AFuzz1 - Single A Record with Arbitrary Byte

This module is designed to respond with an A record containing an arbitrary byte injected into the middle of the hostname in the ANSWER section.

In essence, the response is incorrect: the owner name in the answer differs from the queried name only by the injected byte. Some resolvers or DNS clients may ignore the injected byte, potentially revealing broader issues with how they handle such malformed responses.

Category: Fuzzing

Format

afuzz1.<BYTE>.yourdomain.com

Where:

  • The <BYTE> parameter specifies the byte value in decimal (0 to 255) to be injected into the hostname.

Examples

In this example, we specify the injection of a NULL byte (\000) into the hostname:

# dig afuzz1.0.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> afuzz1.0.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25614
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;afuzz1.0.yourdomain.com.	IN	A

;; ANSWER SECTION:
af\000zz1.0.yourdomain.com. 60	IN	A	6.6.6.0

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 02 13:25:35 +04 2025
;; MSG SIZE  rcvd: 80

In this example, we specify the injection of the 0xff (\255) character into the hostname:

# dig afuzz1.255.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> afuzz1.255.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37424
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;afuzz1.255.yourdomain.com.	IN	A

;; ANSWER SECTION:
af\255zz1.255.yourdomain.com. 60 IN	A	6.6.6.255

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 02 13:25:36 +04 2025
;; MSG SIZE  rcvd: 84

Like other features, you can append anything to the feature name to avoid receiving cached responses from the target DNS resolver. This forces the target resolver to actively communicate with our PolarDNS server instead of responding with cached answers. Using a random number is the most effective strategy:

# dig afuzz1${RANDOM}.255.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> afuzz14797.255.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11768
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;afuzz14797.255.yourdomain.com.	IN	A

;; ANSWER SECTION:
af\255zz14797.255.yourdomain.com. 60 IN	A	6.6.6.255

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Jan 02 13:25:38 +04 2025
;; MSG SIZE  rcvd: 92
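A client that accepts the answers above has failed to compare the ANSWER owner name against its QNAME byte for byte. The following script is an added example, not part of PolarDNS or this page: it builds a constructed response with the same injected byte (the third character of afuzz1 replaced by byte 0, as in the first dig output) and applies the check a careful resolver should perform, including when the owner name is given as a compression pointer.

```python
import struct
# Constructed sample mirroring the first dig output above; not captured from a live server.
QNAME = [b"afuzz1", b"0", b"yourdomain", b"com"]
OWNER = [b"af\x00zz1", b"0", b"yourdomain", b"com"]   # third character replaced by byte 0

def encode_name(labels):
    """Wire-format name: length-prefixed labels ending with a zero-length root label."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_response(qname, owner, ip, txid=0x6410):
    """Constructed response: flags qr+aa, one question, one A record with TTL 60, no compression."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    rr = encode_name(owner) + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(ip)
    return header + question + rr

def read_name(msg, off):
    """Decode the name at `off` into raw label bytes, following compression pointers; returns (labels, end offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # two-byte compression pointer (RFC 1035 4.1.4)
            if (hops := hops + 1) > 16:
                raise ValueError("compression pointer loop")
            if end is None:                      # the name ends right after the first pointer
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return labels, (end if end is not None else off)
        labels.append(msg[off:off + length])
        off += length

def names_equal(a, b):
    """RFC 4343 comparison: ASCII letters match case-insensitively, every other byte must match exactly."""
    return len(a) == len(b) and all(x.lower() == y.lower() for x, y in zip(a, b))

def check_answer_owners(msg):
    """Return [(owner_labels, matches_qname)] for every RR in the ANSWER section (assumes one question)."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4                                     # skip QTYPE and QCLASS
    results = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlength                     # TYPE, CLASS, TTL, RDLENGTH, then RDATA
        results.append((owner, names_equal(owner, qname)))
    return results
```

Running check_answer_owners on build_response(QNAME, OWNER, (6, 6, 6, 0)) reports the owner name as not matching, which is the signal a resolver should treat the record as not answering its question.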
