Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-27 16:24:19 -04:00
Code Issues Packages Projects Releases Wiki Activity

plugin/transfer: only allow outgoing axfr over tcp (#4452)

Browse Source 
* plugin/transfer: only allow outgoing axfr over tcp

Return refused when the query comes in over udp.
No need to add a new test case as the current crop needed to be changed
to use TCP.

Fixes: #4450

Signed-off-by: Miek Gieben <miek@miek.nl>

* transfer tests: this needs tcp as well

Signed-off-by: Miek Gieben <miek@miek.nl>
This commit is contained in:
Miek Gieben
2021-02-05 10:51:29 +01:00
committed by GitHub
parent 03812bb1e7
commit 56bc7f399a
5 changed files with 17 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugin/transfer/failed_write_test.go
View File

@@ -20,7 +20,7 @@ func (w *badwriter) WriteMsg(res *dns.Msg) error { return fmt.Errorf("failed to
func TestWriteMessageFailed(t *testing.T) { func TestWriteMessageFailed(t *testing.T) {
transfer := newTestTransfer() transfer := newTestTransfer()
ctx := context.TODO() ctx := context.TODO()
w := &badwriter{ResponseWriter: &test.ResponseWriter{}} w := &badwriter{ResponseWriter: &test.ResponseWriter{TCP: true}}
m := &dns.Msg{} m := &dns.Msg{}
m.SetAxfr("example.org.") m.SetAxfr("example.org.")

2
plugin/transfer/select_test.go
View File

@@ -47,7 +47,7 @@ func TestZoneSelection(t *testing.T) {
} }
r := new(dns.Msg) r := new(dns.Msg)
r.SetAxfr("sub.example.org.") r.SetAxfr("sub.example.org.")
w := dnstest.NewRecorder(&test.ResponseWriter{}) w := dnstest.NewRecorder(&test.ResponseWriter{TCP: true})
_, err := tr.ServeDNS(context.TODO(), w, r) _, err := tr.ServeDNS(context.TODO(), w, r)
if err == nil { if err == nil {
t.Fatal("Expected error, got nil") t.Fatal("Expected error, got nil")

4
plugin/transfer/transfer.go
View File

@@ -58,6 +58,10 @@ func (t *Transfer) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Ms
return plugin.NextOrFailure(t.Name(), t.Next, ctx, w, r) return plugin.NextOrFailure(t.Name(), t.Next, ctx, w, r)
} }
if state.Proto() != "tcp" {
return dns.RcodeRefused, nil
}
x := longestMatch(t.xfrs, state.QName()) x := longestMatch(t.xfrs, state.QName())
if x == nil { if x == nil {
return plugin.NextOrFailure(t.Name(), t.Next, ctx, w, r) return plugin.NextOrFailure(t.Name(), t.Next, ctx, w, r)

14
plugin/transfer/transfer_test.go
View File

@@ -91,7 +91,7 @@ func TestTransferNonZone(t *testing.T) {
ctx := context.TODO() ctx := context.TODO()
for _, tc := range []string{"sub.example.org.", "example.test."} { for _, tc := range []string{"sub.example.org.", "example.test."} {
w := dnstest.NewRecorder(&test.ResponseWriter{}) w := dnstest.NewRecorder(&test.ResponseWriter{TCP: true})
m := &dns.Msg{} m := &dns.Msg{}
m.SetAxfr(tc) m.SetAxfr(tc)
@@ -114,7 +114,7 @@ func TestTransferNotAXFRorIXFR(t *testing.T) {
transfer := newTestTransfer() transfer := newTestTransfer()
ctx := context.TODO() ctx := context.TODO()
w := dnstest.NewRecorder(&test.ResponseWriter{}) w := dnstest.NewRecorder(&test.ResponseWriter{TCP: true})
m := &dns.Msg{} m := &dns.Msg{}
m.SetQuestion("test.domain.", dns.TypeA) m.SetQuestion("test.domain.", dns.TypeA)
@@ -136,7 +136,7 @@ func TestTransferAXFRExampleOrg(t *testing.T) {
transfer := newTestTransfer() transfer := newTestTransfer()
ctx := context.TODO() ctx := context.TODO()
w := dnstest.NewMultiRecorder(&test.ResponseWriter{}) w := dnstest.NewMultiRecorder(&test.ResponseWriter{TCP: true})
m := &dns.Msg{} m := &dns.Msg{}
m.SetAxfr(transfer.xfrs[0].Zones[0]) m.SetAxfr(transfer.xfrs[0].Zones[0])
@@ -152,7 +152,7 @@ func TestTransferAXFRExampleCom(t *testing.T) {
transfer := newTestTransfer() transfer := newTestTransfer()
ctx := context.TODO() ctx := context.TODO()
w := dnstest.NewMultiRecorder(&test.ResponseWriter{}) w := dnstest.NewMultiRecorder(&test.ResponseWriter{TCP: true})
m := &dns.Msg{} m := &dns.Msg{}
m.SetAxfr(transfer.xfrs[1].Zones[0]) m.SetAxfr(transfer.xfrs[1].Zones[0])
@@ -170,7 +170,7 @@ func TestTransferIXFRCurrent(t *testing.T) {
testPlugin := transfer.Transferers[0].(*transfererPlugin) testPlugin := transfer.Transferers[0].(*transfererPlugin)
ctx := context.TODO() ctx := context.TODO()
w := dnstest.NewMultiRecorder(&test.ResponseWriter{}) w := dnstest.NewMultiRecorder(&test.ResponseWriter{TCP: true})
m := &dns.Msg{} m := &dns.Msg{}
m.SetIxfr(transfer.xfrs[0].Zones[0], testPlugin.Serial, "ns.dns."+testPlugin.Zone, "hostmaster.dns."+testPlugin.Zone) m.SetIxfr(transfer.xfrs[0].Zones[0], testPlugin.Serial, "ns.dns."+testPlugin.Zone, "hostmaster.dns."+testPlugin.Zone)
@@ -200,7 +200,7 @@ func TestTransferIXFRFallback(t *testing.T) {
testPlugin := transfer.Transferers[0].(*transfererPlugin) testPlugin := transfer.Transferers[0].(*transfererPlugin)
ctx := context.TODO() ctx := context.TODO()
w := dnstest.NewMultiRecorder(&test.ResponseWriter{}) w := dnstest.NewMultiRecorder(&test.ResponseWriter{TCP: true})
m := &dns.Msg{} m := &dns.Msg{}
m.SetIxfr( m.SetIxfr(
transfer.xfrs[0].Zones[0], transfer.xfrs[0].Zones[0],
@@ -262,7 +262,7 @@ func TestTransferNotAllowed(t *testing.T) {
} }
ctx := context.TODO() ctx := context.TODO()
w := dnstest.NewRecorder(&test.ResponseWriter{}) w := dnstest.NewRecorder(&test.ResponseWriter{TCP: true})
m := &dns.Msg{} m := &dns.Msg{}
m.SetAxfr(transfer.xfrs[0].Zones[0]) m.SetAxfr(transfer.xfrs[0].Zones[0])

6
test/secondary_test.go
View File

@@ -100,7 +100,7 @@ func TestIxfrResponse(t *testing.T) {
} }
}` }`
i, udp, _, err := CoreDNSServerAndPorts(corefile) i, _, tcp, err := CoreDNSServerAndPorts(corefile)
if err != nil { if err != nil {
t.Fatalf("Could not get CoreDNS serving instance: %s", err) t.Fatalf("Could not get CoreDNS serving instance: %s", err)
} }
@@ -111,9 +111,11 @@ func TestIxfrResponse(t *testing.T) {
m.Ns = []dns.RR{test.SOA("example.org. IN SOA sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600")} // copied from exampleOrg m.Ns = []dns.RR{test.SOA("example.org. IN SOA sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600")} // copied from exampleOrg
var r *dns.Msg var r *dns.Msg
c := new(dns.Client)
c.Net = "tcp"
// This is now async; we need to wait for it to be transferred. // This is now async; we need to wait for it to be transferred.
for i := 0; i < 10; i++ { for i := 0; i < 10; i++ {
r, _ = dns.Exchange(m, udp) r, _, _ = c.Exchange(m, tcp)
if len(r.Answer) != 0 { if len(r.Answer) != 0 {
break break
} }