diff options
Diffstat (limited to 'tests/deckard/sets/resolver/iter_ns_spoof.rpl')
-rw-r--r-- | tests/deckard/sets/resolver/iter_ns_spoof.rpl | 274 |
1 files changed, 274 insertions, 0 deletions
diff --git a/tests/deckard/sets/resolver/iter_ns_spoof.rpl b/tests/deckard/sets/resolver/iter_ns_spoof.rpl new file mode 100644 index 0000000..1b81ed2 --- /dev/null +++ b/tests/deckard/sets/resolver/iter_ns_spoof.rpl @@ -0,0 +1,274 @@ +; config options +; harden-referral-path: yes +; target-fetch-policy: "0 0 0 0 0" +; name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test NS record spoof protection. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +; for simplicity the root server is authoritative for root-servers.net +; and also for gtld-servers.net +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +K.ROOT-SERVERS.NET. IN A +SECTION ANSWER +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +a.gtld-servers.net. IN A +SECTION ANSWER +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +mail.example.com. IN A +SECTION ANSWER +mail.example.com. IN A 10.20.30.50 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +;; answer to the spoofed query ; spoofed reply answer. +; here we put it in the nameserver for ease. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +bad123.example.com. IN A +SECTION ANSWER +bad123.example.com. IN A 6.6.6.6 +SECTION AUTHORITY +; evil NS set. +example.com. IN NS bad123.example.com. +ENTRY_END + +RANGE_END + +; evil server +RANGE_BEGIN 0 100 + ADDRESS 6.6.6.6 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 6.6.6.6 +SECTION AUTHORITY +example.com. IN NS bad123.example.com. +SECTION ADDITIONAL +bad123.example.com. IN A 6.6.6.6 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +mail.example.com. IN A +SECTION ANSWER +mail.example.com. IN A 6.6.6.6 +SECTION AUTHORITY +example.com. IN NS bad123.example.com. +SECTION ADDITIONAL +bad123.example.com. IN A 6.6.6.6 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +bad123.example.com. IN A +SECTION ANSWER +bad123.example.com. IN A 6.6.6.6 +SECTION AUTHORITY +; evil NS set. +example.com. IN NS bad123.example.com. +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; spoofed query +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +bad123.example.com. IN A +ENTRY_END + +; recursion happens here. +; resolver gets address to spoofed server here +STEP 30 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +bad123.example.com. IN A +SECTION ANSWER +bad123.example.com. IN A 6.6.6.6 +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; a new query +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +mail.example.com. IN A +ENTRY_END + +STEP 50 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +mail.example.com. IN A +SECTION ANSWER +mail.example.com. IN A 10.20.30.50 +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END |