Add - Add N Bytes to the End of the Packet

This modifier allows adding (appending) an arbitrary number of bytes to the end of the DNS response packet.

Additionally, it allows specifying a particular byte value for the appended bytes. This value can be defined as a decimal number, a hexadecimal number, or set to random if left unspecified.

In TCP mode, ensure the DNS packet length is recalculated by using the rl modifier.

This modifier is compatible with and can be combined with any other existing feature or modifier.

Category: Packet manipulation

Format

*.add<NUMBER>.<BYTE>.*

Where:

  • The <NUMBER> parameter specifies the number of bytes to be added to the response. Note that a DNS packet cannot exceed a total size of 65,535 bytes.

  • The <BYTE> optional parameter can either be:

    • A hexadecimal number (0x0 — 0xff)
    • A decimal number (0 — 255)
    • Omitted, which results in a random value being used

Examples

All the examples below use the basic always feature which always resolves to an IP address.

In this example, we specify appending 10 random bytes to the end of the DNS response. This results in a warning message about 10 extra bytes at the end, but the actual response remains intact:

# dig always.add10.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.add10.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42424
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 10 extra bytes at end

;; QUESTION SECTION:
;always.add10.yourdomain.com.	IN	A

;; ANSWER SECTION:
always.add10.yourdomain.com. 60	IN	A	2.3.4.5

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 11:39:03 +04 2024
;; MSG SIZE  rcvd: 71


Similar to the previous example, but in this case, we specify appending 500 bytes with the value 255 (0xff in hexadecimal) to the end of the DNS response. This triggers a warning message about 500 extra bytes at the end:

# dig always.add500.255.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.add500.255.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36103
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 500 extra bytes at end

;; QUESTION SECTION:
;always.add500.255.yourdomain.com. IN	A

;; ANSWER SECTION:
always.add500.255.yourdomain.com. 60 IN	A	2.3.4.5

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 00:19:59 +04 2024
;; MSG SIZE  rcvd: 566


Same as the previous examples, except that we append 500 NULL bytes. Once again, we see a warning message about 500 extra bytes at the end:

# dig always.add500.0.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.add500.0.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47613
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 500 extra bytes at end

;; QUESTION SECTION:
;always.add500.0.yourdomain.com.	IN	A

;; ANSWER SECTION:
always.add500.0.yourdomain.com.	60 IN	A	2.3.4.5

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 00:20:00 +04 2024
;; MSG SIZE  rcvd: 564


In this case, we combine the operation with the cut modifier to replace the IP address in the answer. First, we remove the last 4 bytes from the response (which correspond to the IP address in the A record), and then we append 4 random bytes. This effectively replaces the IP address in the answer with a random IP address:

# dig always.cut4.add4.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.cut4.add4.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61706
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;always.cut4.add4.yourdomain.com. IN	A

;; ANSWER SECTION:
always.cut4.add4.yourdomain.com. 60 IN	A	105.104.169.227

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 00:20:01 +04 2024
;; MSG SIZE  rcvd: 65


In TCP mode, we must combine this with the rl modifier to recalculate the DNS packet length.

In this example, we use TCP mode without recalculating the length. We request to append 500 NULL bytes to the response. Since the length was not recalculated, the parser completely ignores the appended bytes:

# dig always.add500.0.yourdomain.com @127.0.0.1 +tcp

; <<>> DiG 9.18.10-2-Debian <<>> always.add500.0.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54886
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;always.add500.0.yourdomain.com.	IN	A

;; ANSWER SECTION:
always.add500.0.yourdomain.com.	60 IN	A	2.3.4.5

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Oct 24 00:20:03 +04 2024
;; MSG SIZE  rcvd: 64


After adding the rl modifier to recalculate the length, the parser now processes the entire packet and identifies the 500 extra bytes at the end:

# dig always.add500.0.rl.yourdomain.com @127.0.0.1 +tcp

; <<>> DiG 9.18.10-2-Debian <<>> always.add500.0.rl.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53263
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 500 extra bytes at end

;; QUESTION SECTION:
;always.add500.0.rl.yourdomain.com. IN	A

;; ANSWER SECTION:
always.add500.0.rl.yourdomain.com. 60 IN A	2.3.4.5

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Oct 24 00:20:04 +04 2024
;; MSG SIZE  rcvd: 567
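
The check behind dig's "extra bytes at end" warning, and the effect of the TCP length prefix on it, can be reproduced in a few lines. This is an added example, not code from the tool this page documents; the function names are hypothetical and the response is a constructed sample shaped like the always.add500.0 answers above.

```python
import struct

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(name, ip):
    # Constructed sample: one question, one A answer (TTL 60), flags qr+aa.
    header = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!2H", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4) + bytes(ip)
    return header + question + answer

def skip_name(msg, off):
    # Return the offset just past a name; a compression pointer ends it.
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def trailing_bytes(msg):
    # Walk every record the header declares; whatever is left is trailing data.
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    if off > len(msg):
        raise ValueError("records run past the end of the message")
    return len(msg) - off

def read_tcp_frame(stream):
    # DNS over TCP: a 2-byte big-endian length prefix bounds the message.
    n = struct.unpack("!H", stream[:2])[0]
    return stream[2:2 + n], stream[2 + n:]

base = build_response("always.add500.0.yourdomain.com", [2, 3, 4, 5])
padded = base + b"\x00" * 500                       # what add500.0 appends
stale = struct.pack("!H", len(base)) + padded       # TCP, length not recalculated
fixed = struct.pack("!H", len(padded)) + padded     # TCP, length recalculated (rl)

if __name__ == "__main__":
    print("UDP trailing:", trailing_bytes(padded))
    for label, stream in (("stale prefix", stale), ("recalculated", fixed)):
        msg, rest = read_tcp_frame(stream)
        print(label, "in-frame:", trailing_bytes(msg), "outside frame:", len(rest))
```

With the stale prefix the appended bytes sit outside the framed message, so a per-message check sees nothing; a monitor that wants to catch that case has to compare the bytes received on the connection against the length prefix as well.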
