From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 27 Jul 2016 21:03:20 +0000 (+0200)
Subject: RPZ: Tests for wantsRPZ override, NSDNAME and NSIP
X-Git-Tag: rec-4.0.2~1^2~18
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3ad914028a93a0282fbfd9dbfd1e8703162bea1a;p=pdns

RPZ: Tests for wantsRPZ override, NSDNAME and NSIP
---

diff --git a/regression-tests.recursor/RPZ-Lua/command b/regression-tests.recursor/RPZ-Lua/command
index 006830e1e..7e77975e6 100755
--- a/regression-tests.recursor/RPZ-Lua/command
+++ b/regression-tests.recursor/RPZ-Lua/command
@@ -1 +1,2 @@
 $SDIG $nameserver 5301 www3.example.net a recurse 2>&1
+$SDIG $nameserver 5301 android.marvin.example.net a recurse 2>&1
diff --git a/regression-tests.recursor/RPZ-Lua/expected_result b/regression-tests.recursor/RPZ-Lua/expected_result
index b3c2cf61e..f43f16db5 100644
--- a/regression-tests.recursor/RPZ-Lua/expected_result
+++ b/regression-tests.recursor/RPZ-Lua/expected_result
@@ -1,3 +1,6 @@
 Reply to question for qname='www3.example.net.', qtype=A
 Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
 0	www3.example.net.	IN	CNAME	0	www2.example.net.
+Reply to question for qname='android.marvin.example.net.', qtype=A
+Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+0	android.marvin.example.net.	IN	A	15	192.0.2.5
diff --git a/regression-tests.recursor/RPZ/command b/regression-tests.recursor/RPZ/command
index 482bae86f..783f62e3f 100755
--- a/regression-tests.recursor/RPZ/command
+++ b/regression-tests.recursor/RPZ/command
@@ -12,3 +12,7 @@ echo "==> trillian.example.net NXDOMAIN"
 $SDIG $nameserver 5301 trillian.example.net a recurse 2>&1
 echo "==> www.trillian.example.net has no RPZ policy attached, so lookup should succeed"
 $SDIG $nameserver 5301 www.trillian.example.net a recurse 2>&1
+echo "==> www.hijackme.example.net is served on ns.hijackme.example.net, which should be NXDOMAIN"
+$SDIG $nameserver 5301 www.hijackme.example.net a recurse 2>&1
+echo "==> host.lowercase-outgoing.example.net is served on ns.lowercase-outgoing.example.net, blocked by NS IP rule"
+$SDIG $nameserver 5301 host.lowercase-outgoing.example.net a recurse 2>&1
diff --git a/regression-tests.recursor/RPZ/expected_result b/regression-tests.recursor/RPZ/expected_result
index 7af91de77..3039bf8d0 100644
--- a/regression-tests.recursor/RPZ/expected_result
+++ b/regression-tests.recursor/RPZ/expected_result
@@ -21,3 +21,9 @@ Reply to question for qname='www.trillian.example.net.', qtype=A
 Rcode: 0 (No Error), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
 0	www.trillian.example.net.	IN	CNAME	15	www2.arthur.example.net.
 0	www2.arthur.example.net.	IN	A	15	192.0.2.6
+==> www.hijackme.example.net is served on ns.hijackme.example.net, which should be NXDOMAIN
+Reply to question for qname='www.hijackme.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+==> host.lowercase-outgoing.example.net is served on ns.lowercase-outgoing.example.net, blocked by NS IP rule
+Reply to question for qname='host.lowercase-outgoing.example.net.', qtype=A
+Rcode: 3 (Non-Existent domain), RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
diff --git a/regression-tests.recursor/config.sh b/regression-tests.recursor/config.sh
index e510533bc..a8fcc249a 100755
--- a/regression-tests.recursor/config.sh
+++ b/regression-tests.recursor/config.sh
@@ -552,6 +552,8 @@ cat > recursor-service3/config.lua <<EOF
 rpzFile("$(pwd)/recursor-service3/rpz.zone", {policyName="myRPZ"})
 EOF
 
+IFS=. read REV_PREFIX1 REV_PREFIX2 REV_PREFIX3 <<< $(echo $PREFIX) # This will bite us in the ass if we ever test on IPv6
+
 cat > recursor-service3/rpz.zone <<EOF
 \$TTL 2h;
 \$ORIGIN domain.example.
@@ -566,10 +568,18 @@ www3.example.net       CNAME www4.example.net.   ; Local-Data Action (to be chan
 trillian.example.net   CNAME .                   ; NXDOMAIN on apex, allows all sub-names (#4086)
 
 32.4.2.0.192.rpz-ip    CNAME rpz-drop.           ; www4.example.net resolves to 192.0.2.4, drop A responses with that IP
+
+ns.hijackme.example.net.rpz-nsdname CNAME .      ; NXDOMAIN for anything hosted on ns.hijackme.example.net
+ns.marvin.example.net.rpz-nsdname CNAME .        ; NXDOMAIN for anything hosted on ns.marvin.example.net (we disable RPZ in preresolve though)
+32.24.$REV_PREFIX3.$REV_PREFIX2.$REV_PREFIX1.rpz-nsip CNAME . ; The IP for ns.lowercase-outgoing.example.net, should yield NXDOMAIN
+
 EOF
 
 cat > recursor-service3/script.lua <<EOF
 function preresolve(dq)
+  if dq.qname:equal("android.marvin.example.net") then
+    dq.wantsRPZ = false -- disable RPZ
+  end
   if dq.appliedPolicy.policyKind == pdns.policykinds.Custom then
     if dq.qname:equal("www3.example.net") then
       dq.appliedPolicy.policyCustom = "www2.example.net"