Empty4 - Only Transaction ID and NULL Bytes

Every DNS packet contains the following parts:

  • Header:
    • Length field (TCP only, 2 bytes)
    • Transaction ID (2 bytes)
    • Flags field (2 bytes)
    • Number of Questions (2 bytes)
    • Number of Answer RRs (2 bytes)
    • Number of Authority RRs (2 bytes)
    • Number of Additional RRs (2 bytes)
  • Body:
    • Queries Section: Contains QNAME, QTYPE, and QCLASS for each query.
    • Answer Section: Contains answer RRs (if any).
    • Authority Section: Contains authoritative RRs (if any).
    • Additional Section: Contains additional RRs (if any).

This module is designed to respond with an incomplete DNS response containing only the Transaction ID, followed by an arbitrary number of NULL bytes (\000).

This is likely to result in unexpected errors.

Note that DNS packets in TCP mode must include a Length field at the beginning. This module ensures that the Length field is correctly set when operating in TCP mode.
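The following is an added Python example, not part of the module's own code. It reproduces the wire format this module emits (Transaction ID plus NULL bytes, with the 2-byte length prefix in TCP mode) and pairs it with the checks a defensive DNS client should run before trusting such a reply: minimum header length, QR bit, and section counts versus trailing bytes. The function names, the `tcp_length` override used to model a lying length prefix, and the transaction IDs are all assumptions made for this example.

```python
import struct
from typing import List, Optional, Tuple

# Fixed DNS header: ID, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields)
DNS_HEADER_LEN = 12


def build_empty4_response(txid: int, null_bytes: int = 1, tcp: bool = False,
                          tcp_length: Optional[int] = None) -> bytes:
    """Construct an empty4-style reply: Transaction ID followed by NULL bytes.

    In TCP mode a 2-byte length prefix is prepended. `tcp_length` (assumed
    parameter) overrides that prefix so the mismatch case can be modelled;
    by default the prefix matches the payload, as the module does.
    """
    payload = struct.pack("!H", txid) + b"\x00" * null_bytes
    if not tcp:
        return payload
    length = len(payload) if tcp_length is None else tcp_length
    return struct.pack("!H", length) + payload


def check_udp_response(msg: bytes, expected_txid: int) -> List[str]:
    """Validate a DNS reply body defensively; return the problems found
    (an empty list means the message at least has a sane header)."""
    problems: List[str] = []
    if len(msg) < DNS_HEADER_LEN:
        problems.append("short (< header size) message")
        return problems  # nothing beyond this point can be parsed safely
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:DNS_HEADER_LEN])
    if txid != expected_txid:
        problems.append("transaction id mismatch")
    if not flags & 0x8000:  # QR bit clear: the packet claims to be a query
        problems.append("query response not set")
    # With every section count zero the body must be empty; anything past
    # the header is trailing garbage that a parser should not silently accept.
    if qd == an == ns == ar == 0 and len(msg) > DNS_HEADER_LEN:
        problems.append(f"{len(msg) - DNS_HEADER_LEN} extra bytes at end")
    return problems


def check_tcp_frame(frame: bytes) -> Tuple[Optional[bytes], Optional[str]]:
    """Split one TCP DNS frame into its payload.

    Returns (payload, None) when the length prefix matches the bytes present,
    otherwise (None, reason). A prefix larger than the data delivered is what
    leaves a client waiting for bytes that never arrive.
    """
    if len(frame) < 2:
        return None, "missing length field"
    (declared,) = struct.unpack("!H", frame[:2])
    body = frame[2:]
    if len(body) < declared:
        return None, f"length field says {declared} bytes, only {len(body)} received"
    if len(body) > declared:
        return None, f"{len(body) - declared} bytes beyond declared length"
    return body, None


if __name__ == "__main__":
    # Default behaviour: one NULL byte after the Transaction ID.
    print(check_udp_response(build_empty4_response(0x1234, 1), 0x1234))
    # 100 NULL bytes: header parses, but 90 bytes are left over.
    print(check_udp_response(build_empty4_response(0x2034, 100), 0x2034))
    # TCP with a length prefix claiming 200 bytes and an empty body.
    print(check_tcp_frame(build_empty4_response(0xABCD, 0, tcp=True, tcp_length=200)))
```

The constructed 100-byte case yields a 102-byte message, the same size dig reports for that query, and the checker flags the same two conditions dig warns about. The TCP case with a 200-byte length prefix and no body shows why a client that trusts the prefix blocks until the connection closes.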

Category: Empty responses

Format

empty4.<NUMBER>.yourdomain.com

Where:

  • The <NUMBER> parameter defines how many NULL bytes should be generated in the response. By default, a single NULL byte is generated.

Examples

By default, the module generates a single NULL byte as the response. Although the response contains a valid Transaction ID, it includes nothing beyond that single NULL byte. This is insufficient for a valid DNS response, so the client retries three times before giving up:

# dig empty4.yourdomain.com @127.0.0.1

;; Warning: short (< header size) message received
;; communications error to 127.0.0.1#53: timed out
;; Warning: short (< header size) message received
;; communications error to 127.0.0.1#53: timed out
;; Warning: short (< header size) message received
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.10-2-Debian <<>> empty4.yourdomain.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached

In this example, we request 100 NULL bytes as the response. As a result, the parser only partially processes the packet. It interprets the response as a standard query (because the Flags field is \000\000) and finds that the numbers of questions, answers, authority, and additional records are all zero. Consequently, the parser identifies 90 extra bytes at the end of the packet:

# dig empty4.100.yourdomain.com @127.0.0.1

;; Warning: query response not set

; <<>> DiG 9.18.10-2-Debian <<>> empty4.100.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8244
;; flags:; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 90 extra bytes at end

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Oct 28 10:50:22 +04 2024
;; MSG SIZE  rcvd: 102

In TCP mode, the results are the same as in the previous UDP example: the Length field is set correctly, so the client reads the full 102-byte message and reports the same malformations:

# dig empty4.100.yourdomain.com @127.0.0.1 +tcp

;; Warning: query response not set

; <<>> DiG 9.18.10-2-Debian <<>> empty4.100.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50867
;; flags:; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 90 extra bytes at end

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Mon Oct 28 10:50:24 +04 2024
;; MSG SIZE  rcvd: 102

In this example, the DNS response is sent in TCP mode (using the tc modifier) with the Length field claiming a 200-byte packet (using the len modifier). However, the response body contains no data: there is only the Transaction ID and nothing else (zero NULL bytes). As a result, the parser waits for bytes that never arrive and makes three attempts before giving up:

# dig empty4.0.len200.tc.yourdomain.com @127.0.0.1

;; Truncated, retrying in TCP mode.
;; communications error to 127.0.0.1#53: end of file
;; communications error to 127.0.0.1#53: end of file
;; communications error to 127.0.0.1#53: end of file

; <<>> DiG 9.18.10-2-Debian <<>> empty4.0.len200.tc.yourdomain.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached
