Bind 8.4.1 patch for blocking Verisign's new wildcard DNS record

Scot W. Hetzel bind-users at westbend.net
Fri Sep 19 03:14:52 UTC 2003


I have created a patch that applies to both bind 8.3.6 and bind 8.4.1, that
will return NXDOMAIN for more than just .net and .com domains.

This patch is based on the patches submitted by Braun and Church.  The change
is to keep an array of TLD entries, each holding an IP address, and to check
whether the A record in an answer matches one of the addresses in that array.

To use this patch, you need to choose which TLDs' wildcard records you want to
block, by adding the appropriate defines to CFLAGS, for example:

	CFLAGS=-DVERISIGN_TLD -DALL_TLD

 - VERISIGN_TLD adds the com and net wildcard TLDs to the list
 - ALL_TLD [1] adds the remaining wildcard TLDs to the list, except .museum
     NOTE: If you don't want all TLDs enabled, you may enable them individually;
           grep _TLD ns_resp.c to see all the *_TLD macros that can be defined.
 - MUSEUM_TLD adds museum TLD to the list

You can add additional wildcard TLDs to the list by editing ns_resp.c and
adding the new wildcard TLD, with its address, to the ip_to_kill table.

Bugs/TODO:
  Doesn't distinguish between TLDs that share the same wildcard IP address (.net and .com),
  and will also match that address when it appears in an answer for a name outside either TLD
    - needs a check that the answer's owner name ends in ip_to_kill[i].TLD.
  Hardcodes the IP addresses of the wildcard TLDs
  Unable to add additional TLDs via named.conf

Scot

Index: named.h
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/named.h,v
retrieving revision 1.1.1.2.2.4
diff -u -r1.1.1.2.2.4 named.h
--- named.h	15 May 2002 19:51:21 -0000	1.1.1.2.2.4
+++ named.h	17 Sep 2003 05:09:05 -0000
@@ -65,3 +65,8 @@
 
 #include "ns_func.h"
 #include "db_func.h"
+
+struct ip_to_kill_s {
+    char *TLD;
+    char ip[4];
+};
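Review bot: `ip` is declared as `char ip[4]`, but the table that fills it in ns_resp.c uses octets above 127 (195, 216, 219, ...); on a platform where `char` is signed, storing those values is an implementation-defined narrowing, and the later byte-wise memcmp against raw RDATA reads more clearly with an unsigned byte type. `TLD` only ever points at string literals, so it can be const. I would declare the two members as `const char *TLD;` and `unsigned char ip[4];`.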
Index: ns_resp.c
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_resp.c,v
retrieving revision 1.1.1.2.2.10
diff -u -r1.1.1.2.2.10 ns_resp.c
--- ns_resp.c	25 Aug 2003 21:07:49 -0000	1.1.1.2.2.10
+++ ns_resp.c	19 Sep 2003 01:20:32 -0000
@@ -151,6 +151,126 @@
 			danglingCname[] =	"dangling CNAME pointer",
 			nonRecursiveForwarder[]= "non-recursive forwarder";
 
+/* VERISIGN_TLD enables checking for wildcard TLDs in .com and .net zone */
+#ifdef VERISIGN_TLD
+#define NET_TLD
+#define COM_TLD
+#endif
+
+/* ALL_TLD enables checking the remaining wildcard TLDs except .museum */
+#ifdef ALL_TLD
+#define AC_TLD
+#define BIZ_TLD
+#define BZ_TLD
+#define CC_TLD
+#define CN_TLD
+#define CX_TLD
+#define IO_TLD
+#define MP_TLD
+#define NU_TLD
+#define PH_TLD
+#define PW_TLD
+#define SH_TLD
+#define TD_TLD
+#define TK_TLD
+#define TM_TLD
+#define TV_TLD
+#define TW_TLD
+#define US_TLD
+#define WS_TLD
+#endif
+
+/* These TLDs are currenlty not using wildcard TLDs */
+#undef BIZ_TLD
+#undef IO_TLD
+#undef TV_TLD
+#undef US_TLD
+
+struct ip_to_kill_s ip_to_kill[] = {
+	/*
+	 * Verisign wildcard TLDs
+	 */
+#ifdef NET_TLD
+	{"net",		{64,94,110,11}		},
+#endif
+#ifdef COM_TLD
+	{"com",		{64,94,110,11}		},
+#endif
+	/*
+	 * Museum wildcard TLD
+	 *
+	 * Used by .museum to provide an error page with
+	 * a link to an index of all .museum domains.
+	 */
+#ifdef MUSEUM_TLD
+	{"museum",	{195,7,77,20}		},
+#endif
+	/*
+	 * The rest of the wildcard TLDs
+	 */
+#ifdef AC_TLD
+	{"ac",		{194,205,62,122}	},
+#endif
+#ifdef BIZ_TLD
+	{"biz",		{0,0,0,0}		},
+#endif
+#ifdef BZ_TLD
+	{"bz",		{216,220,34,101}	},
+#endif
+#ifdef CC_TLD
+	{"cc",		{206,253,214,102}	},
+#endif
+#ifdef CN_TLD
+	{"cn",		{159,226,7,162}		},
+#endif
+#ifdef CX_TLD
+	{"cx",		{219,88,106,80}		},
+#endif
+#ifdef IO_TLD
+	{"io",		{0,0,0,0}		},
+#endif
+#ifdef MP_TLD
+	{"mp",		{202,128,12,163}	},
+#endif
+#ifdef NU_TLD
+	{"nu",		{212,181,91,6}		},
+	{"nu",		{64,55,105,9}		},
+#endif
+#ifdef PH_TLD
+	{"ph",		{203,119,4,6}		},
+#endif
+#ifdef PW_TLD /* uses a wildcard CNAME record to wfb.dnsvr.com */
+	{"pw",		{216,98,141,250}	},
+	{"pw",		{65,125,231,178}	},
+#endif
+#ifdef SH_TLD
+	{"sh",		{194,205,62,62}		},
+#endif
+#ifdef TD_TLD /* uses a wildcard CNAME record to www.nic.td */
+	{"td",		{146,101,245,154}	},
+#endif
+#ifdef TK_TLD
+	{"tk",		{195,20,32,83}		},
+	{"tk",		{195,20,32,86}		},
+#endif
+#ifdef TM_TLD
+	{"tm",		{194,205,62,42}		},
+#endif
+#ifdef TV_TLD
+	{"tv",		{0,0,0,0}		},
+#endif
+#ifdef TW_TLD
+	{"tw",		{203,73,24,11}		},
+#endif
+#ifdef US_TLD
+	{"us",		{0,0,0,0}		},
+#endif
+#ifdef WS_TLD
+	{"ws",		{216,35,187,246}	},
+#endif
+	{NULL, 		{0,0,0,0}		}
+}; 
+
 struct db_list {
 	struct db_list *db_next;
 	struct databuf *db_dp;
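Review bot: `ip_to_kill` is a writable, externally visible global although nothing in the patch modifies it after initialization; declare it `static const struct ip_to_kill_s ip_to_kill[] = {` so a stray write cannot change what the resolver blocks. The `{0,0,0,0}` placeholder rows for .biz, .io, .tv and .us are dead today because the unconditional `#undef`s above the table switch those macros off, but if someone re-enables one without filling in an address, every answer containing a 0.0.0.0 A record would be rewritten to NXDOMAIN; drop the placeholders or have the matcher skip all-zero entries. Note that those `#undef`s also silently override a `-DBIZ_TLD` (etc.) passed on CFLAGS, which the accompanying text does not say. The hard-coded addresses are already in the TODO; a comment recording the date they were observed would tell a maintainer when to re-verify them.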
@@ -298,6 +418,7 @@
 	DST_KEY *key;
 	int expect_cname;
 	int pass = 0;
+	int wasCaught = 0;
 
 	nameserIncr(from.sin_addr, nssRcvdR);
 	nsp[0] = NULL;
@@ -955,6 +1076,31 @@
 		type = dp->d_type;
 		if (i < ancount) {
 			/* Answer section. */
+			/* HACK to kill stupidity of Verisign and other TLDs.
+			 *   -- achurch at achurch.org
+			 *   -- vvarm at hotmail.com 
+			 *   -- hetzelsw at westbend.net
+			 */
+			if (type == ns_t_a ) {
+				struct ip_to_kill_s *v;
+				for (v = ip_to_kill; v->TLD && (validanswer != 0); v++) {
+					if (memcmp(dp->d_data, v->ip, 4) == 0) {
+						ns_info(ns_log_resp_checks,
+					     "bad referral (%s wild card) (%s !< %s) from %s",
+							   v->TLD,
+							   name[0] ? name : ".",
+							   qp->q_domain[0] ?
+							   qp->q_domain : ".",
+							   sin_ntoa(from));
+
+						db_detach(&dp);
+						wasCaught = 1;
+						break;
+					}
+				}
+				if (wasCaught == 1)
+					break;
+			}
 			/*
 			 * Check for attempts to overflow the buffer in
 			 * getnameanswer.
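Review bot: The match at `memcmp(dp->d_data, v->ip, 4)` compares only the A RDATA against the table and never looks at the RR's owner name, so any answer carrying one of the listed addresses — a name in an unlisted TLD, or the wildcard operator's own hostnames — turns the whole query into an NXDOMAIN; the TODO mentions the .com/.net ambiguity, but the effect is broader than that. `name` is already used as the owner in the ns_info call on the same lines, so a suffix test of it against `v->TLD` before the memcmp is enough (assuming, as the `name[0] ? name : "."` idiom suggests, that it carries no trailing dot). If `struct databuf` exposes the RDATA length (`d_size`, I believe), checking it equals 4 before the memcmp would also keep the comparison from reading past a short record. The enclosing function starts and ends outside this hunk.

```c
			if (type == ns_t_a ) {
				struct ip_to_kill_s *v;
				size_t nlen = strlen(name);
				for (v = ip_to_kill; v->TLD && (validanswer != 0); v++) {
					size_t tlen = strlen(v->TLD);
					/* Only consider RRs whose owner is <TLD> or *.<TLD>. */
					if (nlen < tlen ||
					    strcasecmp(name + nlen - tlen, v->TLD) != 0 ||
					    (nlen > tlen && name[nlen - tlen - 1] != '.'))
						continue;
					if (memcmp(dp->d_data, v->ip, 4) == 0) {
						/* ... unchanged: ns_info, db_detach, wasCaught = 1, break ... */
					}
				}
				/* ... unchanged: if (wasCaught == 1) break; ... */
			}
```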
@@ -1213,6 +1359,47 @@
 				 "resp: leaving NO: auth = %d", hp->aa);
 			goto return_msg;
 		}
+	}
+
+	if (wasCaught == 1) {
+		count = 0;
+		cname = 0;
+		founddata = 0;
+		dname = name;
+		newmsglen = MIN(EDNS_MESSAGE_SZ, msglen);
+		memcpy(newmsg, msg, newmsglen);
+		hp = (HEADER *) newmsg;
+		hp->qdcount = htons(1);
+		hp->ancount = htons(0);
+		hp->nscount = htons(0);
+		hp->arcount = htons(0);
+		hp->rcode = NXDOMAIN;
+		dnptrs[0] = newmsg;
+		dnptrs[1] = NULL;
+		cp = newmsg + HFIXEDSZ;
+		n = dn_expand(newmsg, newmsg + newmsglen, cp, dname, sizeof name);
+		if (n < 0) {
+			ns_debug(ns_log_default, 1, "dn_expand failed");
+			goto servfail;
+		}
+		if (!res_dnok(dname)) {
+			ns_debug(ns_log_default, 1, "bad name (%s)", dname);
+			goto servfail;
+		}
+		cp += n + QFIXEDSZ;
+		buflen = (qp->q_stream != NULL) ? NS_MAXMSG : MIN(EDNS_MESSAGE_SZ, qp->q_udpsize);
+		buflen -= (cp - newmsg);
+		/*
+		 * Reserve space for TSIG / EDNS
+		 */
+		if (qp->q_tsig != NULL)
+			buflen -=  qp->q_tsig->tsig_size;
+		if ((qp->q_flags & Q_EDNS) != 0)
+			buflen -= 11;
+		if (!NS_OPTION_P(OPTION_NONAUTH_NXDOMAIN))
+			hp->aa = 1;
+		ns_debug(ns_log_default, 3, "resp: NXDOMAIN aa = %d", hp->aa);
+		goto return_newmsg;
 	}
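Review bot: The synthesized reply sets `hp->nscount = htons(0)`, so it carries no SOA in the authority section; per RFC 2308 a downstream cache then has nothing to derive a negative TTL from and will keep re-asking, so this NXDOMAIN behaves differently from a genuine one. Together with `hp->aa = 1` (unless OPTION_NONAUTH_NXDOMAIN is set) the server asserts authority for an answer it fabricated; I would add a comment at the `if (!NS_OPTION_P(OPTION_NONAUTH_NXDOMAIN))` line saying this mirrors the normal NXDOMAIN path deliberately, or leave aa clear on this path. Also, `memcpy(newmsg, msg, newmsglen)` copies the entire upstream reply, including any OPT or TSIG records the upstream appended, while only the header counts are zeroed; that is harmless only if return_newmsg sends just `cp - newmsg` bytes, which is outside this hunk and worth confirming. The enclosing function continues outside the hunk on both sides.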
 
 	/*

