mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
- Fix rpz for qtype CNAME after nameserver trigger.
This commit is contained in:
W.C.A. Wijngaards
parent
e46b188fe8
commit
8dbf46913b
@ -5,6 +5,7 @@
|
||||
- Fix rpz that copies the cname override completely to the temp
|
||||
region, so there are no references to the rpz region.
|
||||
- Add rpz unit test for nsip action override.
|
||||
- Fix rpz for qtype CNAME after nameserver trigger.
|
||||
|
||||
15 March 2024: Yorgos
|
||||
- Merge #1030: Persist the openssl and expat directories for repeated
|
||||
|
||||
@ -1458,6 +1458,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
forged_response->rep, iq->qchase.qname,
|
||||
iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
|
||||
iq->qchase.qclass) &&
|
||||
iq->qchase.qtype != LDNS_RR_TYPE_CNAME &&
|
||||
count++ < ie->max_query_restarts) {
|
||||
/* another cname to follow */
|
||||
if(!handle_cname_response(qstate, iq, forged_response,
|
||||
@ -2750,7 +2751,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
if(qstate->env->auth_zones) {
|
||||
uint8_t* sname = NULL;
|
||||
size_t snamelen = 0;
|
||||
/* apply rpz triggers at query time */
|
||||
/* apply rpz triggers at query time; nameserver IP and dname */
|
||||
struct dns_msg* forged_response_after_cname;
|
||||
struct dns_msg* forged_response = rpz_callback_from_iterator_module(qstate, iq);
|
||||
int count = 0;
|
||||
@ -2758,6 +2759,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
forged_response->rep, iq->qchase.qname,
|
||||
iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
|
||||
iq->qchase.qclass) &&
|
||||
iq->qchase.qtype != LDNS_RR_TYPE_CNAME &&
|
||||
count++ < ie->max_query_restarts) {
|
||||
/* another cname to follow */
|
||||
if(!handle_cname_response(qstate, iq, forged_response,
|
||||
@ -3391,6 +3393,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
forged_response->rep, iq->qchase.qname,
|
||||
iq->qchase.qname_len, LDNS_RR_TYPE_CNAME,
|
||||
iq->qchase.qclass) &&
|
||||
iq->qchase.qtype != LDNS_RR_TYPE_CNAME &&
|
||||
count++ < ie->max_query_restarts) {
|
||||
/* another cname to follow */
|
||||
if(!handle_cname_response(qstate, iq, forged_response,
|
||||
|
||||
120
testdata/rpz_qtype_cname.rpl
vendored
Normal file
120
testdata/rpz_qtype_cname.rpl
vendored
Normal file
@ -0,0 +1,120 @@
|
||||
; config options
|
||||
server:
|
||||
module-config: "respip validator iterator"
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: no
|
||||
access-control: 192.0.0.0/8 allow
|
||||
|
||||
rpz:
|
||||
name: "rpz.example.com."
|
||||
rpz-log: yes
|
||||
rpz-log-name: "rpz.example.com"
|
||||
zonefile:
|
||||
TEMPFILE_NAME rpz.example.com
|
||||
TEMPFILE_CONTENTS rpz.example.com
|
||||
$ORIGIN example.com.
|
||||
rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
|
||||
1379078166 28800 7200 604800 7200 )
|
||||
3600 IN NS ns1.rpz.example.com.
|
||||
3600 IN NS ns2.rpz.example.com.
|
||||
$ORIGIN rpz.example.com.
|
||||
www.gotham.a CNAME foo.target.a.
|
||||
32.42.30.20.10.rpz-nsip CNAME foo.target.a.
|
||||
TEMPFILE_END
|
||||
|
||||
stub-zone:
|
||||
name: "a."
|
||||
stub-addr: 10.20.30.40
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test RPZ with qtype CNAME.
|
||||
|
||||
; a.
|
||||
RANGE_BEGIN 0 1000
|
||||
ADDRESS 10.20.30.40
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.gotham.a. IN A
|
||||
SECTION AUTHORITY
|
||||
gotham.a. NS ns1.gotham.a.
|
||||
SECTION ADDITIONAL
|
||||
ns1.gotham.a. A 10.20.30.41
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
gotham2.a. IN NS
|
||||
SECTION AUTHORITY
|
||||
gotham2.a. NS ns1.gotham2.a.
|
||||
SECTION ADDITIONAL
|
||||
ns1.gotham2.a. A 10.20.30.42
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
target.a. IN A
|
||||
SECTION ANSWER
|
||||
target.a. IN A 1.2.3.6
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; gotham2.a.
|
||||
RANGE_BEGIN 0 1000
|
||||
ADDRESS 10.20.30.42
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.gotham2.a. IN CNAME
|
||||
SECTION ANSWER
|
||||
www.gotham2.a. CNAME foo2.target.a.
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; Query for type CNAME, from the RPZ response
|
||||
STEP 10 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.gotham.a. IN CNAME
|
||||
ENTRY_END
|
||||
|
||||
STEP 11 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AA
|
||||
SECTION QUESTION
|
||||
www.gotham.a. IN CNAME
|
||||
SECTION ANSWER
|
||||
www.gotham.a. IN CNAME foo.target.a.
|
||||
ENTRY_END
|
||||
|
||||
; Query for type CNAME, the answer is nameserver lookup, CNAME from rpz nsip.
|
||||
STEP 20 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.gotham2.a. IN CNAME
|
||||
ENTRY_END
|
||||
|
||||
STEP 21 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.gotham2.a. IN CNAME
|
||||
SECTION ANSWER
|
||||
www.gotham2.a. IN CNAME foo.target.a.
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
||||
Loading…
Reference in New Issue
Block a user