diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:26:00 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 15:26:00 +0000 |
commit | 830407e88f9d40d954356c3754f2647f91d5c06a (patch) | |
tree | d6a0ece6feea91f3c656166dbaa884ef8a29740e /modules/rebinding/test.integr | |
parent | Initial commit. (diff) | |
download | knot-resolver-upstream/5.6.0.tar.xz knot-resolver-upstream/5.6.0.zip |
Adding upstream version 5.6.0.upstream/5.6.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/rebinding/test.integr')
-rw-r--r-- | modules/rebinding/test.integr/deckard.yaml | 12 | ||||
-rw-r--r-- | modules/rebinding/test.integr/kresd_config.j2 | 59 | ||||
-rw-r--r-- | modules/rebinding/test.integr/module_rebinding.rpl | 834 |
3 files changed, 905 insertions, 0 deletions
diff --git a/modules/rebinding/test.integr/deckard.yaml b/modules/rebinding/test.integr/deckard.yaml new file mode 100644 index 0000000..9b1793b --- /dev/null +++ b/modules/rebinding/test.integr/deckard.yaml @@ -0,0 +1,12 @@ +# SPDX-License-Identifier: GPL-3.0-or-later +programs: +- name: kresd + binary: kresd + additional: + - --noninteractive + templates: + - modules/rebinding/test.integr/kresd_config.j2 + - tests/integration/hints_zone.j2 + configs: + - config + - hints diff --git a/modules/rebinding/test.integr/kresd_config.j2 b/modules/rebinding/test.integr/kresd_config.j2 new file mode 100644 index 0000000..aed3551 --- /dev/null +++ b/modules/rebinding/test.integr/kresd_config.j2 @@ -0,0 +1,59 @@ +-- SPDX-License-Identifier: GPL-3.0-or-later +{% raw %} +-- make sure DNSSEC is turned off for tests +trust_anchors.remove('.') + +-- Disable RFC5011 TA update +if ta_update then + modules.unload('ta_update') +end + +-- Disable RFC8145 signaling, scenario doesn't provide expected answers +if ta_signal_query then + modules.unload('ta_signal_query') +end + +-- Disable RFC8109 priming, scenario doesn't provide expected answers +if priming then + modules.unload('priming') +end + +-- Disable this module because it make one priming query +if detect_time_skew then + modules.unload('detect_time_skew') +end + +modules.load('rebinding < iterate') + +_hint_root_file('hints') +cache.size = 2*MB +log_level('debug') +net.ipv6 = false +{% endraw %} + +net = { '{{SELF_ADDR}}' } + + +{% if QMIN == "false" %} +option('NO_MINIMIZE', true) +{% else %} +option('NO_MINIMIZE', false) +{% endif %} + + +-- Self-checks on globals +assert(help() ~= nil) +assert(worker.id ~= nil) +-- Self-checks on facilities +assert(cache.count() == 0) +assert(cache.stats() ~= nil) +assert(cache.backends() ~= nil) +assert(worker.stats() ~= nil) +assert(net.interfaces() ~= nil) +-- Self-checks on loaded stuff +assert(net.list()[1].transport.ip == '{{SELF_ADDR}}') +assert(#modules.list() > 0) +-- Self-check timers +ev = event.recurrent(1 * sec, function (ev) return 1 end) +event.cancel(ev) +ev = event.after(0, function (ev) return 1 end) diff --git a/modules/rebinding/test.integr/module_rebinding.rpl b/modules/rebinding/test.integr/module_rebinding.rpl new file mode 100644 index 0000000..1e344c5 --- /dev/null +++ b/modules/rebinding/test.integr/module_rebinding.rpl @@ -0,0 +1,834 @@ +; SPDX-License-Identifier: GPL-3.0-or-later +; config options +; target-fetch-policy: "0 0 0 0 0" +; module-config: "iterator" +; name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test protection from DNS rebinding + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 1000 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +; net. +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +net. IN NS +SECTION AUTHORITY +. IN SOA . . 0 0 0 0 0 +ENTRY_END + +; root-servers.net. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +root-servers.net. IN NS +SECTION ANSWER +root-servers.net. IN NS k.root-servers.net. +SECTION ADDITIONAL +k.root-servers.net. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +root-servers.net. IN A +SECTION AUTHORITY +root-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +k.root-servers.net. IN A +SECTION ANSWER +k.root-servers.net. IN A 193.0.14.129 +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +k.root-servers.net. IN AAAA +SECTION AUTHORITY +root-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +; gtld-servers.net. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gtld-servers.net. IN NS +SECTION ANSWER +gtld-servers.net. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gtld-servers.net. IN A +SECTION AUTHORITY +gtld-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.gtld-servers.net. IN A +SECTION ANSWER +a.gtld-servers.net. IN A 192.5.6.30 +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.gtld-servers.net. IN AAAA +SECTION AUTHORITY +gtld-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 1000 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; NS with address pointing into a private range must not be followed +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +attacker.com. IN A +SECTION AUTHORITY +attacker.com. IN NS ns.attacker.com. +SECTION ADDITIONAL +ns.attacker.com. IN A 192.168.3.5 +ENTRY_END +RANGE_END + +; ns.attacker.com. +RANGE_BEGIN 0 1000 + ADDRESS 19.168.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attacker.com. IN NS +SECTION ANSWER +attacker.com. IN NS ns.attacker.com. +SECTION ADDITIONAL +ns.attacker.com. IN A 192.168.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.attacker.com. IN A +SECTION ANSWER +www.attacker.com. IN A 192.0.2.55 +ENTRY_END +RANGE_END + + +; ns.example.com. +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 192.0.2.40 +ENTRY_END + +; blacklisted IP addresses +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-0-0-0-0.example.com. IN A +SECTION ANSWER +attack-ipv4-0-0-0-0.example.com. IN A 0.0.0.0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-0-0-0-0.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-0-0-0-0.example.com. IN AAAA ::ffff:0.0.0.0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-10-1-2-3.example.com. IN A +SECTION ANSWER +attack-ipv4-10-1-2-3.example.com. IN A 10.1.2.3 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-10-2-3-4.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-10-2-3-4.example.com. IN AAAA ::ffff:10.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-100-127-255-254.example.com. IN A +SECTION ANSWER +attack-ipv4-100-127-255-254.example.com. IN A 100.127.255.254 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-100-127-255-255.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-100-127-255-255.example.com. IN AAAA ::ffff:100.127.255.255 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-127-0-0-1.example.com. IN A +SECTION ANSWER +attack-ipv4-127-0-0-1.example.com. IN A 127.0.0.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-127-0-0-1.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-127-0-0-1.example.com. IN AAAA ::ffff:127.0.0.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-169-254-255-255.example.com. IN A +SECTION ANSWER +attack-ipv4-169-254-255-255.example.com. IN A 169.254.255.255 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-169-254-0-0.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-169-254-0-0.example.com. IN AAAA ::ffff:169.254.0.0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-172-16-0-0.example.com. IN A +SECTION ANSWER +attack-ipv4-172-16-0-0.example.com. IN A 172.16.0.0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-172-31-255-255.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-172-31-255-255.example.com. IN AAAA ::ffff:172.31.255.255 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-192-168-3-8.example.com. IN A +SECTION ANSWER +attack-ipv4-192-168-3-8.example.com. IN A 192.168.3.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-192-168-254-210.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-192-168-254-210.example.com. IN AAAA ::ffff:192.168.254.210 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv6-.example.com. IN AAAA +SECTION ANSWER +attack-ipv6-.example.com. IN AAAA :: +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv6-1.example.com. IN AAAA +SECTION ANSWER +attack-ipv6-1.example.com. IN AAAA ::1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv6-fc00.example.com. IN AAAA +SECTION ANSWER +attack-ipv6-fc00.example.com. IN AAAA fc00:: +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv6-fe80.example.com. IN AAAA +SECTION ANSWER +attack-ipv6-fe80.example.com. IN AAAA fe80:: +ENTRY_END + +RANGE_END + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here, no blacklisted IP address is present +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 192.0.2.40 +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; test that 0.0.0.0 is blacklisted +STEP 201 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-0-0-0-0.example.com. IN A +ENTRY_END + +STEP 202 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-0-0-0-0.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:0.0.0.0 is blacklisted +STEP 211 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-0-0-0-0.example.com. IN AAAA +ENTRY_END + +STEP 212 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-0-0-0-0.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 10.1.2.3 is blacklisted +STEP 221 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-10-1-2-3.example.com. IN A +ENTRY_END + +STEP 222 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-10-1-2-3.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:10.2.3.4 is blacklisted +STEP 231 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-10-2-3-4.example.com. IN AAAA +ENTRY_END + +STEP 232 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-10-2-3-4.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 100.127.255.254 is blacklisted +STEP 241 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-100-127-255-254.example.com. IN A +ENTRY_END + +STEP 242 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-100-127-255-254.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:100.127.255.255 is blacklisted +STEP 251 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-100-127-255-255.example.com. IN AAAA +ENTRY_END + +STEP 252 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-100-127-255-255.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 127.0.0.1 is blacklisted +STEP 261 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-127-0-0-1.example.com. IN A +ENTRY_END + +STEP 262 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-127-0-0-1.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:127.0.0.1 is blacklisted +STEP 271 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-127-0-0-1.example.com. IN AAAA +ENTRY_END + +STEP 272 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-127-0-0-1.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 169.254.255.255 is blacklisted +STEP 281 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-169-254-255-255.example.com. IN A +ENTRY_END + +STEP 282 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-169-254-255-255.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:169.254.0.0 is blacklisted +STEP 291 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-169-254-0-0.example.com. IN AAAA +ENTRY_END + +STEP 292 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-169-254-0-0.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 172.16.0.0 is blacklisted +STEP 301 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-172-16-0-0.example.com. IN A +ENTRY_END + +STEP 302 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-172-16-0-0.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:172.31.255.255 is blacklisted +STEP 311 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-172-31-255-255.example.com. IN AAAA +ENTRY_END + +STEP 312 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-172-31-255-255.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 192.168.3.8 is blacklisted +STEP 321 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-192-168-3-8.example.com. IN A +ENTRY_END + +STEP 322 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-192-168-3-8.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:192.168.254.210 is blacklisted +STEP 331 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-192-168-254-210.example.com. IN AAAA +ENTRY_END + +STEP 332 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-192-168-254-210.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that :: is blacklisted +STEP 341 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv6-.example.com. IN AAAA +ENTRY_END + +STEP 342 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv6-.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::1 is blacklisted +STEP 351 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv6-1.example.com. IN AAAA +ENTRY_END + +STEP 352 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv6-1.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that fc00:: is blacklisted +STEP 361 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv6-fc00.example.com. IN AAAA +ENTRY_END + +STEP 362 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv6-fc00.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that fe80:: is blacklisted +STEP 371 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv6-fe80.example.com. IN AAAA +ENTRY_END + +STEP 372 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv6-fe80.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +STEP 401 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; it still works if no blacklisted IP address is present +STEP 402 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 192.0.2.40 +ENTRY_END + +STEP 501 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.attacker.com. IN A +ENTRY_END + +; NS for attacker.com. has IP address from private range, it must fail +STEP 502 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +www.attacker.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +SCENARIO_END |