BadCompressLoop2 - Pointer Loop in Name Field (Variant 2)

The DNS protocol supports compressing domain names to save space by reducing redundancy for repeated domain names within DNS messages. This compression scheme can be applied to various record (resource) types, such as A, CNAME, MX, or PTR records.

This particular module is designed to respond with a single answer containing a CNAME record (alias) where the Name field is partially compressed.

The Name field includes only the abc string (a beginning of a domain name) followed by a compression pointer that points back to the beginning of the abc string. This setup effectively creates a loop.

Category: Bad compression

RFCs: RFC1035

Format

badcompressloop2.yourdomain.com

This module has no parameters.

Examples

In this example, we can see that the client (dig) is unable to process the response because of the compression loop:

# dig badcompressloop2.yourdomain.com @127.0.0.1

;; Got bad packet: bad compression pointer
93 bytes
5f 6a 84 00 00 01 00 01 00 00 00 00 10 62 61 64          _j...........bad
63 6f 6d 70 72 65 73 73 6c 6f 6f 70 32 0a 79 6f          compressloop2.yo
75 72 64 6f 6d 61 69 6e 03 63 6f 6d 00 00 01 00          urdomain.com....
01 03 61 62 63 c0 31 00 05 00 01 00 00 00 3c 00          ..abc.1.......<.
1c 0b 61 6c 77 61 79 73 39 39 33 30 37 0a 79 6f          ..always99307.yo
75 72 64 6f 6d 61 69 6e 03 63 6f 6d 00                   urdomain.com.

Download PCAP File

By examining the PCAP file in Wireshark, we can see that it detects the loop and displays the error message <Name contains a pointer that loops> while parsing the field. However, different DNS resolvers and clients may handle such malformed responses in vastly different ways, making this an intriguing use case for testing.

Like other features, you can append anything to the feature name to avoid receiving cached responses from the target DNS resolver. This forces the target resolver to actively communicate with our PolarDNS server instead of responding with cached answers. Using a random number is the most effective strategy:

# dig badcompressloop2${RANDOM}.yourdomain.com @10.211.55.2

;; Got bad packet: bad compression pointer
97 bytes
c3 02 84 00 00 01 00 01 00 00 00 00 14 62 61 64          .............bad
63 6f 6d 70 72 65 73 73 6c 6f 6f 70 32 32 34 39          compressloop2249
34 0a 79 6f 75 72 64 6f 6d 61 69 6e 03 63 6f 6d          4.yourdomain.com
00 00 01 00 01 03 61 62 63 c0 35 00 05 00 01 00          ......abc.5.....
00 00 3c 00 1c 0b 61 6c 77 61 79 73 38 34 31 31          ..<...always8411
33 0a 79 6f 75 72 64 6f 6d 61 69 6e 03 63 6f 6d          3.yourdomain.com
00                                                       .

Download PCAP File

From the same category

• BadCompress1 - Custom Offset in Name Field
• BadCompress2 - Custom Offset in CNAME Field
• BadCompressFwPtr1 - Forward and Double Pointer in Name Field (Variant 1)
• BadCompressFwPtr2 - Forward and Double Pointer in Name Field (Variant 2)
• BadCompressLoop1 - Pointer Loop in Name Field (Variant 1)
• BadCompressLoop3 - Double Pointer Loop
• BadCompressLoop4 - Pointer Loop in CNAME Field (Variant 1)
• BadCompressLoop5 - Pointer Loop in CNAME Field (Variant 2)
• BadCompressMid1 - Compression in the Middle of CNAME

Go back to catalogue.