Empty7 - ANSWER Section Is NULL Bytes

This module is designed to respond with a standard-looking DNS response that, according to the DNS header, contains a single Answer. However, the actual Answer in the body is replaced with NULL bytes (\000).

This is likely to result in unexpected errors.

Category: Empty responses

Format

empty7.yourdomain.com

This module has no parameters.

Examples

In this example, we can see that the dig client is unable to interpret the DNS response. This is because the entire ANSWER section has been replaced with NULL bytes, resulting in a format error:

# dig empty7.yourdomain.com @127.0.0.1

;; Got bad packet: FORMERR
76 bytes
45 c3 84 00 00 01 00 01 00 00 00 00 06 65 6d 70          E............emp
74 79 37 0a 79 6f 75 72 64 6f 6d 61 69 6e 03 63          ty7.yourdomain.c
6f 6d 00 00 01 00 01 00 00 00 00 00 00 00 00 00          om..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00                      ............

Download PCAP File

In TCP mode, the outcomes are the same as in the previous example in UDP mode, resulting in a format error:

# dig empty7.yourdomain.com @127.0.0.1 +tcp

;; Got bad packet: FORMERR
76 bytes
98 ac 84 00 00 01 00 01 00 00 00 00 06 65 6d 70          .............emp
74 79 37 0a 79 6f 75 72 64 6f 6d 61 69 6e 03 63          ty7.yourdomain.c
6f 6d 00 00 01 00 01 00 00 00 00 00 00 00 00 00          om..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00                      ............

Download PCAP File

Like other features, we can append anything to the feature name to avoid receiving cached responses from the target DNS resolver. This forces the target resolver to actively communicate with our PolarDNS server instead of responding with cached answers. Using a random number is the most effective strategy:

# dig empty7${RANDOM}.yourdomain.com @10.211.55.2

;; Got bad packet: FORMERR
86 bytes
c1 88 84 00 00 01 00 01 00 00 00 00 0b 65 6d 70          .............emp
74 79 37 31 38 35 39 32 0a 79 6f 75 72 64 6f 6d          ty718592.yourdom
61 69 6e 03 63 6f 6d 00 00 01 00 01 00 00 00 00          ain.com.........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00                                        ......

Download PCAP File

From the same category

• Close - Close the Connection
• Empty1 - Empty Packet
• Empty2 - Only NULL Bytes
• Empty3 - Only NULL Bytes (Suitable for TCP)
• Empty4 - Only Transaction ID and NULL Bytes
• Empty5 - Only DNS Header and NULL Bytes
• Empty6 - ANSWER Section Missing
• QueryBack1 - Query Reflection
• QueryBack2 - Query Reflection (Stripped)
• QueryBack3 - Query Reflection (To Port 53)
• QueryBack4 - Query Reflection (Random, to Port 53)
• Timeout - Do Not Respond

Go back to catalogue.