BadCompressLoop5 - Pointer Loop in CNAME Field (Variant 2)

The DNS protocol supports compressing domain names to save space by reducing redundancy for repeated domain names within DNS messages. This compression scheme can be applied to various record (resource) types, such as A, CNAME, MX, or PTR records.

This particular module is designed to respond with a single answer containing a CNAME record (alias) where the CNAME field is partially compressed.

The CNAME field includes only the abc string (a beginning of a domain name) followed by a compression pointer that points back to the beginning of the abc string.

This setup effectively creates a loop, preventing it from being assembled into a valid domain name.

Category: Bad compression

RFCs: RFC1035

Format

badcompressloop5.yourdomain.com

This module has no parameters.

Examples

In this example, we can see that the client (dig) is unable to process the response because of the compression loop:

# dig badcompressloop5.yourdomain.com @127.0.0.1

;; Got bad packet: bad compression pointer
67 bytes
41 7a 84 00 00 01 00 01 00 00 00 00 10 62 61 64          Az...........bad
63 6f 6d 70 72 65 73 73 6c 6f 6f 70 35 0a 79 6f          compressloop5.yo
75 72 64 6f 6d 61 69 6e 03 63 6f 6d 00 00 01 00          urdomain.com....
01 c0 0c 00 05 00 01 00 00 00 3c 00 06 03 61 62          ..........<...ab
63 c0 3d                                                 c.=

Download PCAP File

By examining the PCAP file in Wireshark, we can see that it detects the loop and displays the error message <Name contains a pointer that loops> while parsing the field. However, different DNS resolvers and clients may handle such malformed responses in vastly different ways, making this an intriguing use case for testing.

Like other features, you can append anything to the feature name to avoid receiving cached responses from the target DNS resolver. This forces the target resolver to actively communicate with our PolarDNS server instead of responding with cached answers. Using a random number is the most effective strategy:

# dig badcompressloop5${RANDOM}.yourdomain.com @10.211.55.2

;; Got bad packet: bad compression pointer
72 bytes
a4 6a 84 00 00 01 00 01 00 00 00 00 15 62 61 64          .j...........bad
63 6f 6d 70 72 65 73 73 6c 6f 6f 70 35 31 31 34          compressloop5114
39 30 0a 79 6f 75 72 64 6f 6d 61 69 6e 03 63 6f          90.yourdomain.co
6d 00 00 01 00 01 c0 0c 00 05 00 01 00 00 00 3c          m..............<
00 06 03 61 62 63 c0 42                                  ...abc.B

Download PCAP File

From the same category

• BadCompress1 - Custom Offset in Name Field
• BadCompress2 - Custom Offset in CNAME Field
• BadCompressFwPtr1 - Forward and Double Pointer in Name Field (Variant 1)
• BadCompressFwPtr2 - Forward and Double Pointer in Name Field (Variant 2)
• BadCompressLoop1 - Pointer Loop in Name Field (Variant 1)
• BadCompressLoop2 - Pointer Loop in Name Field (Variant 2)
• BadCompressLoop3 - Double Pointer Loop
• BadCompressLoop4 - Pointer Loop in CNAME Field (Variant 1)
• BadCompressMid1 - Compression in the Middle of CNAME

Go back to catalogue.