Fixed rebinding protection bug when using forwarder setups
authorDiego Fronza <diego@isc.org>
Fri, 14 Feb 2020 20:43:31 +0000 (17:43 -0300)
committerOndřej Surý <ondrej@isc.org>
Wed, 8 Apr 2020 07:21:03 +0000 (09:21 +0200)
BIND wasn't honoring option "deny-answer-aliases" when configured to
forward queries.

Before the fix it was possible for nameservers listed in "forwarders"
option to return CNAME answers pointing to unrelated domains of the
original query, which could be used as a vector for rebinding attacks.

The fix ensures that BIND applies the filters even when it is configured
as a forwarder instance.

lib/dns/resolver.c

index bc9cc36079b7a7e4811399a198ce301b47eb4e04..7c44478a26fc8d3840bb5e515a99d67c6798fb8d 100644 (file)
@@ -6447,9 +6447,16 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 
        /*
         * If the target name is a subdomain of the search domain, allow it.
+        *
+        * Note that if BIND is configured as a forwarding DNS server, the
+        * search domain will always match the root domain ("."), so we
+        * must also check whether forwarding is enabled so that filters
+        * can be applied; see GL #1574.
         */
-       if (dns_name_issubdomain(tname, &fctx->domain))
+       if ((fctx->fwdpolicy == dns_fwdpolicy_none) &&
+               dns_name_issubdomain(tname, &fctx->domain)) {
                return (true);
+       }
 
        /*
         * Otherwise, apply filters.
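Review bot: The new guard in `is_answertarget_allowed` skips the subdomain shortcut for every policy other than `dns_fwdpolicy_none`, so under forwarding a target that really is inside the queried domain no longer gets the automatic allow and is decided by the filters alone. That fails closed, which is the right direction for rebinding protection, but it is a behaviour change for operators whose `deny-answer-aliases` list covers their own names, and the added comment only explains why the check is needed. I would add a line to the comment such as `* As a result, with forwarding enabled, in-domain targets are also subject to the filters.` and, if the commit does not already have one elsewhere, a system test in which a forwarder returns an out-of-domain CNAME. The function body starts and ends outside this hunk, so how the filter step treats such names is not visible here.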