.2.4.2
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
pollute3.mesa. IN NS
SECTION AUTHORITY
pollute3.mesa. IN NS ns.pollute3.mesa.
SECTION ADDITIONAL
ns.pollute3.mesa. IN A 1.2.4.3
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
pollute4.mesa. IN NS
SECTION AUTHORITY
pollute4.mesa. IN NS ns.pollute4.mesa.
SECTION ADDITIONAL
ns.pollute4.mesa. IN A 1.2.4.4
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
attacker.mesa. IN NS
SECTION AUTHORITY
attacker.mesa. IN NS ns.attacker.mesa.
SECTION ADDITIONAL
ns.attacker.mesa. IN A 5.6.7.8
ENTRY_END
RANGE_END
; ns.pollute1.mesa
RANGE_BEGIN 0 400
ADDRESS 1.2.4.1
; This is the spoofed answer that is returned.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
test1.atkr.pollute1.mesa. IN A
SECTION ANSWER
test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4
SECTION AUTHORITY
pollute1.mesa. 86400 IN NS ns.attacker.mesa.
ENTRY_END
; correct answer for the check query.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
check.pollute1.mesa. IN A
SECTION ANSWER
check.pollute1.mesa. IN A 1.8.9.1
ENTRY_END
RANGE_END
; ns.pollute2.mesa
RANGE_BEGIN 0 400
ADDRESS 1.2.4.2
; This is the spoofed answer that is returned.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
test2.atkr.pollute2.mesa. IN A
SECTION ANSWER
test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4
SECTION AUTHORITY
pollute2.mesa. 86400 IN NS ns.pollute2.mesa.
SECTION ADDITIONAL
ns.pollute2.mesa. 86400 IN A 5.6.7.8
ENTRY_END
; correct answer for the check query.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
check.pollute2.mesa. IN A
SECTION ANSWER
check.pollute2.mesa. IN A 1.8.9.2
ENTRY_END
RANGE_END
; ns.pollute3.mesa
RANGE_BEGIN 0 400
ADDRESS 1.2.4.3
; This is the spoofed answer that is returned.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
test3.atkr.pollute3.mesa. IN A
SECTION ANSWER
test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
SECTION AUTHORITY
test3.atkr.pollute3.mesa. 86400 IN NS ns.pollute3.mesa.
SECTION ADDITIONAL
ns.pollute3.mesa. 86400 IN A 5.6.7.8
ENTRY_END
; correct answer for the check query.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
check.pollute3.mesa. IN A
SECTION ANSWER
check.pollute3.mesa. IN A 1.8.9.3
ENTRY_END
RANGE_END
; ns.pollute4.mesa
RANGE_BEGIN 0 400
ADDRESS 1.2.4.4
; This is the spoofed answer that is returned.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA YXDOMAIN
SECTION QUESTION
test4.atkr.pollute4.mesa. IN A
SECTION ANSWER
test4.atkr.pollute4.mesa. 86400 IN A 1.2.3.4
SECTION AUTHORITY
pollute4.mesa. 86400 IN NS ns.attacker.mesa.
ENTRY_END
; correct answer for the check query.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
check.pollute4.mesa. IN A
SECTION ANSWER
check.pollute4.mesa. IN A 1.8.9.4
ENTRY_END
RANGE_END
; ns.attacker.mesa
RANGE_BEGIN 0 400
ADDRESS 5.6.7.8
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.attacker.mesa. IN A
SECTION ANSWER
ns.attacker.mesa. 86400 IN A 5.6.7.8
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.attacker.mesa. IN AAAA
SECTION AUTHORITY
attacker.mesa. 3600 IN SOA ns.attacker.mesa. root.attacker.mesa. 4 7200 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.attacker.mesa. IN A
SECTION ANSWER
ns.attacker.mesa. 86400 IN A 5.6.7.8
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
check.pollute1.mesa. IN A
SECTION ANSWER
check.pollute1.mesa. 86400 IN A 5.6.7.9
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
check.pollute2.mesa. IN A
SECTION ANSWER
check.pollute2.mesa. 86400 IN A 5.6.7.9
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
check.pollute3.mesa. IN A
SECTION ANSWER
check.pollute3.mesa. 86400 IN A 5.6.7.9
ENTRY_END
RANGE_END
; Test query 1
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test1.atkr.pollute1.mesa. IN A
ENTRY_END
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
test1.atkr.pollute1.mesa. IN A
SECTION ANSWER
test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4
ENTRY_END
; Test query 2
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test2.atkr.pollute2.mesa. IN A
ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
test2.atkr.pollute2.mesa. IN A
SECTION ANSWER
test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4
ENTRY_END
; Test query 3
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test3.atkr.pollute3.mesa. IN A
ENTRY_END
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
test3.atkr.pollute3.mesa. IN A
SECTION ANSWER
test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
ENTRY_END
; Check the cache contents, for query 1.
STEP 60 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
check.pollute1.mesa. IN A
ENTRY_END
STEP 70 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
check.pollute1.mesa. IN A
SECTION ANSWER
; good answer
check.pollute1.mesa. IN A 1.8.9.1
; bad answer
;check.pollute1.mesa. IN A 5.6.7.9
ENTRY_END
; Check the cache contents, for query 2.
STEP 80 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
check.pollute2.mesa. IN A
ENTRY_END
STEP 90 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
check.pollute2.mesa. IN A
SECTION ANSWER
; good answer
check.pollute2.mesa. IN A 1.8.9.2
; bad answer
;check.pollute2.mesa. IN A 5.6.7.9
ENTRY_END
; Check the cache contents, for query 3.
STEP 100 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
check.pollute3.mesa. IN A
ENTRY_END
STEP 110 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
check.pollute3.mesa. IN A
SECTION ANSWER
; good answer
check.pollute3.mesa. IN A 1.8.9.3
; bad answer
;check.pollute3.mesa. IN A 5.6.7.9
ENTRY_END
; Test query 4
STEP 120 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test4.atkr.pollute4.mesa. IN A
ENTRY_END
STEP 130 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA YXDOMAIN
SECTION QUESTION
test4.atkr.pollute4.mesa. IN A
SECTION ANSWER
test4.atkr.pollute4.mesa. 86400 IN A 1.2.3.4
SECTION AUTHORITY
; removed record
;pollute4.mesa. 0 IN NS ns.attacker.mesa.
ENTRY_END
; Check the cache contents, for query 4.
STEP 140 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
check.pollute4.mesa. IN A
ENTRY_END
STEP 150 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
check.pollute4.mesa. IN A
SECTION ANSWER
; good answer
check.pollute4.mesa. IN A 1.8.9.4
; bad answer
;check.pollute4.mesa. IN A 5.6.7.9
ENTRY_END
SCENARIO_END
Reference in a new issue View git blame Copy permalink