      1 ; config options
      2 server:
      3 	harden-referral-path: yes
      4 	target-fetch-policy: "0 0 0 0 0"
      5 	qname-minimisation: "no"
      6 	minimal-responses: no
      7 	iter-scrub-promiscuous: no
      8 stub-zone:
      9 	name: "."
     10 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
     11 CONFIG_END
     12 
     13 SCENARIO_BEGIN Test NS record spoof protection.
     14 
     15 ; K.ROOT-SERVERS.NET.
     16 RANGE_BEGIN 0 100
     17 	ADDRESS 193.0.14.129 
     18 ENTRY_BEGIN
     19 MATCH opcode qtype qname
     20 ADJUST copy_id
     21 REPLY QR NOERROR
     22 SECTION QUESTION
     23 . IN NS
     24 SECTION ANSWER
     25 . IN NS	K.ROOT-SERVERS.NET.
     26 SECTION ADDITIONAL
     27 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
     28 ENTRY_END
     29 
     30 ENTRY_BEGIN
     31 MATCH opcode subdomain
     32 ADJUST copy_id copy_query
     33 REPLY QR NOERROR
     34 SECTION QUESTION
     35 com.	IN NS
     36 SECTION AUTHORITY
     37 com.	IN NS	a.gtld-servers.net.
     38 SECTION ADDITIONAL
     39 a.gtld-servers.net.	IN 	A	192.5.6.30
     40 ENTRY_END
     41 
     42 ; for simplicity the root server is authoritative for root-servers.net
     43 ; and also for gtld-servers.net
     44 ENTRY_BEGIN
     45 MATCH opcode qtype qname
     46 ADJUST copy_id
     47 REPLY QR AA NOERROR
     48 SECTION QUESTION
     49 K.ROOT-SERVERS.NET.	IN	A
     50 SECTION ANSWER
     51 K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
     52 ENTRY_END
     53 
     54 ENTRY_BEGIN
     55 MATCH opcode qtype qname
     56 ADJUST copy_id
     57 REPLY QR AA NOERROR
     58 SECTION QUESTION
     59 a.gtld-servers.net.	IN 	A
     60 SECTION ANSWER
     61 a.gtld-servers.net.	IN 	A	192.5.6.30
     62 ENTRY_END
     63 
     64 RANGE_END
     65 
     66 ; a.gtld-servers.net.
     67 RANGE_BEGIN 0 100
     68 	ADDRESS 192.5.6.30
     69 ENTRY_BEGIN
     70 MATCH opcode subdomain
     71 ADJUST copy_id copy_query
     72 REPLY QR NOERROR
     73 SECTION QUESTION
     74 example.com.	IN NS
     75 SECTION AUTHORITY
     76 example.com.	IN NS	ns.example.com.
     77 SECTION ADDITIONAL
     78 ns.example.com.		IN 	A	1.2.3.4
     79 ENTRY_END
     80 
     81 ENTRY_BEGIN
     82 MATCH opcode qtype qname
     83 ADJUST copy_id
     84 REPLY QR NOERROR
     85 SECTION QUESTION
     86 com.	IN NS
     87 SECTION ANSWER
     88 com.	IN NS	a.gtld-servers.net.
     89 SECTION ADDITIONAL
     90 a.gtld-servers.net.	IN 	A	192.5.6.30
     91 ENTRY_END
     92 RANGE_END
     93 
     94 ; ns.example.com.
     95 RANGE_BEGIN 0 100
     96 	ADDRESS 1.2.3.4
     97 ENTRY_BEGIN
     98 MATCH opcode qtype qname
     99 ADJUST copy_id
    100 REPLY QR NOERROR
    101 SECTION QUESTION
    102 www.example.com. IN A
    103 SECTION ANSWER
    104 www.example.com. IN A	10.20.30.40
    105 SECTION AUTHORITY
    106 example.com.	IN NS	ns.example.com.
    107 SECTION ADDITIONAL
    108 ns.example.com.		IN 	A	1.2.3.4
    109 ENTRY_END
    110 
    111 ENTRY_BEGIN
    112 MATCH opcode qtype qname
    113 ADJUST copy_id
    114 REPLY QR NOERROR
    115 SECTION QUESTION
    116 mail.example.com. IN A
    117 SECTION ANSWER
    118 mail.example.com. IN A	10.20.30.50
    119 SECTION AUTHORITY
    120 example.com.	IN NS	ns.example.com.
    121 SECTION ADDITIONAL
    122 ns.example.com.		IN 	A	1.2.3.4
    123 ENTRY_END
    124 
    125 ENTRY_BEGIN
    126 MATCH opcode qtype qname
    127 ADJUST copy_id
    128 REPLY QR AA NOERROR
    129 SECTION QUESTION
    130 example.com. IN NS
    131 SECTION ANSWER
    132 example.com.	IN NS	ns.example.com.
    133 SECTION ADDITIONAL
    134 ns.example.com.		IN 	A	1.2.3.4
    135 ENTRY_END
    136 
    137 ENTRY_BEGIN
    138 MATCH opcode qtype qname
    139 ADJUST copy_id
    140 REPLY QR AA NOERROR
    141 SECTION QUESTION
    142 ns.example.com. IN A
    143 SECTION ANSWER
    144 ns.example.com.		IN 	A	1.2.3.4
    145 SECTION AUTHORITY
    146 example.com.	IN NS	ns.example.com.
    147 ENTRY_END
    148 
    149 ; answer to the spoofed query, i.e. the spoofed reply's answer.
    150 ; for simplicity it is served from the legitimate nameserver here.
    151 ENTRY_BEGIN
    152 MATCH opcode qtype qname
    153 ADJUST copy_id
    154 REPLY QR NOERROR
    155 SECTION QUESTION
    156 bad123.example.com. IN A
    157 SECTION ANSWER
    158 bad123.example.com. IN A	6.6.6.6
    159 SECTION AUTHORITY
    160 ; evil NS set: a non-authoritative (no AA) answer carrying a forged NS RRset
    160 ; for example.com; the resolver must not let it replace the cached delegation.
    161 example.com.	IN NS	bad123.example.com.
    162 ENTRY_END
    163 
    164 RANGE_END
    165 
    166 ; evil server
    167 RANGE_BEGIN 0 100
    168 	ADDRESS 6.6.6.6
    169 ENTRY_BEGIN
    170 MATCH opcode qtype qname
    171 ADJUST copy_id
    172 REPLY QR NOERROR
    173 SECTION QUESTION
    174 www.example.com. IN A
    175 SECTION ANSWER
    176 www.example.com. IN A	6.6.6.6
    177 SECTION AUTHORITY
    178 example.com.	IN NS	bad123.example.com.
    179 SECTION ADDITIONAL
    180 bad123.example.com. IN A	6.6.6.6
    181 ENTRY_END
    182 
    183 ENTRY_BEGIN
    184 MATCH opcode qtype qname
    185 ADJUST copy_id
    186 REPLY QR NOERROR
    187 SECTION QUESTION
    188 mail.example.com. IN A
    189 SECTION ANSWER
    190 mail.example.com. IN A	6.6.6.6
    191 SECTION AUTHORITY
    192 example.com.	IN NS	bad123.example.com.
    193 SECTION ADDITIONAL
    194 bad123.example.com. IN A	6.6.6.6
    195 ENTRY_END
    196 
    197 ENTRY_BEGIN
    198 MATCH opcode qtype qname
    199 ADJUST copy_id
    200 REPLY QR NOERROR
    201 SECTION QUESTION
    202 bad123.example.com. IN A
    203 SECTION ANSWER
    204 bad123.example.com. IN A	6.6.6.6
    205 SECTION AUTHORITY
    206 ; evil NS set.
    207 example.com.	IN NS	bad123.example.com.
    208 ENTRY_END
    209 RANGE_END
    210 
    211 STEP 1 QUERY
    212 ENTRY_BEGIN
    213 REPLY RD
    214 SECTION QUESTION
    215 www.example.com. IN A
    216 ENTRY_END
    217 
    218 ; recursion happens here.
    219 STEP 10 CHECK_ANSWER
    220 ENTRY_BEGIN
    221 MATCH all
    222 REPLY QR RD RA NOERROR
    223 SECTION QUESTION
    224 www.example.com. IN A
    225 SECTION ANSWER
    226 www.example.com. IN A	10.20.30.40
    227 SECTION AUTHORITY
    228 example.com.	IN NS	ns.example.com.
    229 SECTION ADDITIONAL
    230 ns.example.com.		IN 	A	1.2.3.4
    231 ENTRY_END
    232 
    233 ; spoofed query
    234 STEP 20 QUERY
    235 ENTRY_BEGIN
    236 REPLY RD
    237 SECTION QUESTION
    238 bad123.example.com. IN A
    239 ENTRY_END
    240 
    241 ; recursion happens here.
    242 STEP 30 CHECK_ANSWER
    243 ENTRY_BEGIN
    244 ; no matching here, just accept the answer to the spoofed query.
    245 ; it is wrong, but that is only one query ...
    246 ; this test checks further on that the resolver still has the right nameserver.
    247 ;MATCH all
    248 REPLY QR RD RA NOERROR
    249 SECTION QUESTION
    250 bad123.example.com. IN A
    251 SECTION ANSWER
    252 bad123.example.com. IN A	6.6.6.6
    253 SECTION AUTHORITY
    254 example.com.	IN NS	ns.example.com.
    255 SECTION ADDITIONAL
    256 ns.example.com.		IN 	A	1.2.3.4
    257 ENTRY_END
    258 
    259 ; a new query; STEP 50 checks it is still resolved via ns.example.com, not the spoofed NS.
    260 STEP 40 QUERY
    261 ENTRY_BEGIN
    262 REPLY RD
    263 SECTION QUESTION
    264 mail.example.com. IN A
    265 ENTRY_END
    266 
    267 STEP 50 CHECK_ANSWER
    268 ENTRY_BEGIN
    269 MATCH all
    270 REPLY QR RD RA NOERROR
    271 SECTION QUESTION
    272 mail.example.com. IN A
    273 SECTION ANSWER
    274 mail.example.com. IN A 	10.20.30.50
    275 SECTION AUTHORITY
    276 example.com.	IN NS	ns.example.com.
    277 SECTION ADDITIONAL
    278 ns.example.com.		IN 	A	1.2.3.4
    279 ENTRY_END
    280 
    281 SCENARIO_END