BIND 10 trac3383, updated. bad81eacde96d3ca3753658631aab8f11327eb88 [3383] Log when D2 is listening on non-loopback address
BIND 10 source code commits
bind10-changes at lists.isc.org
Wed Apr 2 15:27:56 UTC 2014
The branch, trac3383 has been updated
via bad81eacde96d3ca3753658631aab8f11327eb88 (commit)
from 4fc6976f40629a4e161c14928b40acfe82f1ccae (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit bad81eacde96d3ca3753658631aab8f11327eb88
Author: Thomas Markwalder <tmark at isc.org>
Date: Wed Apr 2 10:54:33 2014 -0400
[3383] Log when D2 is listening on non-loopback address
Added a check in D2Process to detect when D2 is using an
address other than loopback on which to listen and issue
a log warning.
Added simple unit tests that permit visual log inspection
barring a simple, automated way to do it.
-----------------------------------------------------------------------
Summary of changes:
src/bin/d2/d2_messages.mes | 8 +++++
src/bin/d2/d2_process.cc | 7 +++++
src/bin/d2/tests/d2_process_unittests.cc | 48 ++++++++++++++++++++++++++++++
3 files changed, 63 insertions(+)
-----------------------------------------------------------------------
diff --git a/src/bin/d2/d2_messages.mes b/src/bin/d2/d2_messages.mes
index 2849ae4..5782d5d 100644
--- a/src/bin/d2/d2_messages.mes
+++ b/src/bin/d2/d2_messages.mes
@@ -254,6 +254,14 @@ This is a debug message issued when the DHCP-DDNS application encountered an
error while decoding a response to DNS Update message. Typically, this error
will be encountered when a response message is malformed.
+% DHCP_DDNS_NOT_ON_LOOPBACK The DHCP-DDNS server has been configured to listen on %1 which is not the local loopback. This is an insecure configuration supported for testing purposes only.
+This is a warning message issued When the DHCP-DDNS server is configured to
+listen at an address other than the loopback address (127.0.0.1 or ::1). It is
+possible for a malicious attacker to send bogus NameChangeRequests to it and
+change entries in the DNS. For this reason, addresses other than the IPv4 or
+IPv6 loopback addresses should only be used for testing purposes. A future
+version of Kea will implement authentication to guard against such attacks.
+
% DHCP_DDNS_NO_ELIGIBLE_JOBS although there are queued requests, there are pending transactions for each Queue count: %1 Transaction count: %2
This is a debug message issued when all of the queued requests represent clients
for which there is a an update already in progress. This may occur under
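Review bot: the new description has a mid-sentence capital in "issued When the DHCP-DDNS server is configured"; it should read "issued when". Beyond that, the text says the configured address "is not the local loopback", but the check that drives this message (the `ip_address != "127.0.0.1" && ip_address != "::1"` comparison in d2_process.cc below) only recognises those two literals, so the description would be more accurate as "is not 127.0.0.1 or ::1". It would also help operators to state that the warning is emitted when the configuration is loaded or reloaded, since that is the only point at which it appears in the log.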
diff --git a/src/bin/d2/d2_process.cc b/src/bin/d2/d2_process.cc
index 187bfe1..cca71e2 100644
--- a/src/bin/d2/d2_process.cc
+++ b/src/bin/d2/d2_process.cc
@@ -329,6 +329,13 @@ D2Process::reconfigureQueueMgr() {
std::string ip_address;
uint32_t port;
getCfgMgr()->getContext()->getParam("ip_address", ip_address);
+
+ // Warn the user if the server address is not the loopback.
+ /// @todo Remove this once we provide a secure mechanism.
+ if (ip_address != "127.0.0.1" && ip_address != "::1") {
+ LOG_WARN(dctl_logger, DHCP_DDNS_NOT_ON_LOOPBACK).arg(ip_address);
+ }
+
getCfgMgr()->getContext()->getParam("port", port);
isc::asiolink::IOAddress addr(ip_address);
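Review bot: the loopback test `if (ip_address != "127.0.0.1" && ip_address != "::1")` compares the raw configuration string, so any other spelling of a loopback address (127.0.0.2 or anything else in 127/8, or IPv6 forms such as `0:0:0:0:0:0:0:1` or `::0001`) produces the warning even though the listener is local. The failure direction is conservative, since every non-matching string warns, but it is still a false positive for valid configurations. The check also runs before `isc::asiolink::IOAddress addr(ip_address);` two lines below, so an unparseable address logs the warning and then fails in the constructor. Suggest moving the check after `addr` is built and comparing the parsed address against the parsed loopback addresses, ideally in a small named predicate that the unit tests can call directly rather than relying on log inspection.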
diff --git a/src/bin/d2/tests/d2_process_unittests.cc b/src/bin/d2/tests/d2_process_unittests.cc
index cbbdd3f..bd6f770 100644
--- a/src/bin/d2/tests/d2_process_unittests.cc
+++ b/src/bin/d2/tests/d2_process_unittests.cc
@@ -602,4 +602,52 @@ TEST_F(D2ProcessTest, fatalErrorShutdown) {
elapsed.total_milliseconds() <= 2100);
}
+/// @brief Used to permit visual inspection of logs to ensure
+/// DHCP_DDNS_NOT_ON_LOOPBACK is issued when ip_address is not
+/// loopback.
+TEST_F(D2ProcessTest, notLoopbackTest) {
+ const char* config = "{ "
+ "\"interface\" : \"\" , "
+ "\"ip_address\" : \"0.0.0.0\" , "
+ "\"port\" : 53001, "
+ "\"tsig_keys\": [],"
+ "\"forward_ddns\" : {},"
+ "\"reverse_ddns\" : {}"
+ "}";
+
+ // Note we don't care nor can we predict if this
+ // succeeds or fails. The address and port may or may
+ // not be valid on the test host.
+ runWithConfig(config);
+}
+
+
+/// @brief Used to permit visual inspection of logs to ensure
+/// DHCP_DDNS_NOT_ON_LOOPBACK is not issued.
+TEST_F(D2ProcessTest, v4LoopbackTest) {
+ const char* config = "{ "
+ "\"interface\" : \"\" , "
+ "\"ip_address\" : \"127.0.0.1\" , "
+ "\"port\" : 53001, "
+ "\"tsig_keys\": [],"
+ "\"forward_ddns\" : {},"
+ "\"reverse_ddns\" : {}"
+ "}";
+ ASSERT_TRUE(runWithConfig(config));
+}
+
+/// @brief Used to permit visual inspection of logs to ensure
+/// DHCP_DDNS_NOT_ON_LOOPBACK is not issued.
+TEST_F(D2ProcessTest, v6LoopbackTest) {
+ const char* config = "{ "
+ "\"interface\" : \"\" , "
+ "\"ip_address\" : \"::1\" , "
+ "\"port\" : 53001, "
+ "\"tsig_keys\": [],"
+ "\"forward_ddns\" : {},"
+ "\"reverse_ddns\" : {}"
+ "}";
+ ASSERT_TRUE(runWithConfig(config));
+}
+
} // end of anonymous namespace
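Review bot: notLoopbackTest contains no assertion, so it can never fail and does not verify that DHCP_DDNS_NOT_ON_LOOPBACK is issued; as the @brief says, it only supports visual inspection of the log. If the loopback comparison in D2Process::reconfigureQueueMgr() were factored into a testable predicate, these three tests could assert its result for "0.0.0.0", "127.0.0.1" and "::1" directly, and the three near-identical config strings could be built by one helper that takes the address. Minor: there are two blank lines between notLoopbackTest and v4LoopbackTest but one between the other tests.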