Flgs - Set Custom Flags in the Header

This modifier enables modification of the Flags field in the DNS header of the response. Flags can be set using decimal or hexadecimal numbers, or they can be generated randomly.

This modifier is compatible with and can be combined with any other existing feature or modifier.

Category: Header manipulation

RFCs: RFC1035

Format

*.flgs<FLAGS>.*

Where:

  • The <FLAGS> parameter can either be:
    • A hexadecimal number (0x0 — 0xffff)
    • A decimal number (0 — 65535)
    • A random number (r)

Note that in a DNS packet the Flags field is a 2-byte field, which means the maximum value can be 65535 in decimal or 0xffff in hexadecimal.

Examples

In this example, we use the basic always feature which always resolves to an IP address. Additionally, we request to set the flags in the response header to the value of 0x8403. This value indicates that the response is a standard query response, affirms authority over the domain, and sets the reply code to NXDOMAIN (No such name):

# dig always.flgs0x8403.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.flgs0x8403.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64979
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;always.flgs0x8403.yourdomain.com. IN	A

;; ANSWER SECTION:
always.flgs0x8403.yourdomain.com. 60 IN	A	2.3.4.5

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 09:13:34 +04 2024
;; MSG SIZE  rcvd: 66

This DNS response may cause confusion as it presents a valid A record in the response while simultaneously indicating that the domain does not exist.


Same as above, but the flags are specified as a decimal number:

# dig always.flgs33795.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.flgs33795.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13964
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;always.flgs33795.yourdomain.com. IN	A

;; ANSWER SECTION:
always.flgs33795.yourdomain.com. 60 IN	A	2.3.4.5

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 09:13:36 +04 2024
;; MSG SIZE  rcvd: 65


In this case, we request completely random flags in the response. Given that there are 65535 possible combinations of flags, this is very likely to cause unexpected results and errors:

# dig always.flgsr.yourdomain.com @127.0.0.1

;; Warning: Opcode mismatch: expected QUERY, got RESERVED7
;; communications error to 127.0.0.1#53: timed out
;; Warning: Opcode mismatch: expected QUERY, got RESERVED3
;; communications error to 127.0.0.1#53: timed out
;; Warning: Opcode mismatch: expected QUERY, got UPDATE
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.10-2-Debian <<>> always.flgsr.yourdomain.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached

We can see that the client is unable to interpret any of the responses.
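
To see why clients react this way, the Python sketch below decodes a Flags value into its RFC 1035 subfields and reports the two inconsistencies shown in the examples above: NXDOMAIN alongside answer records, and an opcode that does not match the query. It is an added example, not code from the tool this page documents; the names decode_flags and check_response and the sample headers are constructed for illustration, and Z is treated as the 3-bit reserved field of RFC 1035.

```python
import struct

# Mnemonics as dig prints them; unknown opcodes show up as RESERVED<n>.
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def decode_flags(flags):
    """Split the 16-bit Flags field using the RFC 1035 section 4.1.1 layout."""
    if not 0 <= flags <= 0xFFFF:
        raise ValueError("Flags is a 2-byte field (0 to 0xffff)")
    opcode, rcode = (flags >> 11) & 0xF, flags & 0xF
    return {
        "qr": flags >> 15,            # 1 = response
        "opcode": OPCODES.get(opcode, f"RESERVED{opcode}"),
        "aa": (flags >> 10) & 1,      # authoritative answer
        "tc": (flags >> 9) & 1,       # truncated
        "rd": (flags >> 8) & 1,       # recursion desired
        "ra": (flags >> 7) & 1,       # recursion available
        "z": (flags >> 4) & 0x7,      # reserved in RFC 1035
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),  # RCODE<n>: fallback label
    }

def check_response(header, expected_opcode="QUERY"):
    """Return a list of inconsistencies found in a raw 12-byte DNS header."""
    if len(header) < 12:
        raise ValueError("DNS header is 12 bytes")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", header[:12])
    f = decode_flags(flags)
    findings = []
    if not f["qr"]:
        findings.append("QR clear: message is marked as a query")
    if f["opcode"] != expected_opcode:
        findings.append(f"opcode mismatch: expected {expected_opcode}, got {f['opcode']}")
    if f["rcode"] == "NXDOMAIN" and ancount > 0:
        findings.append(f"NXDOMAIN with {ancount} answer record(s)")
    return findings

# Constructed headers: (id, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT)
SAMPLE_NXDOMAIN = struct.pack("!6H", 64979, 0x8403, 1, 1, 0, 0)  # first example
SAMPLE_OPCODE = struct.pack("!6H", 1, 0xB800, 1, 1, 0, 0)        # opcode 7

if __name__ == "__main__":
    print(decode_flags(33795))
    for sample in (SAMPLE_NXDOMAIN, SAMPLE_OPCODE):
        print(check_response(sample))
```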

