diff options
Diffstat (limited to 'modules/rebinding/test.integr/module_rebinding.rpl')
-rw-r--r-- | modules/rebinding/test.integr/module_rebinding.rpl | 834 |
1 files changed, 834 insertions, 0 deletions
diff --git a/modules/rebinding/test.integr/module_rebinding.rpl b/modules/rebinding/test.integr/module_rebinding.rpl new file mode 100644 index 0000000..1e344c5 --- /dev/null +++ b/modules/rebinding/test.integr/module_rebinding.rpl @@ -0,0 +1,834 @@ +; SPDX-License-Identifier: GPL-3.0-or-later +; config options +; target-fetch-policy: "0 0 0 0 0" +; module-config: "iterator" +; name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test protection from DNS rebinding + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 1000 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +; net. +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +net. IN NS +SECTION AUTHORITY +. IN SOA . . 0 0 0 0 0 +ENTRY_END + +; root-servers.net. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +root-servers.net. IN NS +SECTION ANSWER +root-servers.net. IN NS k.root-servers.net. +SECTION ADDITIONAL +k.root-servers.net. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +root-servers.net. IN A +SECTION AUTHORITY +root-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +k.root-servers.net. IN A +SECTION ANSWER +k.root-servers.net. IN A 193.0.14.129 +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +k.root-servers.net. IN AAAA +SECTION AUTHORITY +root-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +; gtld-servers.net. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gtld-servers.net. IN NS +SECTION ANSWER +gtld-servers.net. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gtld-servers.net. IN A +SECTION AUTHORITY +gtld-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.gtld-servers.net. IN A +SECTION ANSWER +a.gtld-servers.net. IN A 192.5.6.30 +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.gtld-servers.net. IN AAAA +SECTION AUTHORITY +gtld-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 1000 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; NS with address pointing into a private range must not be followed +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +attacker.com. IN A +SECTION AUTHORITY +attacker.com. IN NS ns.attacker.com. +SECTION ADDITIONAL +ns.attacker.com. IN A 192.168.3.5 +ENTRY_END +RANGE_END + +; ns.attacker.com. +RANGE_BEGIN 0 1000 + ADDRESS 19.168.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attacker.com. IN NS +SECTION ANSWER +attacker.com. IN NS ns.attacker.com. +SECTION ADDITIONAL +ns.attacker.com. IN A 192.168.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.attacker.com. IN A +SECTION ANSWER +www.attacker.com. IN A 192.0.2.55 +ENTRY_END +RANGE_END + + +; ns.example.com. +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 192.0.2.40 +ENTRY_END + +; blacklisted IP addresses +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-0-0-0-0.example.com. IN A +SECTION ANSWER +attack-ipv4-0-0-0-0.example.com. IN A 0.0.0.0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-0-0-0-0.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-0-0-0-0.example.com. IN AAAA ::ffff:0.0.0.0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-10-1-2-3.example.com. IN A +SECTION ANSWER +attack-ipv4-10-1-2-3.example.com. IN A 10.1.2.3 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-10-2-3-4.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-10-2-3-4.example.com. IN AAAA ::ffff:10.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-100-127-255-254.example.com. IN A +SECTION ANSWER +attack-ipv4-100-127-255-254.example.com. IN A 100.127.255.254 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-100-127-255-255.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-100-127-255-255.example.com. IN AAAA ::ffff:100.127.255.255 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-127-0-0-1.example.com. IN A +SECTION ANSWER +attack-ipv4-127-0-0-1.example.com. IN A 127.0.0.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-127-0-0-1.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-127-0-0-1.example.com. IN AAAA ::ffff:127.0.0.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-169-254-255-255.example.com. IN A +SECTION ANSWER +attack-ipv4-169-254-255-255.example.com. IN A 169.254.255.255 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-169-254-0-0.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-169-254-0-0.example.com. IN AAAA ::ffff:169.254.0.0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-172-16-0-0.example.com. IN A +SECTION ANSWER +attack-ipv4-172-16-0-0.example.com. IN A 172.16.0.0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-172-31-255-255.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-172-31-255-255.example.com. IN AAAA ::ffff:172.31.255.255 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4-192-168-3-8.example.com. IN A +SECTION ANSWER +attack-ipv4-192-168-3-8.example.com. IN A 192.168.3.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv4over6-192-168-254-210.example.com. IN AAAA +SECTION ANSWER +attack-ipv4over6-192-168-254-210.example.com. IN AAAA ::ffff:192.168.254.210 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv6-.example.com. IN AAAA +SECTION ANSWER +attack-ipv6-.example.com. IN AAAA :: +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv6-1.example.com. IN AAAA +SECTION ANSWER +attack-ipv6-1.example.com. IN AAAA ::1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv6-fc00.example.com. IN AAAA +SECTION ANSWER +attack-ipv6-fc00.example.com. IN AAAA fc00:: +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +attack-ipv6-fe80.example.com. IN AAAA +SECTION ANSWER +attack-ipv6-fe80.example.com. IN AAAA fe80:: +ENTRY_END + +RANGE_END + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here, no blacklisted IP address is present +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 192.0.2.40 +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; test that 0.0.0.0 is blacklisted +STEP 201 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-0-0-0-0.example.com. IN A +ENTRY_END + +STEP 202 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-0-0-0-0.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:0.0.0.0 is blacklisted +STEP 211 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-0-0-0-0.example.com. IN AAAA +ENTRY_END + +STEP 212 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-0-0-0-0.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 10.1.2.3 is blacklisted +STEP 221 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-10-1-2-3.example.com. IN A +ENTRY_END + +STEP 222 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-10-1-2-3.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:10.2.3.4 is blacklisted +STEP 231 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-10-2-3-4.example.com. IN AAAA +ENTRY_END + +STEP 232 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-10-2-3-4.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 100.127.255.254 is blacklisted +STEP 241 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-100-127-255-254.example.com. IN A +ENTRY_END + +STEP 242 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-100-127-255-254.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:100.127.255.255 is blacklisted +STEP 251 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-100-127-255-255.example.com. IN AAAA +ENTRY_END + +STEP 252 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-100-127-255-255.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 127.0.0.1 is blacklisted +STEP 261 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-127-0-0-1.example.com. IN A +ENTRY_END + +STEP 262 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-127-0-0-1.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:127.0.0.1 is blacklisted +STEP 271 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-127-0-0-1.example.com. IN AAAA +ENTRY_END + +STEP 272 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-127-0-0-1.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 169.254.255.255 is blacklisted +STEP 281 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-169-254-255-255.example.com. IN A +ENTRY_END + +STEP 282 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-169-254-255-255.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:169.254.0.0 is blacklisted +STEP 291 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-169-254-0-0.example.com. IN AAAA +ENTRY_END + +STEP 292 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-169-254-0-0.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 172.16.0.0 is blacklisted +STEP 301 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-172-16-0-0.example.com. IN A +ENTRY_END + +STEP 302 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-172-16-0-0.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:172.31.255.255 is blacklisted +STEP 311 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-172-31-255-255.example.com. IN AAAA +ENTRY_END + +STEP 312 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-172-31-255-255.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that 192.168.3.8 is blacklisted +STEP 321 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4-192-168-3-8.example.com. IN A +ENTRY_END + +STEP 322 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4-192-168-3-8.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::ffff:192.168.254.210 is blacklisted +STEP 331 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv4over6-192-168-254-210.example.com. IN AAAA +ENTRY_END + +STEP 332 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv4over6-192-168-254-210.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that :: is blacklisted +STEP 341 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv6-.example.com. IN AAAA +ENTRY_END + +STEP 342 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv6-.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that ::1 is blacklisted +STEP 351 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv6-1.example.com. IN AAAA +ENTRY_END + +STEP 352 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv6-1.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that fc00:: is blacklisted +STEP 361 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv6-fc00.example.com. IN AAAA +ENTRY_END + +STEP 362 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv6-fc00.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +; test that fe80:: is blacklisted +STEP 371 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +attack-ipv6-fe80.example.com. IN AAAA +ENTRY_END + +STEP 372 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +attack-ipv6-fe80.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +STEP 401 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; it still works if no blacklisted IP address is present +STEP 402 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 192.0.2.40 +ENTRY_END + +STEP 501 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.attacker.com. IN A +ENTRY_END + +; NS for attacker.com. has IP address from private range, it must fail +STEP 502 CHECK_ANSWER +ENTRY_BEGIN +MATCH all answer authority +REPLY QR RD RA REFUSED +SECTION QUESTION +www.attacker.com. IN A +SECTION ANSWER +SECTION AUTHORITY +SECTION ADDITIONAL +explanation.invalid. TXT "blocked by DNS rebinding protection" +ENTRY_END + +SCENARIO_END |