horok/knot-resolver
1
0
Fork 0
Code Activity
knot-resolver/modules/rebinding/test.integr/module_rebinding.rpl
Daniel Baumann fbc604e215
Adding upstream version 5.7.5. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-21 13:56:17 +02:00

834 lines
16 KiB
Text
Raw Permalink Blame History

; SPDX-License-Identifier: GPL-3.0-or-later
; config options
; target-fetch-policy: "0 0 0 0 0"
; module-config: "iterator"
; name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test protection from DNS rebinding
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 1000
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
; net.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION AUTHORITY
. IN SOA . . 0 0 0 0 0
ENTRY_END
; root-servers.net.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
root-servers.net. IN NS
SECTION ANSWER
root-servers.net. IN NS k.root-servers.net.
SECTION ADDITIONAL
k.root-servers.net. IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
root-servers.net. IN A
SECTION AUTHORITY
root-servers.net. IN SOA . . 0 0 0 0 0
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
k.root-servers.net. IN A
SECTION ANSWER
k.root-servers.net. IN A 193.0.14.129
SECTION ADDITIONAL
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
k.root-servers.net. IN AAAA
SECTION AUTHORITY
root-servers.net. IN SOA . . 0 0 0 0 0
ENTRY_END
; gtld-servers.net.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
gtld-servers.net. IN NS
SECTION ANSWER
gtld-servers.net. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
gtld-servers.net. IN A
SECTION AUTHORITY
gtld-servers.net. IN SOA . . 0 0 0 0 0
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN A
SECTION ANSWER
a.gtld-servers.net. IN A 192.5.6.30
SECTION ADDITIONAL
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION AUTHORITY
gtld-servers.net. IN SOA . . 0 0 0 0 0
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 1000
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
; NS with address pointing into a private range must not be followed
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
attacker.com. IN A
SECTION AUTHORITY
attacker.com. IN NS ns.attacker.com.
SECTION ADDITIONAL
ns.attacker.com. IN A 192.168.3.5
ENTRY_END
RANGE_END
; ns.attacker.com.
RANGE_BEGIN 0 1000
ADDRESS 19.168.3.5
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attacker.com. IN NS
SECTION ANSWER
attacker.com. IN NS ns.attacker.com.
SECTION ADDITIONAL
ns.attacker.com. IN A 192.168.3.5
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.attacker.com. IN A
SECTION ANSWER
www.attacker.com. IN A 192.0.2.55
ENTRY_END
RANGE_END
; ns.example.com.
RANGE_BEGIN 0 1000
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 192.0.2.40
ENTRY_END
; blacklisted IP addresses
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4-0-0-0-0.example.com. IN A
SECTION ANSWER
attack-ipv4-0-0-0-0.example.com. IN A 0.0.0.0
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4over6-0-0-0-0.example.com. IN AAAA
SECTION ANSWER
attack-ipv4over6-0-0-0-0.example.com. IN AAAA ::ffff:0.0.0.0
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4-10-1-2-3.example.com. IN A
SECTION ANSWER
attack-ipv4-10-1-2-3.example.com. IN A 10.1.2.3
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4over6-10-2-3-4.example.com. IN AAAA
SECTION ANSWER
attack-ipv4over6-10-2-3-4.example.com. IN AAAA ::ffff:10.2.3.4
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4-100-127-255-254.example.com. IN A
SECTION ANSWER
attack-ipv4-100-127-255-254.example.com. IN A 100.127.255.254
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4over6-100-127-255-255.example.com. IN AAAA
SECTION ANSWER
attack-ipv4over6-100-127-255-255.example.com. IN AAAA ::ffff:100.127.255.255
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4-127-0-0-1.example.com. IN A
SECTION ANSWER
attack-ipv4-127-0-0-1.example.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4over6-127-0-0-1.example.com. IN AAAA
SECTION ANSWER
attack-ipv4over6-127-0-0-1.example.com. IN AAAA ::ffff:127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4-169-254-255-255.example.com. IN A
SECTION ANSWER
attack-ipv4-169-254-255-255.example.com. IN A 169.254.255.255
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4over6-169-254-0-0.example.com. IN AAAA
SECTION ANSWER
attack-ipv4over6-169-254-0-0.example.com. IN AAAA ::ffff:169.254.0.0
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4-172-16-0-0.example.com. IN A
SECTION ANSWER
attack-ipv4-172-16-0-0.example.com. IN A 172.16.0.0
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4over6-172-31-255-255.example.com. IN AAAA
SECTION ANSWER
attack-ipv4over6-172-31-255-255.example.com. IN AAAA ::ffff:172.31.255.255
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4-192-168-3-8.example.com. IN A
SECTION ANSWER
attack-ipv4-192-168-3-8.example.com. IN A 192.168.3.8
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv4over6-192-168-254-210.example.com. IN AAAA
SECTION ANSWER
attack-ipv4over6-192-168-254-210.example.com. IN AAAA ::ffff:192.168.254.210
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv6-.example.com. IN AAAA
SECTION ANSWER
attack-ipv6-.example.com. IN AAAA ::
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv6-1.example.com. IN AAAA
SECTION ANSWER
attack-ipv6-1.example.com. IN AAAA ::1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv6-fc00.example.com. IN AAAA
SECTION ANSWER
attack-ipv6-fc00.example.com. IN AAAA fc00::
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
attack-ipv6-fe80.example.com. IN AAAA
SECTION ANSWER
attack-ipv6-fe80.example.com. IN AAAA fe80::
ENTRY_END
RANGE_END
STEP 11 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; recursion happens here, no blacklisted IP address is present
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 192.0.2.40
;SECTION AUTHORITY
;example.com. IN NS ns.example.com.
;SECTION ADDITIONAL
;ns.example.com. IN A 1.2.3.4
ENTRY_END
; test that 0.0.0.0 is blacklisted
STEP 201 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4-0-0-0-0.example.com. IN A
ENTRY_END
STEP 202 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4-0-0-0-0.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that ::ffff:0.0.0.0 is blacklisted
STEP 211 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4over6-0-0-0-0.example.com. IN AAAA
ENTRY_END
STEP 212 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4over6-0-0-0-0.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that 10.1.2.3 is blacklisted
STEP 221 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4-10-1-2-3.example.com. IN A
ENTRY_END
STEP 222 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4-10-1-2-3.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that ::ffff:10.2.3.4 is blacklisted
STEP 231 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4over6-10-2-3-4.example.com. IN AAAA
ENTRY_END
STEP 232 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4over6-10-2-3-4.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that 100.127.255.254 is blacklisted
STEP 241 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4-100-127-255-254.example.com. IN A
ENTRY_END
STEP 242 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4-100-127-255-254.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that ::ffff:100.127.255.255 is blacklisted
STEP 251 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4over6-100-127-255-255.example.com. IN AAAA
ENTRY_END
STEP 252 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4over6-100-127-255-255.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that 127.0.0.1 is blacklisted
STEP 261 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4-127-0-0-1.example.com. IN A
ENTRY_END
STEP 262 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4-127-0-0-1.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that ::ffff:127.0.0.1 is blacklisted
STEP 271 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4over6-127-0-0-1.example.com. IN AAAA
ENTRY_END
STEP 272 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4over6-127-0-0-1.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that 169.254.255.255 is blacklisted
STEP 281 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4-169-254-255-255.example.com. IN A
ENTRY_END
STEP 282 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4-169-254-255-255.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that ::ffff:169.254.0.0 is blacklisted
STEP 291 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4over6-169-254-0-0.example.com. IN AAAA
ENTRY_END
STEP 292 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4over6-169-254-0-0.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that 172.16.0.0 is blacklisted
STEP 301 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4-172-16-0-0.example.com. IN A
ENTRY_END
STEP 302 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4-172-16-0-0.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that ::ffff:172.31.255.255 is blacklisted
STEP 311 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4over6-172-31-255-255.example.com. IN AAAA
ENTRY_END
STEP 312 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4over6-172-31-255-255.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that 192.168.3.8 is blacklisted
STEP 321 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4-192-168-3-8.example.com. IN A
ENTRY_END
STEP 322 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4-192-168-3-8.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that ::ffff:192.168.254.210 is blacklisted
STEP 331 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv4over6-192-168-254-210.example.com. IN AAAA
ENTRY_END
STEP 332 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv4over6-192-168-254-210.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that :: is blacklisted
STEP 341 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv6-.example.com. IN AAAA
ENTRY_END
STEP 342 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv6-.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that ::1 is blacklisted
STEP 351 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv6-1.example.com. IN AAAA
ENTRY_END
STEP 352 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv6-1.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that fc00:: is blacklisted
STEP 361 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv6-fc00.example.com. IN AAAA
ENTRY_END
STEP 362 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv6-fc00.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
; test that fe80:: is blacklisted
STEP 371 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
attack-ipv6-fe80.example.com. IN AAAA
ENTRY_END
STEP 372 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
attack-ipv6-fe80.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
STEP 401 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; it still works if no blacklisted IP address is present
STEP 402 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 192.0.2.40
ENTRY_END
STEP 501 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.attacker.com. IN A
ENTRY_END
; NS for attacker.com. has IP address from private range, it must fail
STEP 502 CHECK_ANSWER
ENTRY_BEGIN
MATCH all answer authority
REPLY QR RD RA REFUSED
SECTION QUESTION
www.attacker.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
explanation.invalid. TXT "blocked by DNS rebinding protection"
ENTRY_END
SCENARIO_END
View git blame Copy permalink