mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 14:47:09 +00:00
e0745813f4
resilience of the server. The so-reuseport, harden-below-nxdomain, and minimal-responses options are enabled by default. They used to be disabled by default, waiting to make sure they worked. They are enabled by default now, and can be disabled explicitly by setting them to "no" in the unbound.conf config file. The reuseport and minimal options increases speed of the server, and should be otherwise harmless. The harden-below-nxdomain option works well together with the recently default enabled qname minimisation, this causes more fetches to use information from the cache. git-svn-id: file:///svn/unbound/trunk@4871 be551aaa-1e26-0410-a405-d3ace91eadb9
281 lines
5.2 KiB
Plaintext
281 lines
5.2 KiB
Plaintext
; config options
|
|
server:
|
|
harden-referral-path: yes
|
|
target-fetch-policy: "0 0 0 0 0"
|
|
qname-minimisation: "no"
|
|
minimal-responses: no
|
|
stub-zone:
|
|
name: "."
|
|
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
|
CONFIG_END
|
|
|
|
SCENARIO_BEGIN Test NS record spoof protection.
|
|
|
|
; K.ROOT-SERVERS.NET.
|
|
RANGE_BEGIN 0 100
|
|
ADDRESS 193.0.14.129
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
. IN NS
|
|
SECTION ANSWER
|
|
. IN NS K.ROOT-SERVERS.NET.
|
|
SECTION ADDITIONAL
|
|
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode subdomain
|
|
ADJUST copy_id copy_query
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
com. IN NS
|
|
SECTION AUTHORITY
|
|
com. IN NS a.gtld-servers.net.
|
|
SECTION ADDITIONAL
|
|
a.gtld-servers.net. IN A 192.5.6.30
|
|
ENTRY_END
|
|
|
|
; for simplicity the root server is authoritative for root-servers.net
|
|
; and also for gtld-servers.net
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR AA NOERROR
|
|
SECTION QUESTION
|
|
K.ROOT-SERVERS.NET. IN A
|
|
SECTION ANSWER
|
|
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR AA NOERROR
|
|
SECTION QUESTION
|
|
a.gtld-servers.net. IN A
|
|
SECTION ANSWER
|
|
a.gtld-servers.net. IN A 192.5.6.30
|
|
ENTRY_END
|
|
|
|
RANGE_END
|
|
|
|
; a.gtld-servers.net.
|
|
RANGE_BEGIN 0 100
|
|
ADDRESS 192.5.6.30
|
|
ENTRY_BEGIN
|
|
MATCH opcode subdomain
|
|
ADJUST copy_id copy_query
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
example.com. IN NS
|
|
SECTION AUTHORITY
|
|
example.com. IN NS ns.example.com.
|
|
SECTION ADDITIONAL
|
|
ns.example.com. IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
com. IN NS
|
|
SECTION ANSWER
|
|
com. IN NS a.gtld-servers.net.
|
|
SECTION ADDITIONAL
|
|
a.gtld-servers.net. IN A 192.5.6.30
|
|
ENTRY_END
|
|
RANGE_END
|
|
|
|
; ns.example.com.
|
|
RANGE_BEGIN 0 100
|
|
ADDRESS 1.2.3.4
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
SECTION ANSWER
|
|
www.example.com. IN A 10.20.30.40
|
|
SECTION AUTHORITY
|
|
example.com. IN NS ns.example.com.
|
|
SECTION ADDITIONAL
|
|
ns.example.com. IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
mail.example.com. IN A
|
|
SECTION ANSWER
|
|
mail.example.com. IN A 10.20.30.50
|
|
SECTION AUTHORITY
|
|
example.com. IN NS ns.example.com.
|
|
SECTION ADDITIONAL
|
|
ns.example.com. IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR AA NOERROR
|
|
SECTION QUESTION
|
|
example.com. IN NS
|
|
SECTION ANSWER
|
|
example.com. IN NS ns.example.com.
|
|
SECTION ADDITIONAL
|
|
ns.example.com. IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR AA NOERROR
|
|
SECTION QUESTION
|
|
ns.example.com. IN A
|
|
SECTION ANSWER
|
|
ns.example.com. IN A 1.2.3.4
|
|
SECTION AUTHORITY
|
|
example.com. IN NS ns.example.com.
|
|
ENTRY_END
|
|
|
|
;; answer to the spoofed query ; spoofed reply answer.
|
|
; here we put it in the nameserver for ease.
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
bad123.example.com. IN A
|
|
SECTION ANSWER
|
|
bad123.example.com. IN A 6.6.6.6
|
|
SECTION AUTHORITY
|
|
; evil NS set.
|
|
example.com. IN NS bad123.example.com.
|
|
ENTRY_END
|
|
|
|
RANGE_END
|
|
|
|
; evil server
|
|
RANGE_BEGIN 0 100
|
|
ADDRESS 6.6.6.6
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
SECTION ANSWER
|
|
www.example.com. IN A 6.6.6.6
|
|
SECTION AUTHORITY
|
|
example.com. IN NS bad123.example.com.
|
|
SECTION ADDITIONAL
|
|
bad123.example.com. IN A 6.6.6.6
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
mail.example.com. IN A
|
|
SECTION ANSWER
|
|
mail.example.com. IN A 6.6.6.6
|
|
SECTION AUTHORITY
|
|
example.com. IN NS bad123.example.com.
|
|
SECTION ADDITIONAL
|
|
bad123.example.com. IN A 6.6.6.6
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
bad123.example.com. IN A
|
|
SECTION ANSWER
|
|
bad123.example.com. IN A 6.6.6.6
|
|
SECTION AUTHORITY
|
|
; evil NS set.
|
|
example.com. IN NS bad123.example.com.
|
|
ENTRY_END
|
|
RANGE_END
|
|
|
|
STEP 1 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
ENTRY_END
|
|
|
|
; recursion happens here.
|
|
STEP 10 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
SECTION ANSWER
|
|
www.example.com. IN A 10.20.30.40
|
|
SECTION AUTHORITY
|
|
example.com. IN NS ns.example.com.
|
|
SECTION ADDITIONAL
|
|
ns.example.com. IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
; spoofed query
|
|
STEP 20 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
bad123.example.com. IN A
|
|
ENTRY_END
|
|
|
|
; recursion happens here.
|
|
STEP 30 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
; no matching here, just accept the answer to the spoofed query.
|
|
; it is wrong, but only one query ...
|
|
; this test is to check further on, that we still have the right nameserver.
|
|
;MATCH all
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
bad123.example.com. IN A
|
|
SECTION ANSWER
|
|
bad123.example.com. IN A 6.6.6.6
|
|
SECTION AUTHORITY
|
|
example.com. IN NS ns.example.com.
|
|
SECTION ADDITIONAL
|
|
ns.example.com. IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
; a new query
|
|
STEP 40 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
mail.example.com. IN A
|
|
ENTRY_END
|
|
|
|
STEP 50 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
mail.example.com. IN A
|
|
SECTION ANSWER
|
|
mail.example.com. IN A 10.20.30.50
|
|
SECTION AUTHORITY
|
|
example.com. IN NS ns.example.com.
|
|
SECTION ADDITIONAL
|
|
ns.example.com. IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
SCENARIO_END
|