Empty3 - Only NULL Bytes (Suitable for TCP)

This module is designed to respond with an empty answer consisting solely of an arbitrary number of NULL bytes (\000).

Note that DNS packets in TCP mode include a length field at the beginning.

This module correctly provides the length information at the beginning of the packet in TCP mode. For a variant that does not provide the length information in TCP mode, refer to the empty2 module.

Category: Empty responses

Format

empty3.<NUMBER>.yourdomain.com

Where:

  • The <NUMBER> parameter defines how many NULL bytes should be generated in the response. By default, a single NULL byte is generated.

Examples

By default, the module generates a single NULL byte as the response. This is insufficient for a valid DNS response, causing the client to make three attempts to resolve the error:

# dig empty3.yourdomain.com @127.0.0.1

;; Warning: short (< header size) message received
;; communications error to 127.0.0.1#53: timed out
;; Warning: short (< header size) message received
;; communications error to 127.0.0.1#53: timed out
;; Warning: short (< header size) message received
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.10-2-Debian <<>> empty3.yourdomain.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached


In this example, we request 100 NULL bytes as the response. In this case, the parser interprets the Transaction ID in the response as 0 (\000\000), which does not match the Transaction ID from the original query. As a result, the client again makes three attempts to resolve the error:

# dig empty3.100.yourdomain.com @127.0.0.1

;; Warning: ID mismatch: expected ID 5404, got 0
;; Warning: query response not set
;; communications error to 127.0.0.1#53: timed out
;; Warning: ID mismatch: expected ID 5404, got 0
;; Warning: query response not set
;; communications error to 127.0.0.1#53: timed out
;; Warning: ID mismatch: expected ID 5404, got 0
;; Warning: query response not set
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.10-2-Debian <<>> empty3.100.yourdomain.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached


In this example, we switch to TCP mode and request 100 NULL bytes as the response. In this module, the length is correctly provided at the beginning of the packet, allowing the parser to proceed with parsing the Transaction ID. It interprets the Transaction ID in the response as 0 (\000\000), which does not match the Transaction ID from the original query. In TCP mode, the client does not make any further attempts to resolve the error:

# dig empty3.100.yourdomain.com @127.0.0.1 +tcp

;; ERROR: ID mismatch: expected ID 64330, got 0
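
The checks a client has to apply to reject these responses, as an added example (not PolarDNS or dig code). The function name, the wording of its messages (modeled on the dig warnings above) and the payloads are constructed for illustration:

```python
import struct

DNS_HEADER_LEN = 12  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (2 bytes each)
QR_BIT = 0x8000      # set in the flags field of every response


def validate_response(data: bytes, expected_id: int, tcp: bool = False) -> list[str]:
    """Return the problems found in a raw DNS response (empty list = passes)."""
    if tcp:
        # DNS over TCP prefixes each message with a 2-byte big-endian length.
        if len(data) < 2:
            return ["tcp: missing length prefix"]
        (declared,) = struct.unpack("!H", data[:2])
        msg = data[2:]
        if declared > len(msg):
            return [f"tcp: truncated, prefix declares {declared} bytes, got {len(msg)}"]
        msg = msg[:declared]
    else:
        msg = data
    if len(msg) < DNS_HEADER_LEN:
        return [f"short message: {len(msg)} bytes (< header size)"]
    msg_id, flags = struct.unpack("!HH", msg[:4])
    problems = []
    if msg_id != expected_id:
        problems.append(f"ID mismatch: expected ID {expected_id}, got {msg_id}")
    if not flags & QR_BIT:
        problems.append("query response not set")
    return problems


# Constructed payloads mirroring the three dig runs on this page.
ONE_NULL = b"\x00"                                          # empty3, UDP
HUNDRED_NULLS = b"\x00" * 100                               # empty3.100, UDP
HUNDRED_NULLS_TCP = struct.pack("!H", 100) + HUNDRED_NULLS  # empty3.100, TCP

if __name__ == "__main__":
    for label, data, qid, tcp in [
        ("udp, 1 byte", ONE_NULL, 5404, False),
        ("udp, 100 bytes", HUNDRED_NULLS, 5404, False),
        ("tcp, 100 bytes", HUNDRED_NULLS_TCP, 64330, True),
    ]:
        print(label, "->", validate_response(data, qid, tcp))
```

If the query's Transaction ID happens to be 0, the all-NULL response passes the ID comparison and is rejected only because the QR bit is not set, so a client needs both checks.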


Like other features, you can append anything to the feature name to avoid receiving cached responses from the target DNS resolver. This forces the target resolver to actively communicate with our PolarDNS server instead of responding with cached answers. Using a random number is the most effective strategy:

# dig empty3${RANDOM}.100.yourdomain.com @10.211.55.2

;; Warning: ID mismatch: expected ID 33773, got 0
;; Warning: query response not set
;; communications error to 10.211.55.2#53: timed out
;; Warning: ID mismatch: expected ID 33773, got 0
;; Warning: query response not set
;; communications error to 10.211.55.2#53: timed out
;; Warning: ID mismatch: expected ID 33773, got 0
;; Warning: query response not set
;; communications error to 10.211.55.2#53: timed out

; <<>> DiG 9.18.10-2-Debian <<>> empty332312.100.yourdomain.com @10.211.55.2
;; global options: +cmd
;; no servers could be reached
