do-ip6: no ; config options ;server: stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. CONFIG_END SCENARIO_BEGIN Outrageous number of auth servers return REFUSED. Simulates NXNSAttack misusing wildcard which points to victim's DNS server. Lua config checks if number of outgoing queries is within limits. ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION . IN NS SECTION ANSWER . IN NS K.ROOT-SERVERS.NET. SECTION ADDITIONAL K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION com. IN A SECTION AUTHORITY com. IN NS a.gtld-servers.net. SECTION ADDITIONAL a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END RANGE_END ; a.gtld-servers.net. RANGE_BEGIN 0 100 ADDRESS 192.5.6.30 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION com. IN NS SECTION ANSWER com. IN NS a.gtld-servers.net. SECTION ADDITIONAL a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION example.com. IN A SECTION AUTHORITY example.com. IN NS ns10.example.com. example.com. IN NS ns11.example.com. example.com. IN NS ns12.example.com. example.com. IN NS ns13.example.com. example.com. IN NS ns14.example.com. example.com. IN NS ns15.example.com. example.com. IN NS ns16.example.com. example.com. IN NS ns17.example.com. example.com. IN NS ns18.example.com. example.com. IN NS ns19.example.com. SECTION ADDITIONAL ns10.example.com. IN A 1.2.3.10 ns11.example.com. IN A 1.2.3.11 ns12.example.com. IN A 1.2.3.12 ns13.example.com. IN A 1.2.3.13 ns14.example.com. IN A 1.2.3.14 ns15.example.com. IN A 1.2.3.15 ns16.example.com. IN A 1.2.3.16 ns17.example.com. IN A 1.2.3.17 ns18.example.com. IN A 1.2.3.18 ns19.example.com. IN A 1.2.3.19 ENTRY_END RANGE_END ; ns1.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.10 ADDRESS 1.2.3.11 ADDRESS 1.2.3.12 ADDRESS 1.2.3.13 ADDRESS 1.2.3.14 ADDRESS 1.2.3.15 ADDRESS 1.2.3.16 ADDRESS 1.2.3.17 ADDRESS 1.2.3.18 ADDRESS 1.2.3.19 ENTRY_BEGIN MANDATORY MATCH opcode qtype qname ADJUST copy_id REPLY QR AA REFUSED SECTION QUESTION www.example.com. IN A SECTION ANSWER SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END RANGE_END ; recursion happens here STEP 10 QUERY ENTRY_BEGIN REPLY RD DO SECTION QUESTION www.example.com. IN A ENTRY_END ; in any case we must get SERVFAIL, no auth works STEP 11 CHECK_ANSWER ENTRY_BEGIN MATCH all REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A SECTION ANSWER SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END ; recursion happens here STEP 20 QUERY ENTRY_BEGIN REPLY RD DO SECTION QUESTION refused.trigger.check.max.number.of.upstream.queries. IN TXT ENTRY_END STEP 21 CHECK_ANSWER ENTRY_BEGIN MATCH all REPLY QR AA RD RA NOERROR SECTION QUESTION refused.trigger.check.max.number.of.upstream.queries. IN TXT SECTION ANSWER refused.trigger.check.max.number.of.upstream.queries. IN TXT "pass" SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END SCENARIO_END