system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-22 10:48:02 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
freebsd-src/contrib/unbound/testdata/rpz_nsip_override.rpl
Cy Schubert 335c7cda12 unbound: Vendor import 1.20.0 
Release notes at
	https://www.nlnetlabs.nl/news/2024/May/08/unbound-1.20.0-released/

Security:	The DNSBomb vulnerability CVE-2024-33655

Merge commit 'c2a80056864d6eda0398fd127dc0ae515b39752b' into main
2024-05-10 14:23:43 -07:00

333 lines
6.2 KiB
Plaintext
Raw Blame History

; config options
server:
module-config: "respip validator iterator"
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: no
access-control: 192.0.0.0/8 allow
rpz:
name: "rpz.example.com."
rpz-log: yes
rpz-log-name: "rpz.example.com"
rpz-action-override: "nxdomain"
zonefile:
TEMPFILE_NAME rpz.example.com
TEMPFILE_CONTENTS rpz.example.com
$ORIGIN example.com.
rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
1379078166 28800 7200 604800 7200 )
3600 IN NS ns1.rpz.example.com.
3600 IN NS ns2.rpz.example.com.
$ORIGIN rpz.example.com.
; ns1.gotham.a
32.41.30.20.10.rpz-nsip A 1.2.3.5
TEMPFILE_END
rpz:
name: "rpz2.example.com."
rpz-log: yes
rpz-log-name: "rpz2.example.com"
rpz-action-override: "nodata"
zonefile:
TEMPFILE_NAME rpz2.example.com
TEMPFILE_CONTENTS rpz2.example.com
$ORIGIN example.com.
rpz2 3600 IN SOA ns1.rpz2.example.com. hostmaster.rpz2.example.com. (
1379078166 28800 7200 604800 7200 )
3600 IN NS ns1.rpz2.example.com.
3600 IN NS ns2.rpz2.example.com.
$ORIGIN rpz2.example.com.
; ns1.gotham2.a
32.42.30.20.10.rpz-nsip A 1.2.3.5
TEMPFILE_END
rpz:
name: "rpz3.example.com."
rpz-log: yes
rpz-log-name: "rpz3.example.com"
rpz-action-override: "passthru"
zonefile:
TEMPFILE_NAME rpz3.example.com
TEMPFILE_CONTENTS rpz3.example.com
$ORIGIN example.com.
rpz3 3600 IN SOA ns1.rpz3.example.com. hostmaster.rpz3.example.com. (
1379078166 28800 7200 604800 7200 )
3600 IN NS ns1.rpz3.example.com.
3600 IN NS ns2.rpz3.example.com.
$ORIGIN rpz3.example.com.
; ns1.gotham3.a
32.43.30.20.10.rpz-nsip A 1.2.3.5
TEMPFILE_END
rpz:
name: "rpz4.example.com."
rpz-log: yes
rpz-log-name: "rpz4.example.com"
rpz-action-override: "drop"
zonefile:
TEMPFILE_NAME rpz4.example.com
TEMPFILE_CONTENTS rpz4.example.com
$ORIGIN example.com.
rpz4 3600 IN SOA ns1.rpz4.example.com. hostmaster.rpz4.example.com. (
1379078166 28800 7200 604800 7200 )
3600 IN NS ns1.rpz4.example.com.
3600 IN NS ns2.rpz4.example.com.
$ORIGIN rpz4.example.com.
; ns1.gotham3.a
32.43.30.20.10.rpz-nsip A 1.2.3.5
; ns1.gotham4.a
32.44.30.20.10.rpz-nsip A 1.2.3.5
TEMPFILE_END
rpz:
name: "rpz5.example.com."
rpz-log: yes
rpz-log-name: "rpz5.example.com"
rpz-action-override: "cname"
rpz-cname-override: "target.a"
zonefile:
TEMPFILE_NAME rpz5.example.com
TEMPFILE_CONTENTS rpz5.example.com
$ORIGIN example.com.
rpz5 3600 IN SOA ns1.rpz5.example.com. hostmaster.rpz5.example.com. (
1379078166 28800 7200 604800 7200 )
3600 IN NS ns1.rpz5.example.com.
3600 IN NS ns2.rpz5.example.com.
$ORIGIN rpz5.example.com.
; ns1.gotham5.a
32.45.30.20.10.rpz-nsip A 1.2.3.5
TEMPFILE_END
rpz:
name: "rpz6.example.com."
rpz-log: yes
rpz-log-name: "rpz6.example.com"
rpz-action-override: "disabled"
zonefile:
TEMPFILE_NAME rpz6.example.com
TEMPFILE_CONTENTS rpz6.example.com
$ORIGIN example.com.
rpz6 3600 IN SOA ns1.rpz6.example.com. hostmaster.rpz6.example.com. (
1379078166 28800 7200 604800 7200 )
3600 IN NS ns1.rpz6.example.com.
3600 IN NS ns2.rpz6.example.com.
$ORIGIN rpz6.example.com.
; ns1.gotham6.a
32.46.30.20.10.rpz-nsip A 1.2.3.5
TEMPFILE_END
stub-zone:
name: "a."
stub-addr: 10.20.30.40
CONFIG_END
SCENARIO_BEGIN Test RPZ action override with trigger from nsip.
; a.
RANGE_BEGIN 0 1000
ADDRESS 10.20.30.40
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham.a. IN A
SECTION AUTHORITY
gotham.a. NS ns1.gotham.a.
SECTION ADDITIONAL
ns1.gotham.a. A 10.20.30.41
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham2.a. IN A
SECTION AUTHORITY
gotham2.a. NS ns1.gotham2.a.
SECTION ADDITIONAL
ns1.gotham2.a. A 10.20.30.42
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham3.a. IN A
SECTION AUTHORITY
gotham3.a. NS ns1.gotham3.a.
SECTION ADDITIONAL
ns1.gotham3.a. A 10.20.30.43
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham4.a. IN A
SECTION AUTHORITY
gotham4.a. NS ns1.gotham4.a.
SECTION ADDITIONAL
ns1.gotham4.a. A 10.20.30.44
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham5.a. IN A
SECTION AUTHORITY
gotham5.a. NS ns1.gotham5.a.
SECTION ADDITIONAL
ns1.gotham5.a. A 10.20.30.45
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham6.a. IN A
SECTION AUTHORITY
gotham6.a. NS ns1.gotham6.a.
SECTION ADDITIONAL
ns1.gotham6.a. A 10.20.30.46
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
target.a. IN A
SECTION ANSWER
target.a. IN A 1.2.3.6
ENTRY_END
RANGE_END
; gotham3.a.
RANGE_BEGIN 0 1000
ADDRESS 10.20.30.43
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham3.a. IN A
SECTION ANSWER
www.gotham3.a. A 1.2.3.4
ENTRY_END
RANGE_END
; gotham6.a.
RANGE_BEGIN 0 1000
ADDRESS 10.20.30.46
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.gotham6.a. IN A
SECTION ANSWER
www.gotham6.a. A 1.2.3.4
ENTRY_END
RANGE_END
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham.a. IN A
ENTRY_END
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NXDOMAIN
SECTION QUESTION
www.gotham.a. IN A
SECTION ANSWER
ENTRY_END
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham2.a. IN A
ENTRY_END
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
www.gotham2.a. IN A
SECTION ANSWER
ENTRY_END
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham3.a. IN A
ENTRY_END
STEP 31 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.gotham3.a. IN A
SECTION ANSWER
www.gotham3.a. A 1.2.3.4
ENTRY_END
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham4.a. IN A
ENTRY_END
;dropped
STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham5.a. IN A
ENTRY_END
STEP 51 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.gotham5.a. IN A
SECTION ANSWER
www.gotham5.a. CNAME target.a
target.a A 1.2.3.6
ENTRY_END
STEP 60 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.gotham6.a. IN A
ENTRY_END
STEP 61 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.gotham6.a. IN A
SECTION ANSWER
www.gotham6.a. A 1.2.3.4
ENTRY_END
SCENARIO_END
Reference in a new issue View git blame Copy permalink