Empty5 - Only DNS Header and NULL Bytes

Every DNS packet contains the following parts:

  • Header:
    • Length field (TCP only, 2 bytes)
    • Transaction ID (2 bytes)
    • Flags field (2 bytes)
    • Number of Questions (2 bytes)
    • Number of Answer RRs (2 bytes)
    • Number of Authority RRs (2 bytes)
    • Number of Additional RRs (2 bytes)
  • Body:
    • Queries Section: Contains QNAME, QTYPE, and QCLASS for each query.
    • Answer Section: Contains answer RRs (if any).
    • Authority Section: Contains authoritative RRs (if any).
    • Additional Section: Contains additional RRs (if any).

This module is designed to respond with an incomplete DNS response consisting only of the DNS header (containing the Transaction ID, Flags field, and the number of RRs). Instead of a body, it sends an arbitrary number of NULL bytes (\000).

This is likely to cause unexpected errors in the client or resolver that parses the response.

Note that DNS packets in TCP mode must include a Length field at the beginning. This module ensures that the Length field is correctly set when operating in TCP mode.

Category: Empty responses

Format

empty5.<NUMBER>.yourdomain.com

Where:

  • The <NUMBER> parameter defines how many NULL bytes should be generated in the response. By default, a single NULL byte is generated.

Examples

In the default usage, the DNS response body consists only of a single NULL byte. The parser identifies the packet as malformed and is unable to parse it correctly since there is just a single NULL byte in the body:

# dig empty5.yourdomain.com @127.0.0.1

;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.18.10-2-Debian <<>> empty5.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19658
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Oct 28 16:25:07 +04 2024
;; MSG SIZE  rcvd: 13


In this case, we request the DNS response body to consist only of 5 NULL bytes. As a result, the Query section appears severely malformed (containing only NULL bytes), and the entire Answer section is missing. dig reports the malformed packet and times out on each of its three attempts:

# dig empty5.5.yourdomain.com @127.0.0.1

;; Warning: Message parser reports malformed message packet.
;; ;; Question section mismatch: got ./TYPE0/RESERVED0
;; communications error to 127.0.0.1#53: timed out
;; Warning: Message parser reports malformed message packet.
;; ;; Question section mismatch: got ./TYPE0/RESERVED0
;; communications error to 127.0.0.1#53: timed out
;; Warning: Message parser reports malformed message packet.
;; ;; Question section mismatch: got ./TYPE0/RESERVED0
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.10-2-Debian <<>> empty5.5.yourdomain.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached


In this case, we request the DNS response body to consist only of 100 NULL bytes. Consequently, both the Query and Answer sections are filled entirely with NULL bytes, making the packet impossible to interpret. The parser fails to process it, resulting in a format error:

# dig empty5.100.yourdomain.com @127.0.0.1

;; Got bad packet: FORMERR
112 bytes
94 ba 84 00 00 01 00 01 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................


In TCP mode, the results are the same as in the previous example in UDP mode, resulting in a format error:

# dig empty5.100.yourdomain.com @127.0.0.1 +tcp

;; Got bad packet: FORMERR
112 bytes
ae 78 84 00 00 01 00 01 00 00 00 00 00 00 00 00          .x..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
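
How a strict receiver can reject the responses shown above, as an added example that is not part of the original page or the tool's own code: it walks every record the header counts announce and requires the body to end exactly where the last record does. The names `skip_name`, `validate_response`, `verdict` and `empty5` are hypothetical, and the sample packets are constructed from the header bytes in the hex dump above followed by NULL bytes.

```python
import struct

def skip_name(msg, off):
    # Step over one domain name: length-prefixed labels ending in a zero byte.
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n == 0 or n >= 0xC0:       # root label (1 byte) or compression pointer (2);
            return off + (2 if n else 1)   # the caller's bounds check catches truncation
        if n > 63:
            raise ValueError("reserved label type")
        off += 1 + n

def validate_response(msg, tcp=False):
    # Walk every record the header counts announce; raise if the body disagrees.
    if tcp:
        if len(msg) < 2 or struct.unpack("!H", msg[:2])[0] != len(msg) - 2:
            raise ValueError("TCP length prefix mismatch")
        msg = msg[2:]
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # QTYPE + QCLASS
        if off > len(msg):
            raise ValueError("question truncated")
    for _ in range(an + ns + ar):
        off = skip_name(msg, off) + 10      # TYPE, CLASS, TTL, RDLENGTH
        if off > len(msg):
            raise ValueError("resource record truncated")
        off += struct.unpack("!H", msg[off - 2:off])[0]   # skip RDATA
    if off != len(msg):
        raise ValueError(f"records end at offset {off}, message is {len(msg)} bytes")
    return qd, an, ns, ar

def verdict(msg, tcp=False):
    try:
        validate_response(msg, tcp)
        return "ok"
    except ValueError as exc:
        return str(exc)

# Constructed samples: header bytes from this page's hex dump, then n NULL bytes.
HEADER = bytes.fromhex("94ba84000001000100000000")
def empty5(n, tcp=False):
    body = HEADER + bytes(n)
    return struct.pack("!H", len(body)) + body if tcp else body
```

With 1 NULL byte the question is truncated, with 5 the promised answer record is missing, and with 100 the records parse as all-zero fields but leave 84 unexplained bytes, so all three are rejected before any record is used.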
