Cut - Cut N Bytes from the End of the Packet

This modifier allows cutting (removing) an arbitrary number of bytes from the end of the DNS response packet.

In TCP mode, ensure the DNS packet length is recalculated by using the rl modifier.

This modifier is compatible with and can be combined with any other existing feature or modifier.

Category: Packet manipulation

Format

*.cut<NUMBER>.*

Where:

  • The <NUMBER> parameter specifies the number of bytes to be removed from the response. If the specified number exceeds the packet size, an empty packet will be sent.

Examples

All the examples below use the basic always feature which always resolves to an IP address.

In this example, we request 16 bytes to be removed from the response. This effectively removes the answer (which is exactly 16 bytes long) from the DNS response body. As a result, we see a warning about a malformed packet, and the answer is missing:

# dig always.cut16.yourdomain.com @127.0.0.1

;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.18.10-2-Debian <<>> always.cut16.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56931
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;always.cut16.yourdomain.com.	IN	A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 00:20:05 +04 2024
;; MSG SIZE  rcvd: 45

Similar to the previous example, but in this case we request 100 bytes to be removed from the response. Since this exceeds the size of the DNS response, the result is an empty packet. The client makes three attempts to resolve the error:

# dig always.cut100.yourdomain.com @127.0.0.1

;; Warning: short (< header size) message received
;; communications error to 127.0.0.1#53: timed out
;; Warning: short (< header size) message received
;; communications error to 127.0.0.1#53: timed out
;; Warning: short (< header size) message received
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.10-2-Debian <<>> always.cut100.yourdomain.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached

In this case, we combine the operation with the add modifier to replace the original IP address in the response. First, we remove the last 4 bytes from the response (which correspond to the IP address in the A record), and then we add 4 bytes with the value 0xff (255 in decimal). This effectively replaces the IP address in the answer with 255.255.255.255:

# dig always.cut4.add4.0xff.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.cut4.add4.0xff.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29398
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;always.cut4.add4.0xff.yourdomain.com. IN A

;; ANSWER SECTION:
always.cut4.add4.0xff.yourdomain.com. 60 IN A	255.255.255.255

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 24 00:20:23 +04 2024
;; MSG SIZE  rcvd: 70

In TCP mode, we must combine this with the rl modifier to recalculate the DNS packet length.

In this example, we use TCP mode without recalculating the length. As a result, the parser assumes an error occurred during transmission and makes three attempts to resolve the issue:

# dig always.cut16.yourdomain.com @127.0.0.1 +tcp

;; communications error to 127.0.0.1#53: end of file
;; communications error to 127.0.0.1#53: end of file
;; communications error to 127.0.0.1#53: end of file

; <<>> DiG 9.18.10-2-Debian <<>> always.cut16.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; no servers could be reached

After adding the rl modifier to recalculate the length, the parser successfully parses the packet and identifies that the packet was likely cut (resulting in the warning about a malformed packet), similar to the behavior in the very first example using UDP mode:

# dig always.cut16.rl.yourdomain.com @127.0.0.1 +tcp

;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.18.10-2-Debian <<>> always.cut16.rl.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42721
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;always.cut16.rl.yourdomain.com.	IN	A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Oct 24 00:20:25 +04 2024
;; MSG SIZE  rcvd: 48
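
The outcomes shown in the examples above can be reproduced offline with the following added Python sketch, which is not code from this page or from the tool it documents. It models the cut on a constructed A response and checks the header counts and the TCP length prefix against the bytes actually present. The function names, the address 192.0.2.1, the transaction ID and the answer layout (a 2-byte compression pointer, giving the 16-byte answer mentioned above) are assumptions made for illustration.

```python
import struct

def encode_name(name):
    """Length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(name, ip="192.0.2.1"):
    """Constructed A response (assumed layout): header, question, 16-byte answer
    made of a pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4, address."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)  # qr aa, QD=1, AN=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # type A, class IN
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(map(int, ip.split(".")))
    return header + question + answer

def cut(packet, n):
    """Model of cut<NUMBER>: drop n bytes from the end, empty if n exceeds the size."""
    return packet[:max(len(packet) - n, 0)]

def skip_name(msg, pos):
    """Offset just past a name; IndexError if the name runs off the end."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:       # compression pointer, 2 bytes
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def check_response(msg):
    """Do the header counts match the records actually present in the payload?"""
    if len(msg) < 12:
        return "short"                  # smaller than a DNS header
    qd, an = struct.unpack("!HH", msg[4:8])
    pos = 12
    try:
        for _ in range(qd):
            pos = skip_name(msg, pos) + 4             # QTYPE, QCLASS
        for _ in range(an):
            pos = skip_name(msg, pos) + 10            # type, class, TTL, RDLENGTH
            pos += (msg[pos - 2] << 8) | msg[pos - 1] # IndexError if cut away
    except IndexError:
        return "malformed"              # header promises more than is present
    return "malformed" if pos > len(msg) else "ok"

def check_tcp(full, n, recalc):
    """TCP framing model: without recalc the 2-byte prefix keeps the pre-cut length."""
    body = cut(full, n)
    declared = len(body) if recalc else len(full)
    return "eof" if len(body) < declared else check_response(body)
```

With the query names used above, the modelled packet sizes come out at 45, 70 and 48 bytes, the same as the MSG SIZE values reported by dig.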
