From: Wouter Wijngaards Date: Tue, 25 Mar 2008 14:03:31 +0000 (+0000) Subject: Enforce presence of query section in reply. X-Git-Tag: release-0.11~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87700fea40d7bf42dc46703ede9f6c14267247af;p=thirdparty%2Funbound.git Enforce presence of query section in reply. git-svn-id: file:///svn/unbound/trunk@1018 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index a79724e4c..06f00cebb 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,13 @@ +25 March 2008: Wouter + - implemented check that for NXDOMAIN and NOERROR answers a query + section must be present in the reply (by the scrubber). And it must + be equal to the question sent, at least lowercase folded. + Previously this feature happened because the cache code refused + to store such messages. However blocking by the scrubber makes + sure nothing gets into the RRset cache. Also, this looks like a + timeout (instead of an allocation failure) and this retries are + done (which is useful in a spoofing situation). + 7 March 2008: Wouter - -C config feature for harvest program. - harvest handles CNAMEs too. diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c index eedbfcb4d..6be71cff9 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c @@ -564,6 +564,14 @@ scrub_message(ldns_buffer* pkt, struct msg_parse* msg, if( !(msg->flags&BIT_QR) ) return 0; + /* make sure that a query is echoed back when NOERROR or NXDOMAIN */ + /* this is not required for basic operation but is a forgery + * resistance (security) feature */ + if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR || + FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) && + msg->qdcount == 0) + return 0; + /* if a query is echoed back, make sure it is correct. Otherwise, * this may be not a reply to our query. */ if(msg->qdcount == 1) { 
diff --git a/testdata/iter_req_qname.rpl b/testdata/iter_req_qname.rpl new file mode 100644 index 000000000..3bdaac257 --- /dev/null +++ b/testdata/iter_req_qname.rpl @@ -0,0 +1,91 @@ +; config options +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test a query name in the reply is required by resolver + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. +; always the same reply since we cannot match anything from the qsection. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +; no query section! +; www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. + +; the query name is echoed properly to *our* client +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +SCENARIO_END
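Review bot: the Changelog entry has a typo in "this retries are done", which should read "thus retries are done". The entry also states that the echoed question "must be equal to the question sent, at least lowercase folded", but the iter_scrub.c hunk in this commit only adds the rejection of replies with no question section; the equality comparison lives in the pre-existing code under the "if a query is echoed back, make sure it is correct" comment, so the entry would be clearer if it separated the new presence check from the existing comparison.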
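Review bot: the new condition rejects NOERROR and NXDOMAIN replies only when msg->qdcount == 0, while the check that follows it (the "if a query is echoed back" branch) only inspects msg->qdcount == 1, so a reply carrying two or more question entries passes the new guard and its fate depends on code outside this hunk. If the intent is that exactly one echoed question is required for these rcodes, writing the guard as `msg->qdcount != 1` would state that directly. The comment above the check would also benefit from one sentence on why it is limited to NOERROR and NXDOMAIN rather than applied to every rcode.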
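Review bot: the new scenario only exercises the NOERROR case of the scrubber change (the ns.example.com. entry replies QR NOERROR with the SECTION QUESTION commented out), while the condition added in iter_scrub.c also covers NXDOMAIN; a second entry or scenario with REPLY QR NXDOMAIN and no question section would cover the other half of the condition. The closing CHECK_ANSWER, which expects SERVFAIL with the question echoed back to the client, is consistent with the Changelog's statement that the dropped reply is treated like a timeout.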