Diffstat (limited to 'bin/tests/system/forward/tests.sh')
-rw-r--r--bin/tests/system/forward/tests.sh121
1 files changed, 121 insertions, 0 deletions
diff --git a/bin/tests/system/forward/tests.sh b/bin/tests/system/forward/tests.sh
index fc3822cf..4361ab25 100644
--- a/bin/tests/system/forward/tests.sh
+++ b/bin/tests/system/forward/tests.sh
@@ -229,6 +229,127 @@ grep "status: SERVFAIL" dig.out.$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status+ret))
+#
+# Check various spoofed response scenarios. The same tests will be
+# run twice, with "forward first" and "forward only" configurations.
+#
+run_spooftests () {
+ n=$((n+1))
+ echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+ ret=0
+ # prime
+ dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+ # check 'net' is not poisoned.
+ dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+ grep '^diditwork\.net\..*TXT.*"recursed"' dig.out.$n.net > /dev/null || ret=1
+ # check 'sub.local.net' is not poisoned.
+ dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+ grep '^sub\.local\.net\..*TXT.*"recursed"' dig.out.$n.sub > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+ ret=0
+ # prime
+ dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+ # check that net2/DNAME is not cached
+ dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+ grep "ANSWER: 0," dig.out.$n.net2 > /dev/null || ret=1
+ grep "status: NXDOMAIN" dig.out.$n.net2 > /dev/null || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "checking spoofed response scenario 3 - extra answer ($n)"
+ ret=0
+ # prime
+ dig_with_opts @10.53.0.9 attackSecureDomain.net3 > dig.out.$n.prime || ret=1
+ # check extra net3 records are not cached
+ rndccmd 10.53.0.9 dumpdb -cache 2>&1 | sed 's/^/ns9 /' | cat_i
+ for try in 1 2 3 4 5; do
+ lines=$(grep "net3" ns9/named_dump.db | wc -l)
+ if [ ${lines} -eq 0 ]; then
+ sleep 1
+ continue
+ fi
+ [ ${lines} -eq 1 ] || ret=1
+ grep -q '^attackSecureDomain.net3' ns9/named_dump.db || ret=1
+ grep -q '^local.net3' ns9/named_dump.db && ret=1
+ done
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+}
+
+echo_i "checking spoofed response scenarios with forward first zones"
+run_spooftests
+
+copy_setports ns9/named2.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+echo_i "rechecking spoofed response scenarios with forward only zones"
+run_spooftests
+
+#
+# This scenario expects the spoofed response to succeed. The tests are
+# similar to the ones above, but not identical.
+#
+echo_i "rechecking spoofed response scenarios with 'forward only' set globally"
+copy_setports ns9/named3.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 1 - out of bailiwick NS ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net > dig.out.$n.prime || ret=1
+# check 'net' is poisoned.
+dig_with_opts @10.53.0.9 diditwork.net. TXT > dig.out.$n.net || ret=1
+grep '^didItWork\.net\..*TXT.*"if you can see this record the attack worked"' dig.out.$n.net > /dev/null || ret=1
+# check 'sub.local.net' is poisoned.
+dig_with_opts @10.53.0.9 sub.local.net TXT > dig.out.$n.sub || ret=1
+grep '^sub\.local\.net\..*TXT.*"if you see this attacker overrode local delegation"' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "checking spoofed response scenario 2 - inject DNAME/net2. ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 attackSecureDomain.net2 > dig.out.$n.prime || ret=1
+# check that net2/DNAME is cached
+dig_with_opts @10.53.0.9 net2. DNAME > dig.out.$n.net2 || ret=1
+grep "ANSWER: 1," dig.out.$n.net2 > /dev/null || ret=1
+grep "net2\..*IN.DNAME.net\.example\.lll\." dig.out.$n.net2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
+#
+# This test doesn't use any forwarder clauses but is here because it
+# is similar to forwarders, as the set of servers that can populate
+# the namespace is defined by the zone content.
+#
+echo_i "rechecking spoofed response scenarios glue below local zone"
+copy_setports ns9/named4.conf.in ns9/named.conf
+rndccmd 10.53.0.9 reconfig 2>&1 | sed 's/^/ns3 /' | cat_i
+rndccmd 10.53.0.9 flush 2>&1 | sed 's/^/ns3 /' | cat_i
+sleep 1
+
+n=$((n+1))
+echo_i "checking sibling glue below zone ($n)"
+ret=0
+# prime
+dig_with_opts @10.53.0.9 sibling.tld > dig.out.$n.prime || ret=1
+# check for glue A record for sub.local.tld is not used
+dig_with_opts @10.53.0.9 sub.local.tld TXT > dig.out.$n.sub || ret=1
+grep "ANSWER: 1," dig.out.$n.sub > /dev/null || ret=1
+grep 'sub\.local\.tld\..*IN.TXT."good"$' dig.out.$n.sub > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
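Review bot: The retry loop `for try in 1 2 3 4 5` in run_spooftests (scenario 3) passes vacuously when ns9/named_dump.db never shows a net3 entry: each iteration takes the `sleep 1; continue` path, ret stays 0, and a missing or stale dump is reported as success. Set ret=1 after the loop when no line was ever seen, and break once the dump has actually been checked rather than re-running the greps on every remaining iteration; the unescaped dots in `'^attackSecureDomain.net3'` and `'^local.net3'` can be escaped at the same time so they match the literal names. Separately, the rndccmd calls to 10.53.0.9 after the function and in the two later reconfig/flush blocks tag their output with `sed 's/^/ns3 /'`, which mislabels the server in the log; `ns9`, as already used for the dumpdb call, would be consistent. The hunk is bounded by context on both sides, so the whole of run_spooftests is visible.
```shell
  for try in 1 2 3 4 5; do
    lines=$(grep "net3" ns9/named_dump.db | wc -l)
    if [ "${lines}" -eq 0 ]; then
      sleep 1
      continue
    fi
    [ "${lines}" -eq 1 ] || ret=1
    grep -q '^attackSecureDomain\.net3' ns9/named_dump.db || ret=1
    grep -q '^local\.net3' ns9/named_dump.db && ret=1
    break
  done
  # the dump never contained a net3 entry: fail instead of passing by default
  [ "${lines}" -ne 0 ] || ret=1
  # … unchanged: failure report and status accumulation …
```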