From 64a11c73274c2b7167b9ea7e576608b93938583d Mon Sep 17 00:00:00 2001 From: Otto Moerbeek Date: Mon, 21 Jul 2025 10:43:46 +0200 Subject: [PATCH] rec: be more strict accepting delegations Signed-off-by: Otto Moerbeek --- pdns/recursordist/syncres.cc | 29 +++++++++++------------------ pdns/recursordist/syncres.hh | 2 +- 2 files changed, 12 insertions(+), 19 deletions(-) diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc index f0e33ff434..ea2048219c 100644 --- a/pdns/recursordist/syncres.cc +++ b/pdns/recursordist/syncres.cc @@ -4188,8 +4188,8 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN std::unordered_set allowedAnswerNames = {qname}; bool cnameSeen = false; bool haveAnswers = false; - bool isNXDomain = false; - bool isNXQType = false; + bool acceptDelegation = false; + bool soaInAuth = false; std::vector skipvec(lwr.d_records.size(), false); unsigned int counter = 0; @@ -4306,17 +4306,10 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN ++skipCount; continue; } - - if (!haveAnswers) { - switch (lwr.d_rcode) { - case RCode::NXDomain: - isNXDomain = true; - break; - case RCode::NoError: - isNXQType = true; - break; - } - } + soaInAuth = true; + } + if (!haveAnswers && lwr.d_rcode == RCode::NoError) { + acceptDelegation = true; } } /* dealing with records in additional */ @@ -4330,10 +4323,10 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN } } // end of first loop, handled answer and most of authority section - sanitizeRecordsPass2(prefix, lwr, qname, qtype, auth, allowedAnswerNames, allowedAdditionals, cnameSeen, isNXDomain, isNXQType, skipvec, skipCount); + sanitizeRecordsPass2(prefix, lwr, qname, qtype, auth, allowedAnswerNames, allowedAdditionals, cnameSeen, acceptDelegation && !soaInAuth, skipvec, skipCount); } -void SyncRes::sanitizeRecordsPass2(const std::string& prefix, LWResult& lwr, const DNSName& qname, const QType qtype, const DNSName& auth, std::unordered_set& allowedAnswerNames, std::unordered_set& allowedAdditionals, bool cnameSeen, bool isNXDomain, bool isNXQType, std::vector& skipvec, unsigned int& skipCount) +void SyncRes::sanitizeRecordsPass2(const std::string& prefix, LWResult& lwr, const DNSName& qname, const QType qtype, const DNSName& auth, std::unordered_set& allowedAnswerNames, std::unordered_set& allowedAdditionals, bool cnameSeen, bool acceptDelegation, std::vector& skipvec, unsigned int& skipCount) { // Second loop, we know now if the answer was NxDomain or NoData unsigned int counter = 0; @@ -4362,13 +4355,13 @@ void SyncRes::sanitizeRecordsPass2(const std::string& prefix, LWResult& lwr, con } } if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::NS) { - if (isNXDomain || isNXQType) { + if (!acceptDelegation) { /* - * We don't want to pick up NS records in AUTHORITY and their ADDITIONAL sections of NXDomain answers + * We don't want to pick up NS records in AUTHORITY and their ADDITIONAL sections of NXDomain answers and answers with answer records * because they are somewhat easy to insert into a large, fragmented UDP response * for an off-path attacker by injecting spoofed UDP fragments. So do not add these to allowedAdditionals. */ - LOG(prefix << qname << ": Removing NS record '" << rec->toString() << "' in the AUTHORITY section of a " << (isNXDomain ? "NXD" : "NXQTYPE") << " response received from " << auth << endl); + LOG(prefix << qname << ": Removing NS record '" << rec->toString() << "' in the AUTHORITY section of a response received from " << auth << endl); skipvec[counter] = true; ++skipCount; continue; diff --git a/pdns/recursordist/syncres.hh b/pdns/recursordist/syncres.hh index bc1337d4bd..050c07c98e 100644 --- a/pdns/recursordist/syncres.hh +++ b/pdns/recursordist/syncres.hh @@ -675,7 +675,7 @@ private: vector retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector>::const_iterator& tns, unsigned int depth, set& beenthere, const vector>& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly, unsigned int& nretrieveAddressesForNS); void sanitizeRecords(const std::string& prefix, LWResult& lwr, const DNSName& qname, QType qtype, const DNSName& auth, bool wasForwarded, bool rdQuery); - void sanitizeRecordsPass2(const std::string& prefix, LWResult& lwr, const DNSName& qname, QType qtype, const DNSName& auth, std::unordered_set& allowedAnswerNames, std::unordered_set& allowedAdditionals, bool cnameSeen, bool isNXDomain, bool isNXQType, std::vector& skipvec, unsigned int& skipCount); + void sanitizeRecordsPass2(const std::string& prefix, LWResult& lwr, const DNSName& qname, QType qtype, const DNSName& auth, std::unordered_set& allowedAnswerNames, std::unordered_set& allowedAdditionals, bool cnameSeen, bool delegationAccepted, std::vector& skipvec, unsigned int& skipCount); /* This function will check whether the answer should have the AA bit set, and will set if it should be set and isn't. This is unfortunately needed to deal with very crappy so-called DNS servers */ void fixupAnswer(const std::string& prefix, LWResult& lwr, const DNSName& qname, QType qtype, const DNSName& auth, bool wasForwarded, bool rdQuery); -- 2.47.3