lib/layer/test.integr/iter_limit_refuse.rpl


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

do-ip6: no
; config options
;server:
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Outrageous number of auth servers return REFUSED. Simulates NXNSAttack misusing wildcard which points to victim's DNS server. Lua config checks if number of outgoing queries is within limits.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS	K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com.    IN NS   a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.     IN      A       192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com.	IN NS	ns10.example.com.
example.com.	IN NS	ns11.example.com.
example.com.	IN NS	ns12.example.com.
example.com.	IN NS	ns13.example.com.
example.com.	IN NS	ns14.example.com.
example.com.	IN NS	ns15.example.com.
example.com.	IN NS	ns16.example.com.
example.com.	IN NS	ns17.example.com.
example.com.	IN NS	ns18.example.com.
example.com.	IN NS	ns19.example.com.
SECTION ADDITIONAL
ns10.example.com.		IN 	A	1.2.3.10
ns11.example.com.		IN 	A	1.2.3.11
ns12.example.com.		IN 	A	1.2.3.12
ns13.example.com.		IN 	A	1.2.3.13
ns14.example.com.		IN 	A	1.2.3.14
ns15.example.com.		IN 	A	1.2.3.15
ns16.example.com.		IN 	A	1.2.3.16
ns17.example.com.		IN 	A	1.2.3.17
ns18.example.com.		IN 	A	1.2.3.18
ns19.example.com.		IN 	A	1.2.3.19

ENTRY_END
RANGE_END

; ns1.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.10
	ADDRESS 1.2.3.11
	ADDRESS 1.2.3.12
	ADDRESS 1.2.3.13
	ADDRESS 1.2.3.14
	ADDRESS 1.2.3.15
	ADDRESS 1.2.3.16
	ADDRESS 1.2.3.17
	ADDRESS 1.2.3.18
	ADDRESS 1.2.3.19
ENTRY_BEGIN
MANDATORY
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA REFUSED
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
RANGE_END


; recursion happens here
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; in any case we must get SERVFAIL, no auth works
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

; recursion happens here
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
refused.trigger.check.max.number.of.upstream.queries. IN TXT
ENTRY_END

STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA NOERROR
SECTION QUESTION
refused.trigger.check.max.number.of.upstream.queries. IN TXT
SECTION ANSWER
refused.trigger.check.max.number.of.upstream.queries. IN TXT "pass"
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

SCENARIO_END