upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-03-02 05:20:33 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fixed rebinding protection bug when using forwarder setups

Browse source 
BIND wasn't honoring option "deny-answer-aliases" when configured to
forward queries.

Before the fix it was possible for nameservers listed in "forwarders"
option to return CNAME answers pointing to unrelated domains of the
original query, which could be used as a vector for rebinding attacks.

The fix ensures that BIND apply filters even if configured as a forwarder
instance.

(cherry picked from commit af6a4de3d5ad6c1967173facf366e6c86b3ffc28)
This commit is contained in:
Diego Fronza 2020-02-13 20:17:13 -03:00 committed by Ondřej Surý
parent e12ea4f4db
commit bba353d512
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
lib/dns/resolver.c
View file

@ -7115,8 +7115,13 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
/*
* If the target name is a subdomain of the search domain, allow it.
*
* Note that if BIND is configured as a forwarding DNS server, the
* search domain will always match the root domain ("."), so we
* must also check whether forwarding is enabled so that filters
* can be applied; see GL #1574.
*/
if (dns_name_issubdomain(tname, &fctx->domain)) {
if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) {
return (true);
}