From cf7b0de1eb98df64573002ada3d604a1beac2662 Mon Sep 17 00:00:00 2001 From: Diego Fronza Date: Thu, 13 Feb 2020 20:17:13 -0300 Subject: [PATCH] Fixed rebinding protection bug when using forwarder setups BIND wasn't honoring option "deny-answer-aliases" when configured to forward queries. Before the fix it was possible for nameservers listed in "forwarders" option to return CNAME answers pointing to unrelated domains of the original query, which could be used as a vector for rebinding attacks. The fix ensures that BIND apply filters even if configured as a forwarder instance. (cherry picked from commit af6a4de3d5ad6c1967173facf366e6c86b3ffc28) --- lib/dns/resolver.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 51bc368bf6..645a3e12cb 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -7115,8 +7115,13 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, /* * If the target name is a subdomain of the search domain, allow it. + * + * Note that if BIND is configured as a forwarding DNS server, the + * search domain will always match the root domain ("."), so we + * must also check whether forwarding is enabled so that filters + * can be applied; see GL #1574. */ - if (dns_name_issubdomain(tname, &fctx->domain)) { + if (!fctx->forwarding && dns_name_issubdomain(tname, &fctx->domain)) { return (true); }