Describe DNS/実装/unbound/harden-referral-path/動作確認/on here.

$ unbound-control set_option harden-referral-path yes
ok
tmaeno@u16:~$ unbound-control flush_zone brau.jp
ok removed 3 rrsets, 1 messages and 0 key entries
tmaeno@u16:~$ dig poison.brau.jp @127.0.0.3
; <<>> DiG 9.12.3 <<>> poison.brau.jp @127.0.0.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;poison.brau.jp. IN A
;; AUTHORITY SECTION:
brau.jp. 2560 IN SOA a.ns.brau.jp. hostmaster.brau.jp. 1543968754 16384 2048 1048576 2560
;; Query time: 167 msec
;; SERVER: 127.0.0.3#53(127.0.0.3)
;; WHEN: 水 12月 05 13:56:31 JST 2018
;; MSG SIZE rcvd: 95
tmaeno@u16:~$

[1543985773] unbound[7346:0] info: control cmd: set_option harden-referral-path yes
[1543985785] unbound[7346:0] info: control cmd: flush_zone brau.jp
[1543985790] unbound[7346:0] info: resolving poison.brau.jp. A IN
[1543985791] unbound[7346:0] info: response for poison.brau.jp. A IN
[1543985791] unbound[7346:0] info: reply from <jp.> 65.22.40.25#53
[1543985791] unbound[7346:0] info: query response was REFERRAL
[1543985791] unbound[7346:0] info: resolving brau.jp. NS IN
[1543985791] unbound[7346:0] info: response for brau.jp. NS IN
[1543985791] unbound[7346:0] info: reply from <jp.> 202.12.30.131#53
[1543985791] unbound[7346:0] info: query response was REFERRAL
[1543985791] unbound[7346:0] info: resolving a.ns.brau.jp. A IN
[1543985791] unbound[7346:0] info: response for poison.brau.jp. A IN
[1543985791] unbound[7346:0] info: reply from <brau.jp.> 14.192.44.29#53
[1543985791] unbound[7346:0] info: query response was NXDOMAIN ANSWER
[1543985791] unbound[7346:0] info: response for a.ns.brau.jp. A IN
[1543985791] unbound[7346:0] info: reply from <brau.jp.> 14.192.44.29#53
[1543985791] unbound[7346:0] info: query response was NXDOMAIN ANSWER
[1543985791] unbound[7346:0] info: resolving ns.brau.jp. A IN
[1543985791] unbound[7346:0] info: response for brau.jp. NS IN
[1543985791] unbound[7346:0] info: reply from <brau.jp.> 14.192.44.29#53
[1543985791] unbound[7346:0] info: query response was ANSWER
[1543985791] unbound[7346:0] info: response for a.ns.brau.jp. A IN
[1543985791] unbound[7346:0] info: reply from <brau.jp.> 14.192.44.29#53
[1543985791] unbound[7346:0] info: query response was ANSWER

The poisoned NS was taken in by the last reply, so this result is only natural.

$ dig poison2.brau.jp @127.0.0.3
; <<>> DiG 9.12.3 <<>> poison2.brau.jp @127.0.0.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37510
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;poison2.brau.jp. IN A
;; ANSWER SECTION:
poison2.brau.jp. 86400 IN A 10.10.1.1
;; Query time: 10 msec
;; SERVER: 127.0.0.3#53(127.0.0.3)
;; WHEN: 水 12月 05 13:59:48 JST 2018
;; MSG SIZE rcvd: 60

[1543985988] unbound[7346:0] info: resolving poison2.brau.jp. A IN
[1543985988] unbound[7346:0] info: response for poison2.brau.jp. A IN
[1543985988] unbound[7346:0] info: reply from <brau.jp.> 14.192.44.5#53
[1543985988] unbound[7346:0] info: query response was ANSWER
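
As an added example (not part of the original page): a Python script that parses verbose unbound log lines like the ones above and lists replies that came from a server address not previously seen for that zone, which makes the switch from 14.192.44.29 to 14.192.44.5 for brau.jp. visible. The function names are hypothetical, and the log format is assumed to match this page's traces.

```python
import re
from collections import defaultdict

# Log lines copied from the two unbound traces on this page (abridged).
SAMPLE_LOG = """\
[1543985791] unbound[7346:0] info: response for poison.brau.jp. A IN
[1543985791] unbound[7346:0] info: reply from <jp.> 65.22.40.25#53
[1543985791] unbound[7346:0] info: query response was REFERRAL
[1543985791] unbound[7346:0] info: response for brau.jp. NS IN
[1543985791] unbound[7346:0] info: reply from <brau.jp.> 14.192.44.29#53
[1543985791] unbound[7346:0] info: query response was ANSWER
[1543985988] unbound[7346:0] info: response for poison2.brau.jp. A IN
[1543985988] unbound[7346:0] info: reply from <brau.jp.> 14.192.44.5#53
[1543985988] unbound[7346:0] info: query response was ANSWER
"""

LINE = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] info: (.*)$")
RESPONSE = re.compile(r"^response for (\S+) (\S+) (\S+)$")
REPLY = re.compile(r"^reply from <(\S+)> ([0-9a-fA-F.:]+)#(\d+)$")
RESULT = re.compile(r"^query response was (.+)$")

def parse_replies(log_text):
    """Return one dict per (response, reply, result) triple in the log."""
    replies, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = int(m.group(1)), m.group(2)
        if (r := RESPONSE.match(msg)):
            current = {"ts": ts, "qname": r.group(1), "qtype": r.group(2)}
        elif (r := REPLY.match(msg)) and current is not None:
            current.update(zone=r.group(1), server=r.group(2))
        elif (r := RESULT.match(msg)) and current and "server" in current:
            current["result"] = r.group(1)
            replies.append(current)
            current = None
    return replies

def server_changes(replies):
    """Return replies whose server address is new for an already-seen zone."""
    seen, changes = defaultdict(set), []
    for rep in replies:
        known = seen[rep["zone"]]
        if known and rep["server"] not in known:
            changes.append(rep)
        known.add(rep["server"])
    return changes
```

A zone with several legitimate name servers will also show more than one address, so each reported change is a lead to compare against the parent's delegation, not a verdict.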