Add - Add N Bytes to the End of the Packet
This modifier allows adding (appending) an arbitrary number of bytes to the end of the DNS response packet.
Additionally, it allows specifying a particular byte value for the appended bytes. This value can be defined as a decimal number, a hexadecimal number, or set to random if left unspecified.
In TCP mode, ensure the DNS packet length is recalculated by using the rl modifier.
This modifier is compatible with and can be combined with any other existing feature or modifier.
Category: Packet manipulation
Format
*.add<NUMBER>.<BYTE>.*
Where:
-
The
<NUMBER>
parameter specifies the number of bytes to be added to the response. Note that a DNS packet cannot exceed a total size of 65,535 bytes. -
The
<BYTE>
optional parameter can either be:- A hexadecimal number (0x0 — 0xff)
- A decimal number (0 — 255)
- Ommited, which results in a random value being used
Examples
All the examples below use the basic always feature which always resolves to an IP address.
In this example, we specify appending 10 random bytes to the end of the DNS response. This results in a warning message about 10 extra bytes at the end, but the actual response remains intact:
# dig always.add10.yourdomain.com @127.0.0.1
; <<>> DiG 9.18.10-2-Debian <<>> always.add10.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42424
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 10 extra bytes at end
;; QUESTION SECTION:
;always.add10.yourdomain.com. IN A
;; ANSWER SECTION:
always.add10.yourdomain.com. 60 IN A 2.3.4.5
;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 11:39:03 +04 2024
;; MSG SIZE rcvd: 71
Similar to the previous example, but in this case, we specify appending 500 bytes with the value 255 (0xff in hexadecimal) to the end of the DNS response. This triggers a warning message about 500 extra bytes at the end:
# dig always.add500.255.yourdomain.com @127.0.0.1
; <<>> DiG 9.18.10-2-Debian <<>> always.add500.255.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36103
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 500 extra bytes at end
;; QUESTION SECTION:
;always.add500.255.yourdomain.com. IN A
;; ANSWER SECTION:
always.add500.255.yourdomain.com. 60 IN A 2.3.4.5
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 00:19:59 +04 2024
;; MSG SIZE rcvd: 566
Same as the previous examples, except that we append 500 NULL bytes. Once again, we see a warning message about 500 extra bytes at the end:
# dig always.add500.0.yourdomain.com @127.0.0.1
; <<>> DiG 9.18.10-2-Debian <<>> always.add500.0.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47613
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 500 extra bytes at end
;; QUESTION SECTION:
;always.add500.0.yourdomain.com. IN A
;; ANSWER SECTION:
always.add500.0.yourdomain.com. 60 IN A 2.3.4.5
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 00:20:00 +04 2024
;; MSG SIZE rcvd: 564
In this case, we combine the operation with the cut modifier to replace the IP address in the answer. First, we remove the last 4 bytes from the response (which correspond to the IP address in the A record), and then we append 4 random bytes. This effectively replaces the IP address in the answer with a random IP address:
# dig always.cut4.add4.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> always.cut4.add4.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61706 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;always.cut4.add4.yourdomain.com. IN A ;; ANSWER SECTION: always.cut4.add4.yourdomain.com. 60 IN A 105.104.169.227 ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Thu Oct 24 00:20:01 +04 2024 ;; MSG SIZE rcvd: 65
In TCP mode, we must combine this with the rl modifier to recalculate the DNS packet length.
In this example, we use TCP mode without recalculating the length. We request to append 500 NULL bytes to the response. Since the length was not recalculated, the parser completely ignores the appended bytes:
# dig always.add500.0.yourdomain.com @127.0.0.1 +tcp ; <<>> DiG 9.18.10-2-Debian <<>> always.add500.0.yourdomain.com @127.0.0.1 +tcp ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54886 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;always.add500.0.yourdomain.com. IN A ;; ANSWER SECTION: always.add500.0.yourdomain.com. 60 IN A 2.3.4.5 ;; Query time: 8 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP) ;; WHEN: Thu Oct 24 00:20:03 +04 2024 ;; MSG SIZE rcvd: 64
After adding the rl modifier to recalculate the length, the parser now processes the entire packet and identifies the 500 extra bytes at the end:
# dig always.add500.0.rl.yourdomain.com @127.0.0.1 +tcp
; <<>> DiG 9.18.10-2-Debian <<>> always.add500.0.rl.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53263
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 500 extra bytes at end
;; QUESTION SECTION:
;always.add500.0.rl.yourdomain.com. IN A
;; ANSWER SECTION:
always.add500.0.rl.yourdomain.com. 60 IN A 2.3.4.5
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Oct 24 00:20:04 +04 2024
;; MSG SIZE rcvd: 567
From the same category
- Cnk - Send Response in Chunks (TCP only)
- Cut - Cut N Bytes from the End of the Packet
- Fc - Force Compression
- Len - Set Custom Length in TCP
- Nc - No Compression
- Noq - Remove the Query Section
- Rl - Recalculate Length in TCP
- Slp - Add a Delay (Latency)
- Tc - Set Truncated Flag (Force TCP Mode)
- Ttl - Set Custom TTL Value
See also
- NewId - Set Random Transaction ID
- Flgs - Set Custom Flags in the Header
- Qurr - Set Question RRs in the Header
- Anrr - Set Answer RRs in the Header
- Aurr - Set Authority RRs in the Header
- Adrr - Set Additional RRs in the Header