author | 2021-02-05 10:51:29 +0100 | |
---|---|---|
committer | 2021-02-05 10:51:29 +0100 | |
commit | 56bc7f399a8bee256205f54f2402246818849141 (patch) | |
tree | b50a0a502b572a05cab0297d41bef9d8aa832ce0 /plugin | |
parent | 03812bb1e7ec6af384976bc4a9fb22f054dece89 (diff) | |
plugin/transfer: only allow outgoing axfr over tcp (#4452)
* plugin/transfer: only allow outgoing axfr over tcp
Return refused when the query comes in over udp.
No need to add a new test case as the current crop needed to be changed
to use TCP.
Fixes: #4450
Signed-off-by: Miek Gieben <miek@miek.nl>
* transfer tests: this needs tcp as well
Signed-off-by: Miek Gieben <miek@miek.nl>
Diffstat (limited to 'plugin')
-rw-r--r-- | plugin/transfer/failed_write_test.go | 2 | ||||
-rw-r--r-- | plugin/transfer/select_test.go | 2 | ||||
-rw-r--r-- | plugin/transfer/transfer.go | 4 | ||||
-rw-r--r-- | plugin/transfer/transfer_test.go | 14 |
4 files changed, 13 insertions, 9 deletions
diff --git a/plugin/transfer/failed_write_test.go b/plugin/transfer/failed_write_test.go index 90b5c4de2..c1e2dc45b 100644 --- a/plugin/transfer/failed_write_test.go +++ b/plugin/transfer/failed_write_test.go @@ -20,7 +20,7 @@ func (w *badwriter) WriteMsg(res *dns.Msg) error { return fmt.Errorf("failed to func TestWriteMessageFailed(t *testing.T) { transfer := newTestTransfer() ctx := context.TODO() - w := &badwriter{ResponseWriter: &test.ResponseWriter{}} + w := &badwriter{ResponseWriter: &test.ResponseWriter{TCP: true}} m := &dns.Msg{} m.SetAxfr("example.org.") diff --git a/plugin/transfer/select_test.go b/plugin/transfer/select_test.go index 6cb0d7681..a064b00ca 100644 --- a/plugin/transfer/select_test.go +++ b/plugin/transfer/select_test.go @@ -47,7 +47,7 @@ func TestZoneSelection(t *testing.T) { } r := new(dns.Msg) r.SetAxfr("sub.example.org.") - w := dnstest.NewRecorder(&test.ResponseWriter{}) + w := dnstest.NewRecorder(&test.ResponseWriter{TCP: true}) _, err := tr.ServeDNS(context.TODO(), w, r) if err == nil { t.Fatal("Expected error, got nil") diff --git a/plugin/transfer/transfer.go b/plugin/transfer/transfer.go index 45251cda0..a9ad211df 100644 --- a/plugin/transfer/transfer.go +++ b/plugin/transfer/transfer.go @@ -58,6 +58,10 @@ func (t *Transfer) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Ms return plugin.NextOrFailure(t.Name(), t.Next, ctx, w, r) } + if state.Proto() != "tcp" { + return dns.RcodeRefused, nil + } + x := longestMatch(t.xfrs, state.QName()) if x == nil { return plugin.NextOrFailure(t.Name(), t.Next, ctx, w, r) diff --git a/plugin/transfer/transfer_test.go b/plugin/transfer/transfer_test.go index c4b3891db..79233d10c 100644 --- a/plugin/transfer/transfer_test.go +++ b/plugin/transfer/transfer_test.go 
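Review bot: Every response writer in the test hunks (here in TestWriteMessageFailed, and likewise in select_test.go and all of transfer_test.go) is switched to `TCP: true`, so no visible test still drives ServeDNS with a non-TCP writer and the new REFUSED branch appears to be unexercised. Because the guard restricts who can pull zone data, a later refactor that drops or reorders it would pass the suite unnoticed. A small case that sends `m.SetAxfr(...)` through `dnstest.NewRecorder(&test.ResponseWriter{})` and asserts the returned code equals `dns.RcodeRefused` would pin it; this assumes the zero-value writer reports UDP, which the need for these edits suggests. The test functions start and end outside these hunks.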
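Review bot: The new `state.Proto() != "tcp"` guard in ServeDNS has no comment, and it sits before `longestMatch`, so a transfer query over UDP is refused even for a zone this plugin does not serve, whereas the same query over TCP still falls through to `plugin.NextOrFailure`. The IXFR tests in transfer_test.go also had to move to `TCP: true`, so the guard appears to cover IXFR as well as AXFR, which the commit title does not say; RFC 1995 lets a server answer a UDP IXFR with only its current SOA to signal a retry over TCP, so this is a deliberate tightening worth stating. I would add a comment such as `// Zone transfers (AXFR and IXFR) are served over TCP only; UDP queries are refused before zone matching.` above the check. ServeDNS starts and ends outside the hunk, so the query-type test that presumably precedes this guard is not visible here.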
@@ -91,7 +91,7 @@ func TestTransferNonZone(t *testing.T) { ctx := context.TODO() for _, tc := range []string{"sub.example.org.", "example.test."} { - w := dnstest.NewRecorder(&test.ResponseWriter{}) + w := dnstest.NewRecorder(&test.ResponseWriter{TCP: true}) m := &dns.Msg{} m.SetAxfr(tc) @@ -114,7 +114,7 @@ func TestTransferNotAXFRorIXFR(t *testing.T) { transfer := newTestTransfer() ctx := context.TODO() - w := dnstest.NewRecorder(&test.ResponseWriter{}) + w := dnstest.NewRecorder(&test.ResponseWriter{TCP: true}) m := &dns.Msg{} m.SetQuestion("test.domain.", dns.TypeA) @@ -136,7 +136,7 @@ func TestTransferAXFRExampleOrg(t *testing.T) { transfer := newTestTransfer() ctx := context.TODO() - w := dnstest.NewMultiRecorder(&test.ResponseWriter{}) + w := dnstest.NewMultiRecorder(&test.ResponseWriter{TCP: true}) m := &dns.Msg{} m.SetAxfr(transfer.xfrs[0].Zones[0]) @@ -152,7 +152,7 @@ func TestTransferAXFRExampleCom(t *testing.T) { transfer := newTestTransfer() ctx := context.TODO() - w := dnstest.NewMultiRecorder(&test.ResponseWriter{}) + w := dnstest.NewMultiRecorder(&test.ResponseWriter{TCP: true}) m := &dns.Msg{} m.SetAxfr(transfer.xfrs[1].Zones[0]) @@ -170,7 +170,7 @@ func TestTransferIXFRCurrent(t *testing.T) { testPlugin := transfer.Transferers[0].(*transfererPlugin) ctx := context.TODO() - w := dnstest.NewMultiRecorder(&test.ResponseWriter{}) + w := dnstest.NewMultiRecorder(&test.ResponseWriter{TCP: true}) m := &dns.Msg{} m.SetIxfr(transfer.xfrs[0].Zones[0], testPlugin.Serial, "ns.dns."+testPlugin.Zone, "hostmaster.dns."+testPlugin.Zone) @@ -200,7 +200,7 @@ func TestTransferIXFRFallback(t *testing.T) { testPlugin := transfer.Transferers[0].(*transfererPlugin) ctx := context.TODO() - w := dnstest.NewMultiRecorder(&test.ResponseWriter{}) + w := dnstest.NewMultiRecorder(&test.ResponseWriter{TCP: true}) m := &dns.Msg{} m.SetIxfr( transfer.xfrs[0].Zones[0], 
@@ -262,7 +262,7 @@ func TestTransferNotAllowed(t *testing.T) { } ctx := context.TODO() - w := dnstest.NewRecorder(&test.ResponseWriter{}) + w := dnstest.NewRecorder(&test.ResponseWriter{TCP: true}) m := &dns.Msg{} m.SetAxfr(transfer.xfrs[0].Zones[0]) |