From 19505537fd2b689712cb6b6b90a44df5c22d063e Mon Sep 17 00:00:00 2001
From: Taylor R Campbell
Date: Fri, 9 Jun 2023 00:09:59 +0000
Subject: [PATCH] Ensure all calls to rk_dns_lookup are headed by a block_dns check.

Exception: In lib/kafs/common.c, we don't have a krb5_context in which to check.
---
 kdc/altsecid_gss_preauth_authorizer.c | 7 +++++++
 lib/krb5/get_host_realm.c | 8 ++++++++
 lib/krb5/krbhst.c | 12 +++++++++---
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/kdc/altsecid_gss_preauth_authorizer.c b/kdc/altsecid_gss_preauth_authorizer.c
index d48ea584b..17d3ee31b 100644
--- a/kdc/altsecid_gss_preauth_authorizer.c
+++ b/kdc/altsecid_gss_preauth_authorizer.c
@@ -167,6 +167,13 @@ ad_connect(krb5_context context,
 } *s, *servers = NULL;
 size_t i, num_servers = 0;
 
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ ret = KRB5KDC_ERR_SVC_UNAVAILABLE;
+ krb5_set_error_message(context, ret, "DNS blocked when finding AD DC");
+ return ret;
+ }
+
 {
 struct rk_dns_reply *r;
 struct rk_resource_record *rr;
diff --git a/lib/krb5/get_host_realm.c b/lib/krb5/get_host_realm.c
index 7b58fe9a4..4141a8cfe 100644
--- a/lib/krb5/get_host_realm.c
+++ b/lib/krb5/get_host_realm.c
@@ -116,6 +116,14 @@ dns_find_realm(krb5_context context,
 char **config_labels;
 int i, ret = 0;
 
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ ret = KRB5_KDC_UNREACH;
+ krb5_set_error_message(context, ret,
+ "Realm lookup failed: DNS blocked");
+ return ret;
+ }
+
 config_labels = krb5_config_get_strings(context, NULL, "libdefaults",
 "dns_lookup_realm_labels", NULL);
 if(config_labels != NULL)
diff --git a/lib/krb5/krbhst.c b/lib/krb5/krbhst.c
index 91cce2bfa..10143a574 100644
--- a/lib/krb5/krbhst.c
+++ b/lib/krb5/krbhst.c
@@ -795,7 +795,9 @@ kdc_get_next(krb5_context context,
 return KRB5_KDC_UNREACH;
 }
 
- if(context->srv_lookup) {
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL) &&
+ context->srv_lookup) {
 if(kd->sitename && (kd->flags & KD_SITE_SRV_TCP) == 0) {
 srv_get_hosts(context, kd, kd->sitename, "tcp", "kerberos");
 kd->flags |= KD_SITE_SRV_TCP;
@@ -867,7 +869,9 @@ admin_get_next(krb5_context context,
 return KRB5_KDC_UNREACH;
 }
 
- if(context->srv_lookup) {
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL) &&
+ context->srv_lookup) {
 if((kd->flags & KD_SRV_TCP) == 0) {
 srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
 kd->flags |= KD_SRV_TCP;
@@ -921,7 +925,9 @@ kpasswd_get_next(krb5_context context,
 return KRB5_KDC_UNREACH;
 }
 
- if(context->srv_lookup) {
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL) &&
+ context->srv_lookup) {
 if((kd->flags & KD_SRV_UDP) == 0) {
 srv_get_hosts(context, kd, NULL, "udp", kd->srv_label);
 kd->flags |= KD_SRV_UDP;
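Review bot: The new condition in kdc_get_next is inverted: the SRV lookup under it now runs only when block_dns is true and is skipped when the option is unset (krb5_config_get_bool reports an absent key as false), which is the opposite of what the commit title asks for and of the polarity used in the altsecid and get_host_realm hunks; the same inverted test appears in the admin_get_next and kpasswd_get_next hunks below. In the default configuration every client silently loses SRV-based KDC/admin/kpasswd discovery, and with block_dns set the very DNS queries the setting is meant to suppress are still issued. The fix is to negate the config lookup in all three places: `if (!krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", NULL) && context->srv_lookup) {`. Since the lookup string is identical in all three functions, a small static helper such as `block_dns_enabled(context)` would keep the polarity from drifting again. Each enclosing function starts and ends outside its hunk.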