; config options
server:
	harden-referral-path: yes
	target-fetch-policy: "0 0 0 0 0"
stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test NS record spoof protection.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS	K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END

; for simplicity the root server is authoritative for root-servers.net
; and also for gtld-servers.net
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
K.ROOT-SERVERS.NET. IN A
SECTION ANSWER
K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN A
SECTION ANSWER
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END

RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A	10.20.30.40
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
mail.example.com. IN A	10.20.30.50
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com.		IN 	A	1.2.3.4
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
ENTRY_END

; answer to the spoofed query: the spoofed reply answer.
; here we put it in the nameserver for ease.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
bad123.example.com. IN A
SECTION ANSWER
bad123.example.com. IN A 6.6.6.6
SECTION AUTHORITY
; evil NS set.
example.com.	IN NS	bad123.example.com.
ENTRY_END

RANGE_END

; evil server
RANGE_BEGIN 0 100
	ADDRESS 6.6.6.6
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A	6.6.6.6
SECTION AUTHORITY
example.com.	IN NS	bad123.example.com.
SECTION ADDITIONAL
bad123.example.com.	IN 	A	6.6.6.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
mail.example.com. IN A	6.6.6.6
SECTION AUTHORITY
example.com.	IN NS	bad123.example.com.
SECTION ADDITIONAL
bad123.example.com.	IN 	A	6.6.6.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
bad123.example.com. IN A
SECTION ANSWER
bad123.example.com. IN A 6.6.6.6
SECTION AUTHORITY
; evil NS set.
example.com.	IN NS	bad123.example.com.
ENTRY_END
RANGE_END

STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A	10.20.30.40
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

; spoofed query
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
bad123.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
; no matching here, just accept the answer to the spoofed query.
; it is wrong, but it is only one query ...
; this test checks further on that we still have the right nameserver.
;MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
bad123.example.com. IN A
SECTION ANSWER
bad123.example.com. IN A 6.6.6.6
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

; a new query
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
mail.example.com. IN A
ENTRY_END

STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
mail.example.com. IN A	10.20.30.50
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

SCENARIO_END