; config options
server:
	harden-referral-path: yes
	target-fetch-policy: "0 0 0 0 0"
	qname-minimisation: "no"
	minimal-responses: no
stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test NS record spoof protection.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; for simplicity the root server is authoritative for root-servers.net
; and also for gtld-servers.net
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
K.ROOT-SERVERS.NET. IN A
SECTION ANSWER
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN A
SECTION ANSWER
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
mail.example.com. IN A 10.20.30.50
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.4
SECTION AUTHORITY
example.com. IN NS ns.example.com.
ENTRY_END

; answer to the spoofed query: the spoofed reply.
; here we put it in the nameserver for ease.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
bad123.example.com. IN A
SECTION ANSWER
bad123.example.com. IN A 6.6.6.6
SECTION AUTHORITY
; evil NS set.
example.com. IN NS bad123.example.com.
ENTRY_END

RANGE_END

; evil server
RANGE_BEGIN 0 100
	ADDRESS 6.6.6.6
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 6.6.6.6
SECTION AUTHORITY
example.com. IN NS bad123.example.com.
SECTION ADDITIONAL
bad123.example.com. IN A 6.6.6.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
mail.example.com. IN A 6.6.6.6
SECTION AUTHORITY
example.com. IN NS bad123.example.com.
SECTION ADDITIONAL
bad123.example.com. IN A 6.6.6.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
bad123.example.com. IN A
SECTION ANSWER
bad123.example.com. IN A 6.6.6.6
SECTION AUTHORITY
; evil NS set.
example.com. IN NS bad123.example.com.
ENTRY_END
RANGE_END

STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END

; spoofed query
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
bad123.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
; no matching here: just accept the answer to the spoofed query.
; it is wrong, but it is only one query ...
; this test checks further on that we still have the right nameserver.
;MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
bad123.example.com. IN A
SECTION ANSWER
bad123.example.com. IN A 6.6.6.6
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END

; a new query
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
mail.example.com. IN A
ENTRY_END

STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
mail.example.com. IN A 10.20.30.50
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END

SCENARIO_END
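The cache decision this scenario exercises, as an added example that is not part of the testbound file and not Unbound's code: a toy resolver cache in Python that ranks RRsets roughly as RFC 2181 section 5.4.1 does and accepts a replacement only when it is strictly more trustworthy. That replacement rule, and the placement of AA authority data between the two answer ranks, are this example's assumptions. The evil NS set in the bad123 reply arrives in the authority section of a non-AA answer, the lowest rank, so it cannot displace the example.com NS set learned from the referral, and the mail query of STEP 40 still goes to ns.example.com. A naive last-write-wins cache is run alongside for contrast. Servers, names and addresses are constructed from the scenario above.

```python
"""Toy RRset cache: why the evil NS set above does not displace the good one.

Added example, not Unbound code. RRsets are ranked roughly as RFC 2181 section
5.4.1 does, and a cached RRset is replaced only by a strictly more trustworthy
one (that replacement rule is this example's assumption). Records are constructed
from the scenario above; a naive last-write-wins cache is included for contrast.
"""
from enum import IntEnum


class Trust(IntEnum):
    """Relative trustworthiness of an RRset, lowest first."""
    ADD_OR_AUTH_NOAA = 1  # RFC 2181 group 5: additional data, or authority of a non-AA reply
    ANS_NOAA = 2          # group 4: answer section of a non-authoritative reply
    AUTH_AA = 3           # authority section of an AA reply (placement chosen for this example)
    ANS_AA = 4            # group 3: answer section of an authoritative reply


def rank(section: str, aa: bool) -> Trust:
    """Trust of an RRset from the section it arrived in and the reply's AA flag."""
    if section == "answer":
        return Trust.ANS_AA if aa else Trust.ANS_NOAA
    return Trust.AUTH_AA if (section == "authority" and aa) else Trust.ADD_OR_AUTH_NOAA


class RRsetCache:
    """One RRset per (owner, type), stored as (trust, rdata tuple)."""

    def __init__(self, strict: bool = True):
        self.strict = strict  # False: naive cache that believes whatever arrived last
        self.entries = {}

    def update(self, name: str, rtype: str, rdata: tuple, trust: Trust) -> bool:
        key = (name.lower(), rtype)
        cur = self.entries.get(key)
        if self.strict and cur is not None and trust <= cur[0]:
            return False  # equally or more trustworthy data already cached: ignore it
        self.entries[key] = (trust, rdata)
        return True

    def store_reply(self, reply: dict) -> None:
        """Cache every RRset of a reply with the trust its section earns."""
        for section in ("answer", "authority", "additional"):
            for name, rtype, rdata in reply[section]:
                self.update(name, rtype, tuple(rdata), rank(section, reply["aa"]))

    def lookup(self, name: str, rtype: str):
        entry = self.entries.get((name.lower(), rtype))
        return entry[1] if entry else None


# Records constructed from the scenario above; every reply there is non-AA.
GOOD_NS = ("example.com.", "NS", ["ns.example.com."])
GOOD_GLUE = ("ns.example.com.", "A", ["1.2.3.4"])
EVIL_NS = ("example.com.", "NS", ["bad123.example.com."])


def reply(answer, authority, additional=(), aa=False) -> dict:
    """A reply is a dict of sections, each a list of (owner, type, [rdata, ...])."""
    return {"aa": aa, "answer": list(answer), "authority": list(authority),
            "additional": list(additional)}


GTLD_REFERRAL = reply([], [GOOD_NS], [GOOD_GLUE])  # delegation from a.gtld-servers.net
SERVERS = {  # address -> qname -> reply to an A query
    "1.2.3.4": {  # ns.example.com.
        "www.example.com.": reply([("www.example.com.", "A", ["10.20.30.40"])], [GOOD_NS], [GOOD_GLUE]),
        "mail.example.com.": reply([("mail.example.com.", "A", ["10.20.30.50"])], [GOOD_NS], [GOOD_GLUE]),
        # the spoofed reply: evil NS set in the authority section, no glue, no AA
        "bad123.example.com.": reply([("bad123.example.com.", "A", ["6.6.6.6"])], [EVIL_NS]),
    },
    "6.6.6.6": {  # evil server
        "www.example.com.": reply([("www.example.com.", "A", ["6.6.6.6"])], [EVIL_NS]),
        "mail.example.com.": reply([("mail.example.com.", "A", ["6.6.6.6"])], [EVIL_NS]),
    },
}


def resolve_a(cache: RRsetCache, qname: str) -> str:
    """Pick example.com's nameserver from the cache, ask it, cache its reply."""
    if cache.lookup("example.com.", "NS") is None:
        cache.store_reply(GTLD_REFERRAL)  # first contact: take the parent's referral
    ns_name = cache.lookup("example.com.", "NS")[0]
    ns_addr = cache.lookup(ns_name, "A")[0]  # the glue, or the spoofed answer's A record
    answer = SERVERS[ns_addr][qname]
    cache.store_reply(answer)
    return answer["answer"][0][2][0]


def run_scenario(strict: bool = True) -> dict:
    """Replay STEP 1..50: www, the spoofed bad123 query, then mail."""
    cache = RRsetCache(strict=strict)
    out = {"www": resolve_a(cache, "www.example.com.")}
    out["bad123"] = resolve_a(cache, "bad123.example.com.")
    out["ns"] = cache.lookup("example.com.", "NS")  # which NS set survived the spoof?
    out["mail"] = resolve_a(cache, "mail.example.com.")
    return out
```

run_scenario(True) ends with mail resolving to 10.20.30.50 through ns.example.com., matching STEP 50; run_scenario(False) shows the poisoned path, where the cached NS set becomes bad123.example.com. and mail resolves to 6.6.6.6. In both modes the spoofed A record for bad123.example.com. itself is cached and returned, which is the single wrong answer STEP 30 deliberately accepts; what the ranking contains is the damage to every other name in the zone.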