AFuzz1 - Single A Record with Arbitrary Byte
This module is designed to respond with an A record containing an arbitrary byte injected into the middle of the hostname in the ANSWER section.
In essence, this produces an incorrect response: the owner name in the ANSWER section differs from the queried name only by the injected byte. Some resolvers or DNS clients may ignore the injected byte and accept the record, which can reveal broader issues with how they handle malformed responses.
Category: Fuzzing
Format
afuzz1.<BYTE>.yourdomain.com
Where:
- The <BYTE> parameter specifies the byte value in decimal (0-255) to be injected into the hostname.
Examples
In this example, we specify the injection of a NULL byte (\000) into the hostname:
```
# dig afuzz1.0.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> afuzz1.0.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25614
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;afuzz1.0.yourdomain.com.        IN      A

;; ANSWER SECTION:
af\000zz1.0.yourdomain.com.      60      IN      A       6.6.6.0

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 02 13:25:35 +04 2025
;; MSG SIZE  rcvd: 80
```
In this example, we specify the injection of the 0xff (\255) character into the hostname:
```
# dig afuzz1.255.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> afuzz1.255.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37424
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;afuzz1.255.yourdomain.com.      IN      A

;; ANSWER SECTION:
af\255zz1.255.yourdomain.com.    60      IN      A       6.6.6.255

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 02 13:25:36 +04 2025
;; MSG SIZE  rcvd: 84
```
Like other features, you can append anything to the feature name to avoid receiving cached responses from the target DNS resolver. This forces the target resolver to actively query our PolarDNS server instead of answering from its cache. Using a random number is the most effective strategy:
```
# dig afuzz1${RANDOM}.255.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> afuzz14797.255.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11768
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;afuzz14797.255.yourdomain.com.  IN      A

;; ANSWER SECTION:
af\255zz14797.255.yourdomain.com. 60     IN      A       6.6.6.255

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 02 13:25:38 +04 2025
;; MSG SIZE  rcvd: 92
```
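The following Python script is an added example; it is not PolarDNS code and not part of this page. It reconstructs on the wire the responses shown in the dig outputs above (the query name with the third byte of its first label replaced by the chosen value, uncompressed names in both sections, and 6.6.6.<BYTE> as the address) and then applies the check a strict resolver or client should make before accepting such a record: the ANSWER owner name must match the QUESTION name byte for byte. The wire layout is an assumption chosen so that the message sizes equal the MSG SIZE values dig printed (80, 84 and 92 bytes); all function names are hypothetical.

```python
"""Added example (not PolarDNS code): build an AFuzz1-style response on the wire
and detect that its ANSWER owner name no longer matches the QUESTION name."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(labels):
    """Encode a list of byte-string labels in uncompressed DNS wire format."""
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_afuzz1_response(txid, qname, byte_value, ttl=60):
    """Reconstruct the response seen in the dig output (assumed layout, not
    PolarDNS's implementation): flags qr|aa, one question, one A record whose
    owner name is the query name with the third byte of the first label replaced
    by byte_value, rdata 6.6.6.<byte_value>, no name compression."""
    if not 0 <= byte_value <= 255:
        raise ValueError("byte value must be 0-255")
    labels = [label.encode() for label in qname.rstrip(".").split(".")]
    first = bytearray(labels[0])
    first[2] = byte_value                      # "afuzz1" -> "af<byte>zz1"
    owner = [bytes(first)] + labels[1:]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # qr, aa set
    question = encode_name(labels) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes([6, 6, 6, byte_value])
    rr_fixed = struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata))
    return header + question + encode_name(owner) + rr_fixed + rdata


def read_name(msg, offset):
    """Decode a wire-format name at offset, following compression pointers.
    Returns (labels, offset of the first byte after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(bytes(msg[offset:offset + length]))
        offset += length
    return labels, (end if jumped else offset)


def parse_response(msg):
    """Parse the header, the single question and the first answer record."""
    txid, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1 or ancount < 1:
        raise ValueError("expected one question and at least one answer")
    qname, off = read_name(msg, 12)
    off += 4                                   # skip qtype, qclass
    owner, off = read_name(msg, off)
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return {"id": txid, "qname": qname, "owner": owner,
            "ttl": ttl, "rdata": bytes(msg[off:off + rdlen])}


def to_presentation(labels):
    """Render labels roughly the way dig prints them: printable bytes as-is,
    '.' and '\\' backslash-escaped, everything else as \\DDD (decimal)."""
    parts = []
    for label in labels:
        text = ""
        for b in label:
            if b in (0x2E, 0x5C):
                text += "\\" + chr(b)
            elif 0x21 <= b <= 0x7E:
                text += chr(b)
            else:
                text += "\\%03d" % b
        parts.append(text)
    return ".".join(parts) + "."


def owner_matches_question(msg):
    """The check a strict client should apply to a direct A answer: the owner
    name must equal the question name byte for byte (ASCII case-insensitive).
    Returns (ok, parsed) so the caller can log what was actually received."""
    parsed = parse_response(msg)
    fold = lambda labels: [label.lower() for label in labels]
    return fold(parsed["qname"]) == fold(parsed["owner"]), parsed


if __name__ == "__main__":
    for qname, byte_value in (("afuzz1.0.yourdomain.com", 0),
                              ("afuzz1.255.yourdomain.com", 255)):
        msg = build_afuzz1_response(1, qname, byte_value)
        ok, parsed = owner_matches_question(msg)
        print(len(msg), "bytes;", to_presentation(parsed["qname"]),
              "vs", to_presentation(parsed["owner"]), "-> accept" if ok else "-> reject")
```

A client that merely compares the textual names after lossy decoding (dropping or replacing the non-printable byte) would accept these records, while the byte-level comparison rejects them; a record whose injected byte happens to equal the original character (decimal 117, the letter u, for afuzz1) is correctly accepted.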
From the same category
- AFuzz2 - Many Bogus A Records and Legit A Record
- BigBinTxt - TXT Record with Multiple Binary Strings
- BigTxt - TXT Record with Multiple Text Strings
- ManyBinTxt - Many TXT Records with Binary Data
- ManyTxt - Many TXT Records with Random Text
- Nfz - Name Fuzzing Generator