Chain - Alias Chains

Chain - Alias Chains

This module implements incremental alias chains using variety of different record (resource) types. It supports the following record types:

  • CNAME (Canonical Name)
  • DNAME (Delegation Name)
  • HTTPS (HyperText Transfer Protocol Secure)
  • SVCB (Service Binding)
  • SPF (Sender Policy Framework)
  • SRV (Service Locator)
  • MX (Mail Exchange)
  • NS (Name Server)

The module returns an alias record with an incremented domain name index, forming a chain that continues to increment indefinitely.

Specifically, this module generates an alias record in the format chain###.yourdomain.com, where ### represents the incremented index.

The concept is that if the client/resolver attempts to resolve this alias further, it will generate yet another incremented alias, causing the process to continue indefinitely and potentially keeping the resolver occupied.

However, in practice, most modern resolvers detect such chains and terminate the resolution after encountering a certain number of consecutive aliases (e.g., 20 aliases) or upon reaching a specified time limit for the resolution (e.g., 30 seconds).

BEWAREThis could potentially lead to a domain lock-up (DoS).

Category: Alias chains

Tags: Domain Lock-Up, Denial of Service

RFCs: RFC1034, RFC1035, RFC2672, RFC2782, RFC2915, RFC3761, RFC4408, RFC6672, RFC7208, RFC9460

Format

chain<NUMBER>.yourdomain.com

Where:

  • The <NUMBER> parameter specifies an arbitrary number that will be incremented in the response.

Examples

By default, the module generates a CNAME alias with the index of 1:

# dig chain.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> chain.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64247
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;chain.yourdomain.com.		IN	A

;; ANSWER SECTION:
chain.yourdomain.com.	60	IN	CNAME	chain1.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:31 +04 2024
;; MSG SIZE  rcvd: 73

Download PCAP File


If we attempt to resolve the resulting domain name (chain1.yourdomain.com), we receive an incremented alias record:

# dig chain1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> chain1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56389
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;chain1.yourdomain.com.		IN	A

;; ANSWER SECTION:
chain1.yourdomain.com.	60	IN	CNAME	chain2.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:32 +04 2024
;; MSG SIZE  rcvd: 74

Download PCAP File


If we continue to resolve the next domain name (chain2.yourdomain.com), we again receive an incremented alias record:

# dig chain2.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> chain2.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21790
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;chain2.yourdomain.com.		IN	A

;; ANSWER SECTION:
chain2.yourdomain.com.	60	IN	CNAME	chain3.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:33 +04 2024
;; MSG SIZE  rcvd: 74

Download PCAP File


This resolution process can continue indefinitely, as there are no limits on the size of the index number. Each resolution yields another incremented alias record:

# dig chain9999999999999999999999999.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> chain9999999999999999999999999.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36288
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;chain9999999999999999999999999.yourdomain.com. IN A

;; ANSWER SECTION:
chain9999999999999999999999999.yourdomain.com. 60 IN CNAME chain10000000000000000000000000.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:34 +04 2024
;; MSG SIZE  rcvd: 123

Download PCAP File

The domain name will never be fully resolved as the incremental process continues indefinitely.


As mentioned in the description, this module supports multiple different record types. In this example, we ask for a DNAME record type. Specifically, we request a DNAME alias record with an index of 100:

# dig DNAME chain100.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> DNAME chain100.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56380
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;chain100.yourdomain.com.	IN	DNAME

;; ANSWER SECTION:
chain100.yourdomain.com. 60	IN	DNAME	chain101.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:36 +04 2024
;; MSG SIZE  rcvd: 78

Download PCAP File

We can see that we received an incremented DNAME alias record.


In this example, we request an MX record with an index of 1,000:

# dig MX chain1000.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> MX chain1000.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61690
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;chain1000.yourdomain.com.	IN	MX

;; ANSWER SECTION:
chain1000.yourdomain.com. 60	IN	MX	0 chain1001.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:37 +04 2024
;; MSG SIZE  rcvd: 82

Download PCAP File

We can see that we received an incremented MX alias record.


In this example, we request an SPF record with an index of 10,000. Since SPF records are published within TXT records, we request a TXT record in this case:

# dig TXT chain10000.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> TXT chain10000.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63066
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;chain10000.yourdomain.com.	IN	TXT

;; ANSWER SECTION:
chain10000.yourdomain.com. 60	IN	TXT	"v=spf1 include:chain10001.yourdomain.com ~all"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:38 +04 2024
;; MSG SIZE  rcvd: 101

Download PCAP File

Again, we received an incremented SPF alias record as the answer. The domain name will never be fully resolved as the incremental process continues indefinitely.


From the same category

See also


Go back to catalogue.