Cut - Cut N Bytes from the End of the Packet
This modifier allows cutting (removing) an arbitrary number of bytes from the end of the DNS response packet.
In TCP mode, ensure the DNS packet length is recalculated by using the rl modifier.
This modifier is compatible with and can be combined with any other existing feature or modifier.
Category: Packet manipulation
Format
*.cut<NUMBER>.*
Where:
- The
<NUMBER>parameter specifies the number of bytes to be removed from the response. If the specified number exceeds the packet size, an empty packet will be sent.
Examples
All the examples below use the basic always feature which always resolves to an IP address.
In this example, we request 16 bytes to be removed from the response. This effectively removes the answer (which is exactly 16 bytes long) from the DNS response body. As a result, we see a warning about malformed packet and a missing answer:
# dig always.cut16.yourdomain.com @127.0.0.1
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.18.10-2-Debian <<>> always.cut16.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56931
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;always.cut16.yourdomain.com. IN A
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 00:20:05 +04 2024
;; MSG SIZE rcvd: 45
Similar to the previous example, but in this case, we request 100 bytes to be removed from the response. Since this exceeds the size of the DNS response, this results in obtaining an empty packet. The client makes three attempts to resolve the error:
# dig always.cut100.yourdomain.com @127.0.0.1 ;; Warning: short (< header size) message received ;; communications error to 127.0.0.1#53: timed out ;; Warning: short (< header size) message received ;; communications error to 127.0.0.1#53: timed out ;; Warning: short (< header size) message received ;; communications error to 127.0.0.1#53: timed out ; <<>> DiG 9.18.10-2-Debian <<>> always.cut100.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; no servers could be reached
In this case, we combine the operation with the add modifier to replace the original IP address in the response. First, we remove the last 4 bytes from the response (which correspond to the IP address in the A record), and then we add 4 bytes with the value 0xff (255 in decimal). This effectively replaces the IP address in the answer with 255.255.255.255:
# dig always.cut4.add4.0xff.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> always.cut4.add4.0xff.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29398 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;always.cut4.add4.0xff.yourdomain.com. IN A ;; ANSWER SECTION: always.cut4.add4.0xff.yourdomain.com. 60 IN A 255.255.255.255 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Thu Oct 24 00:20:23 +04 2024 ;; MSG SIZE rcvd: 70
In TCP mode, we must combine this with the rl modifier to recalculate the DNS packet length.
In this example, we use TCP mode without recalculating the length. As a result, the parser assumes an error occured during transmission and makes three attempts to resolve the issue:
# dig always.cut16.yourdomain.com @127.0.0.1 +tcp ;; communications error to 127.0.0.1#53: end of file ;; communications error to 127.0.0.1#53: end of file ;; communications error to 127.0.0.1#53: end of file ; <<>> DiG 9.18.10-2-Debian <<>> always.cut16.yourdomain.com @127.0.0.1 +tcp ;; global options: +cmd ;; no servers could be reached
After adding the rl modifier to recalculate the length, the parser successfully parses the packet and identifies that the packet was likely cut (resulting in the warning about malformed packet), similar to the behavior in the very first example using UDP mode:
# dig always.cut16.rl.yourdomain.com @127.0.0.1 +tcp
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.18.10-2-Debian <<>> always.cut16.rl.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42721
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;always.cut16.rl.yourdomain.com. IN A
;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Oct 24 00:20:25 +04 2024
;; MSG SIZE rcvd: 48
From the same category
- Add - Add N Bytes to the End of the Packet
- Cnk - Send Response in Chunks (TCP only)
- Fc - Force Compression
- Len - Set Custom Length in TCP
- Nc - No Compression
- Noq - Remove the Query Section
- Rl - Recalculate Length in TCP
- Slp - Add a Delay (Latency)
- Tc - Set Truncated Flag (Force TCP Mode)
- Ttl - Set Custom TTL Value
See also
- NewId - Set Random Transaction ID
- Flgs - Set Custom Flags in the Header
- Qurr - Set Question RRs in the Header
- Anrr - Set Answer RRs in the Header
- Aurr - Set Authority RRs in the Header
- Adrr - Set Additional RRs in the Header