System test for PROXYv2
authorArtem Boldariev <artem@boldariev.com>
Tue, 14 Nov 2023 16:19:12 +0000 (18:19 +0200)
committerArtem Boldariev <artem@boldariev.com>
Wed, 6 Dec 2023 13:15:25 +0000 (15:15 +0200)
This commit adds a system test suite for PROXYv2. The idea on which it
is based is simple:

1. Firstly we check that 'allow-proxy' and 'allow-proxy-on' (whatever
is using the new 'isc_nmhandle_real_localaddr/peeraddr()') do what
they are intended to do.

2. Anything else that needs an interface or peer address (ACL
functionality, for example) is using the old
'isc_nmhandle_localaddr/peeraddr()' - which are now returning
addresses received via PROXY (if any) instead of the real connection
addresses. The beauty of it is that we DO NOT need to verify every bit of
the code relying on these functions: whatever works in one place will
work everywhere else, as these were the only functions that allowed
any higher level code to get peer and interface addresses.

This way it is relatively easy to see if PROXYv2 works as intended.

bin/tests/system/Makefile.am
bin/tests/system/proxy/clean.sh [new file with mode: 0644]
bin/tests/system/proxy/ns1/named.conf.in [new file with mode: 0644]
bin/tests/system/proxy/ns3/named.conf.in [new file with mode: 0644]
bin/tests/system/proxy/prereq.sh [new file with mode: 0644]
bin/tests/system/proxy/self-signed-cert.pem [new file with mode: 0644]
bin/tests/system/proxy/self-signed-key.pem [new file with mode: 0644]
bin/tests/system/proxy/setup.sh [new file with mode: 0644]
bin/tests/system/proxy/tests.sh [new file with mode: 0644]
bin/tests/system/proxy/tests_sh_proxy.py [new file with mode: 0644]

index 013d33f85f79684406f3fa8b8b4c40bff08722f5..d640bda038620270400a679507ecee24d7349a23 100644 (file)
@@ -145,6 +145,7 @@ TESTS =                             \
        nzd2nzf                 \
        padding                 \
        pending                 \
+       proxy                   \
        pipelined               \
        qmin                    \
        reclimit                \
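Review bot: `proxy` is inserted ahead of `pipelined`, which breaks the alphabetical order the visible entries of `TESTS` otherwise follow (`padding`, `pending`, `pipelined`, `qmin`). Moving the new line to just after `pipelined \` keeps the list sorted and makes it easier to spot a missing or duplicated suite. The `TESTS` assignment starts and ends outside the hunk.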
diff --git a/bin/tests/system/proxy/clean.sh b/bin/tests/system/proxy/clean.sh
new file mode 100644 (file)
index 0000000..e8d1b95
--- /dev/null
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+#
+# Clean up after zone transfer tests.
+#
+
+rm -f ./*/named.conf
+rm -f ./*/named.memstats
+rm -f ./*/named.run
+rm -f ./*/named.run.prev
+rm -f ./dig.out.*
+rm -f ./*/example.db
+rm -rf ./headers.*
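Review bot: The header comment `# Clean up after zone transfer tests.` is carried over from another suite and should read `# Clean up after PROXYv2 tests.`. The script also leaves `named.stats` behind, although both named.conf.in files set it as `statistics-file`; if any test step triggers a statistics dump, add `rm -f ./*/named.stats`. Nothing in the visible part of the commit creates `headers.*`, so `rm -rf ./headers.*` may be a leftover as well.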
diff --git a/bin/tests/system/proxy/ns1/named.conf.in b/bin/tests/system/proxy/ns1/named.conf.in
new file mode 100644 (file)
index 0000000..0be6c35
--- /dev/null
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+       inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+       cert-file "../self-signed-cert.pem";
+       key-file "../self-signed-key.pem";
+};
+
+options {
+       pid-file "named.pid";
+       ##
+       # generic test
+       listen-on port @PORT@ { 10.53.0.1; };
+
+       listen-on port @EXTRAPORT1@ proxy plain { 10.53.0.1; };
+       listen-on port @EXTRAPORT1@ proxy plain { 10.53.0.2; };
+       listen-on port @TLSPORT@ proxy encrypted tls self-signed { 10.53.0.1; };
+       listen-on port @EXTRAPORT2@ proxy plain tls self-signed { 10.53.0.1; };
+       listen-on port @HTTPSPORT@ proxy encrypted tls self-signed http default { 10.53.0.1; };
+       listen-on port @EXTRAPORT3@ proxy plain tls self-signed http default { 10.53.0.1; };
+       listen-on port @HTTPPORT@ proxy plain tls none http default { 10.53.0.1; };
+
+       listen-on-v6 port @EXTRAPORT1@ proxy plain { fd92:7065:b8e:ffff::1; };
+       listen-on-v6 port @EXTRAPORT1@ proxy plain { fd92:7065:b8e:ffff::2; };
+       listen-on-v6 port @TLSPORT@ proxy encrypted tls self-signed { fd92:7065:b8e:ffff::1; };
+       listen-on-v6 port @EXTRAPORT2@ proxy plain tls self-signed { fd92:7065:b8e:ffff::1; };
+       listen-on-v6 port @HTTPSPORT@ proxy encrypted tls self-signed http default { fd92:7065:b8e:ffff::1; };
+       listen-on-v6 port @EXTRAPORT3@ proxy plain tls self-signed http default { fd92:7065:b8e:ffff::1; };
+       listen-on-v6 port @HTTPPORT@ proxy plain tls none http default { fd92:7065:b8e:ffff::1; };
+
+       allow-proxy { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+       allow-proxy-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+
+       recursion no;
+       notify explicit;
+       statistics-file "named.stats";
+       dnssec-validation yes;
+       tcp-initial-timeout 1200;
+};
+
+zone "example0" {
+       type primary;
+       file "example.db";
+       allow-query { any; };
+};
+
+zone "example1" {
+       type primary;
+       file "example.db";
+       allow-query { 1.2.3.4; fd0f:99d3:98a7::1234; };
+       allow-query-on { 4.3.2.1; fd0f:99d3:98a7::4321; }; # note, we are *not* listening on the interface
+};
+
+zone "example2" {
+       type primary;
+       file "example.db";
+       # allow the real addresses only so that we can test LOCAL requests
+       allow-query { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+       allow-query-on { 10.53.0.1; fd92:7065:b8e:ffff::1; };
+};
+
+# Let's define some zones that will help us verify that ports
+# information from PROXY headers is used. Please note that we are NOT
+# listening on the ports used.
+zone "example-proxy-do53" {
+       type primary;
+       file "example.db";
+       allow-transfer port 53 transport tcp { 1.2.3.4; fd0f:99d3:98a7::1234; };
+};
+
+zone "example-proxy-encrypted-dot" {
+       type primary;
+       file "example.db";
+       allow-transfer port 853 transport tls { 1.2.3.4; fd0f:99d3:98a7::1234; };
+};
+
+zone "example-proxy-plain-dot" {
+       type primary;
+       file "example.db";
+       allow-transfer port 853 transport tls { 1.2.3.4; fd0f:99d3:98a7::1234; };
+};
+
+# Now let's make something similar, but for LOCAL PROXY requests (when
+# real ports and addresses are used)
+zone "example-proxy-local-do53" {
+       type primary;
+       file "example.db";
+       allow-transfer port @EXTRAPORT1@ transport tcp { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+};
+
+zone "example-proxy-local-encrypted-dot" {
+       type primary;
+       file "example.db";
+       allow-transfer port @TLSPORT@ transport tls { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+};
+
+zone "example-proxy-local-plain-dot" {
+       type primary;
+       file "example.db";
+       allow-transfer port @EXTRAPORT2@ transport tls { 10.53.0.10; fd92:7065:b8e:ffff::10; };
+};
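Review bot: On 10.53.0.2 and fd92:7065:b8e:ffff::2 only the `@EXTRAPORT1@ proxy plain` listener is configured, yet tests.sh sends the allow-proxy-on negative cases to those addresses on `@TLSPORT@`, `@EXTRAPORT2@`, `@HTTPSPORT@`, `@EXTRAPORT3@` and `@HTTPPORT@` as well. Unless something outside this diff listens there, those connections are refused before any ACL is consulted. Because `run_dig_test_expect_failure` leaves `ret` at 0 whenever dig itself fails, the TLS and HTTP variants would then pass without exercising `allow-proxy-on` at all. Listening on the second address for every PROXY-enabled transport makes the rejection come from the ACL under test rather than from a closed port.

```conf
	# … unchanged: plain listen-on and the @EXTRAPORT1@ proxy listeners …
	listen-on port @TLSPORT@ proxy encrypted tls self-signed { 10.53.0.1; 10.53.0.2; };
	listen-on port @EXTRAPORT2@ proxy plain tls self-signed { 10.53.0.1; 10.53.0.2; };
	listen-on port @HTTPSPORT@ proxy encrypted tls self-signed http default { 10.53.0.1; 10.53.0.2; };
	listen-on port @EXTRAPORT3@ proxy plain tls self-signed http default { 10.53.0.1; 10.53.0.2; };
	listen-on port @HTTPPORT@ proxy plain tls none http default { 10.53.0.1; 10.53.0.2; };

	listen-on-v6 port @TLSPORT@ proxy encrypted tls self-signed { fd92:7065:b8e:ffff::1; fd92:7065:b8e:ffff::2; };
	listen-on-v6 port @EXTRAPORT2@ proxy plain tls self-signed { fd92:7065:b8e:ffff::1; fd92:7065:b8e:ffff::2; };
	listen-on-v6 port @HTTPSPORT@ proxy encrypted tls self-signed http default { fd92:7065:b8e:ffff::1; fd92:7065:b8e:ffff::2; };
	listen-on-v6 port @EXTRAPORT3@ proxy plain tls self-signed http default { fd92:7065:b8e:ffff::1; fd92:7065:b8e:ffff::2; };
	listen-on-v6 port @HTTPPORT@ proxy plain tls none http default { fd92:7065:b8e:ffff::1; fd92:7065:b8e:ffff::2; };
	# … unchanged: allow-proxy / allow-proxy-on and the remaining options …
```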
diff --git a/bin/tests/system/proxy/ns3/named.conf.in b/bin/tests/system/proxy/ns3/named.conf.in
new file mode 100644 (file)
index 0000000..5583eb2
--- /dev/null
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "../../_common/rndc.key";
+
+controls {
+       inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+tls self-signed {
+       cert-file "../self-signed-cert.pem";
+       key-file "../self-signed-key.pem";
+};
+
+options {
+       pid-file "named.pid";
+       ##
+       # generic test
+       listen-on port @PORT@ { 10.53.0.3; };
+
+       listen-on port @EXTRAPORT1@ proxy plain { 10.53.0.3; };
+       listen-on port @TLSPORT@ proxy encrypted tls self-signed { 10.53.0.3; };
+       listen-on port @EXTRAPORT2@ proxy plain tls self-signed { 10.53.0.3; };
+       listen-on port @HTTPSPORT@ proxy encrypted tls self-signed http default { 10.53.0.3; };
+       listen-on port @EXTRAPORT3@ proxy plain tls self-signed http default { 10.53.0.3; };
+       listen-on port @HTTPPORT@ proxy plain tls none http default { 10.53.0.3; };
+
+       listen-on-v6 port @EXTRAPORT1@ proxy plain { fd92:7065:b8e:ffff::3; };
+       listen-on-v6 port @TLSPORT@ proxy encrypted tls self-signed { fd92:7065:b8e:ffff::3; };
+       listen-on-v6 port @EXTRAPORT2@ proxy plain tls self-signed { fd92:7065:b8e:ffff::3; };
+       listen-on-v6 port @HTTPSPORT@ proxy encrypted tls self-signed http default { fd92:7065:b8e:ffff::3; };
+       listen-on-v6 port @EXTRAPORT3@ proxy plain tls self-signed http default { fd92:7065:b8e:ffff::3; };
+       listen-on-v6 port @HTTPPORT@ proxy plain tls none http default { fd92:7065:b8e:ffff::3; };
+
+       recursion no;
+       notify explicit;
+       statistics-file "named.stats";
+       dnssec-validation yes;
+       tcp-initial-timeout 1200;
+};
+
+zone "example" {
+       type primary;
+       file "example.db";
+       allow-query { any; };
+};
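Review bot: ns3 turns on `proxy` for every extra listener but sets neither `allow-proxy` nor `allow-proxy-on`, and the part of tests.sh visible here never queries 10.53.0.3. A short comment above the `listen-on` block should say what this instance is meant to demonstrate, so that a later editor does not "fix" the missing ACL. If the intent is that PROXY-enabled listeners refuse PROXYv2 headers when no ACL is configured (to be confirmed by the author), something like `# no allow-proxy here on purpose: PROXYv2 headers must be rejected by default` would do.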
diff --git a/bin/tests/system/proxy/prereq.sh b/bin/tests/system/proxy/prereq.sh
new file mode 100644 (file)
index 0000000..225c1e2
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+$FEATURETEST --with-libnghttp2 || {
+  echo_i "This test requires libnghttp2 support." >&2
+  exit 255
+}
+
+exit 0
diff --git a/bin/tests/system/proxy/self-signed-cert.pem b/bin/tests/system/proxy/self-signed-cert.pem
new file mode 100644 (file)
index 0000000..0aeb46a
--- /dev/null
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICWDCCAf+gAwIBAgIUXudNo4NQ7lRM1xFFJ4ugVtyCzKgwCgYIKoZIzj0EAwIw
+gYExCzAJBgNVBAYTAlVBMRgwFgYDVQQIDA9LaGFya2l2IE9ibGFzdCcxEDAOBgNV
+BAcMB0toYXJraXYxJDAiBgNVBAoMG0ludGVybmV0IFN5c3RlbXMgQ29uc29ydGl1
+bTEgMB4GA1UEAwwXc2VsZi5zaWduZWQuZXhhbXBsZS5jb20wHhcNMjMxMTE3MTU1
+NjI3WhcNNDQwNTMwMTU1NjI3WjCBgTELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0to
+YXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtpdjEkMCIGA1UECgwbSW50ZXJu
+ZXQgU3lzdGVtcyBDb25zb3J0aXVtMSAwHgYDVQQDDBdzZWxmLnNpZ25lZC5leGFt
+cGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNWscxXohNTBjcW4rhKD
+ZbLi7IqI7WYe5lOS1CrukfYJuMM1+qjYnzO6Wg5qTwin/Cvr4/GTm95I64nZLPQz
+CxajUzBRMB0GA1UdDgQWBBSnOr8xGlELdrcmyDIw9scsqn4UYjAfBgNVHSMEGDAW
+gBSnOr8xGlELdrcmyDIw9scsqn4UYjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
+BAMCA0cAMEQCIG0OgexHV7bl/ZHd3Rn0VAudCHC7b1W2Sr6q+7kspLfhAiBemkVD
+POeoih/7KT3yn8j90+WWVlzV+mpom3eaVkjjog==
+-----END CERTIFICATE-----
diff --git a/bin/tests/system/proxy/self-signed-key.pem b/bin/tests/system/proxy/self-signed-key.pem
new file mode 100644 (file)
index 0000000..535f472
--- /dev/null
@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHwX7CofJJGLEG6evl6h9WSmZ1q1HAOO+SKgvMiqCFcXoAoGCCqGSM49
+AwEHoUQDQgAE1axzFeiE1MGNxbiuEoNlsuLsiojtZh7mU5LUKu6R9gm4wzX6qNif
+M7paDmpPCKf8K+vj8ZOb3kjridks9DMLFg==
+-----END EC PRIVATE KEY-----
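Review bot: This private key becomes public the moment it is committed, and nothing next to it says it is a throwaway test fixture. State that where the key is referenced, above the `tls self-signed` block in both named.conf.in files: `# test-only key pair committed to the tree; never use it outside the system tests`. Generating the pair in setup.sh instead would avoid shipping key material at all, and the secret-scanner findings that come with it, at the cost of an extra tool dependency for the suite.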
diff --git a/bin/tests/system/proxy/setup.sh b/bin/tests/system/proxy/setup.sh
new file mode 100644 (file)
index 0000000..b54f621
--- /dev/null
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+$SHELL clean.sh
+
+$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 >ns1/example.db
+$SHELL "${TOP_SRCDIR}"/bin/tests/system/genzone.sh 2 >ns3/example.db
+
+copy_setports ns1/named.conf.in ns1/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
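Review bot: setup.sh runs without `set -e`, unlike tests.sh in the same commit, so a failing `genzone.sh` still leaves an empty or truncated `ns1/example.db` and setup carries on to `copy_setports`. Adding `set -e` after the licence header and before `. ../conf.sh`, as tests.sh does, makes the suite stop at the real cause. Otherwise the failure would likely only show up later as a zone that did not load or as unexpected query results.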
diff --git a/bin/tests/system/proxy/tests.sh b/bin/tests/system/proxy/tests.sh
new file mode 100644 (file)
index 0000000..a62044c
--- /dev/null
@@ -0,0 +1,253 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck disable=SC1091
+. ../conf.sh
+
+dig_out_basename="dig.out.test"
+testing="PROXY test"
+fail_regex='(^(; EDE: 18 \(Prohibited\))|(; Transfer failed\.$))'
+
+dig_with_opts() {
+  # shellcheck disable=SC2086
+  "$DIG" +noadd +nosea +nostat +noquest +nocmd +tries=1 "$@"
+}
+
+status=0
+n=0
+
+run_dig_test() {
+  test_message="$1"
+  shift
+  n=$((n + 1))
+  echo_i "$test_message ($n)"
+  ret=0
+  dig_failed=0
+  dig_with_opts "$@" >"$dig_out_basename$n" || dig_failed=1
+}
+
+run_dig_test_expect_success() {
+  run_dig_test "$@"
+  if [ $dig_failed != 0 ]; then
+    ret=1
+  elif ! [ -s "$dig_out_basename$n" ]; then
+    ret=1
+  else
+    grep -E "$fail_regex" "$dig_out_basename$n" >/dev/null && ret=1
+  fi
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
+}
+
+run_dig_test_expect_failure() {
+  run_dig_test "$@"
+  if [ $dig_failed -eq 0 ] && [ -s "$dig_out_basename$n" ]; then
+    grep -E "$fail_regex" "$dig_out_basename$n" >/dev/null || ret=1
+  fi
+  if [ $ret != 0 ]; then echo_i "failed"; fi
+  status=$((status + ret))
+}
+
+run_dig_multitest_expect_success() {
+  message="$1"
+  shift
+  proxy_addrs="$1"
+  shift
+  run_dig_test_expect_success "$message (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +notcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.1 +https "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.1 +https "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.1 +http-plain "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +notcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_success "$message (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +http-plain "+proxy=$proxy_addrs" "$@"
+}
+
+run_dig_multitest_expect_failure() {
+  message="$1"
+  shift
+  proxy_addrs="$1"
+  shift
+  run_dig_test_expect_failure "$message (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +notcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.1 +https "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.1 +https "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.1 +http-plain "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +notcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https "+proxy=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https "+proxy-plain=$proxy_addrs" "$@"
+  run_dig_test_expect_failure "$message (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +http-plain "+proxy=$proxy_addrs" "$@"
+}
+
+# generic tests
+
+# Bind to the IP address that is allowed to send PROXYv2
+run_dig_test_expect_success "$testing: allow-proxy expect success (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +notcp +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.1 +https +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.1 +https +proxy-plain NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.1 +http-plain +proxy NS example0
+
+run_dig_test_expect_success "$testing: allow-proxy expect success (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +notcp +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https +proxy NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +https +proxy-plain NS example0
+run_dig_test_expect_success "$testing: allow-proxy expect success (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +http-plain +proxy NS example0
+
+# Bind to the IP address that is not allowed to send PROXYv2
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.11 @10.53.0.1 +notcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.11 @10.53.0.1 +tcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.11 @10.53.0.1 +tls +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.11 @10.53.0.1 +tls +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.11 @10.53.0.1 +https +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.11 @10.53.0.1 +https +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTP)" -p "${HTTPPORT}" -b 10.53.0.11 @10.53.0.1 +http-plain +proxy NS example0
+
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +notcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +tcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +tls +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +tls +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +https +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +https +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy expect failure (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::11 @fd92:7065:b8e:ffff::1 +http-plain +proxy NS example0
+
+# Send a query to the interface that is not allowed to accept PROXYv2
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.2 +notcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.2 +tcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.2 +tls +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.2 +tls +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.2 +https +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.2 +https +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.2 +http-plain +proxy NS example0
+
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +notcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +tcp +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +tls +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +tls +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +https +proxy NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +https +proxy-plain NS example0
+run_dig_test_expect_failure "$testing: allow-proxy-on expect failure (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::2 +http-plain +proxy NS example0
+
+## Now let's check if the addresses passed via PROXYv2 are getting used by BIND9.
+run_dig_multitest_expect_success "check if IPv4 addresses are getting passed and accepted" "1.2.3.4-4.3.2.1" NS example1
+run_dig_multitest_expect_success "check if IPv6 addresses are getting passed and accepted" "fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321" NS example1
+
+run_dig_multitest_expect_failure "check if IPv4 addresses are getting passed and rejected" "4.4.4.4-5.5.5.5" NS example1
+run_dig_multitest_expect_failure "check if IPv6 addresses are getting passed and rejected" "fd0f:99d3:98a7::4444-fd0f:99d3:98a7::5555" NS example1
+
+run_dig_multitest_expect_failure "check if IPv4 addresses are getting passed and an unexpected source address is getting rejected" "4.4.4.4-4.3.2.1" NS example1
+run_dig_multitest_expect_failure "check if IPv6 addresses are getting passed and an unexpected source address is getting rejected" "fd0f:99d3:98a7::4444-fd0f:99d3:98a7::4321" NS example1
+
+run_dig_multitest_expect_failure "check if IPv4 addresses are getting passed and an unexpected destination address is getting rejected" "1.2.3.4-5.5.5.5" NS example1
+run_dig_multitest_expect_failure "check if IPv6 addresses are getting passed and an unexpected destination address is getting rejected" "fd0f:99d3:98a7::1234-fd0f:99d3:98a7::5.5.5.5" NS example1
+
+## Let's check if the real addresses are used by BIND9 for LOCAL requests
+run_dig_multitest_expect_success "check if LOCAL PROXYv2 headers are accepted and real connection addresses are used" "" NS example2
+
+## Let's check if BIND9 does not like suspicious PROXY headers with zeroed addresses or destination ports
+run_dig_multitest_expect_failure "check if port 0 is not accepted when used in the destination IPv4 address" "1.2.3.4-4.3.2.1#0" NS example1
+run_dig_multitest_expect_failure "check if port 0 is not accepted when used in the destination IPv6 address" "fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#0" NS example1
+
+run_dig_multitest_expect_failure "check if \"0.0.0.0\" is not accepted as a source address" "0.0.0.0-4.3.2.1" NS example1
+run_dig_multitest_expect_failure "check if \"::\" is not accepted as a source address" "::-fd0f:99d3:98a7::4321" NS example1
+
+run_dig_multitest_expect_failure "check if \"0.0.0.0\" is not accepted as a destination address" "1.2.3.4-0.0.0.0" NS example1
+run_dig_multitest_expect_failure "check if \"::\" is not accepted as a destination address" "fd0f:99d3:98a7::1234-::" NS example1
+
+# Let's verify that ports information from PROXY headers is being used by BIND
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy="1.2.3.4-4.3.2.1#53" AXFR example-proxy-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy="1.2.3.4-4.3.2.1#853" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain="1.2.3.4-4.3.2.1#853" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy="1.2.3.4-4.3.2.1#53" AXFR example-proxy-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy="1.2.3.4-4.3.2.1#853" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain="1.2.3.4-4.3.2.1#853" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#53" AXFR example-proxy-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#853" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#853" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#53" AXFR example-proxy-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#853" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#853" AXFR example-proxy-plain-dot
+
+# Let's use a wrong ports to see if BIND will reject the queries (as it should)
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-do53
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-do53
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND for rejection (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain="1.2.3.4-4.3.2.1#1234" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-do53
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-plain-dot
+
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-do53
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-encrypted-dot
+run_dig_test_expect_failure "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND for rejection (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain="fd0f:99d3:98a7::1234-fd0f:99d3:98a7::4321#1234" AXFR example-proxy-plain-dot
+
+# Now let's make something similar, but for LOCAL PROXY requests
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy AXFR example-proxy-local-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy AXFR example-proxy-local-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain AXFR example-proxy-local-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy AXFR example-proxy-local-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy AXFR example-proxy-local-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv4 addresses is being used by BIND (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain AXFR example-proxy-local-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.1 +tcp +proxy AXFR example-proxy-local-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.1 +tls +proxy AXFR example-proxy-local-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.1 +tls +proxy-plain AXFR example-proxy-local-plain-dot
+
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tcp +proxy AXFR example-proxy-local-do53
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy AXFR example-proxy-local-encrypted-dot
+run_dig_test_expect_success "$testing: check if ports information from a PROXYv2 header with IPv6 addresses is being used by BIND (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::1 +tls +proxy-plain AXFR example-proxy-local-plain-dot
+
+# verify that by default PROXYv2 is not accepted
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (UDP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.3 +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TCP)" -p "${EXTRAPORT1}" -b 10.53.0.10 @10.53.0.3 +tcp +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TLS/PROXY encrypted)" -p "${TLSPORT}" -b 10.53.0.10 @10.53.0.3 +tls +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TLS/PROXY plain)" -p "${EXTRAPORT2}" -b 10.53.0.10 @10.53.0.3 +tls +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTPS/PROXY encrypted)" -p "${HTTPSPORT}" -b 10.53.0.10 @10.53.0.3 +https +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTPS/PROXY plain)" -p "${EXTRAPORT3}" -b 10.53.0.10 @10.53.0.3 +https +proxy-plain NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTP)" -p "${HTTPPORT}" -b 10.53.0.10 @10.53.0.3 +https +proxy NS example
+
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (UDP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TCP, IPv6)" -p "${EXTRAPORT1}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +tcp +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TLS/PROXY encrypted, IPv6)" -p "${TLSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +tls +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (TLS/PROXY plain, IPv6)" -p "${EXTRAPORT2}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +tls +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTPS/PROXY encrypted, IPv6)" -p "${HTTPSPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +https +proxy NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTPS/PROXY plain, IPv6)" -p "${EXTRAPORT3}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +https +proxy-plain NS example
+run_dig_test_expect_failure "$testing: check if BIND does not accept PROXYv2 by default (HTTP, IPv6)" -p "${HTTPPORT}" -b fd92:7065:b8e:ffff::10 @fd92:7065:b8e:ffff::3 +https +proxy NS example
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/proxy/tests_sh_proxy.py b/bin/tests/system/proxy/tests_sh_proxy.py
new file mode 100644 (file)
index 0000000..87e1a99
--- /dev/null
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_proxy(run_tests_sh):
+    run_tests_sh()
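Review bot: `test_proxy` has no docstring, and nothing in this new file says which checks it drives, so a failure is reported as a single pytest case with no hint of what was under test. I would add `"""Run proxy/tests.sh: the PROXYv2 allow-proxy / allow-proxy-on dig checks."""` as the first line of the function body. `run_tests_sh` is a fixture defined outside this hunk; that it runs the sibling tests.sh is inferred from its name and the commit's file list, so the wording should be confirmed against the fixture.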