Flgs - Set Custom Flags in the Header
This modifier enables modification of the Flags field in the DNS header of the response. Flags can be set using decimal or hexadecimal numbers, or they can be generated randomly.
This modifier is compatible with and can be combined with any other existing feature or modifier.
Category: Header manipulation
RFCs: RFC1035
Format
*.flgs<FLAGS>.*
Where:
- The <FLAGS> parameter can either be:
  - A hexadecimal number (0x0 to 0xffff)
  - A decimal number (0 to 65535)
  - A random number (r)
Note that in a DNS packet the Flags field is a 2-byte field, which means the maximum value can be 65535 in decimal or 0xffff in hexadecimal.
Examples
In this example, we use the basic always feature, which always resolves to an IP address. Additionally, we request to set the flags in the response header to the value 0x8403. This value indicates that the response is a standard query response, affirms authority over the domain, and sets the reply code to NXDOMAIN (No such name):
```
# dig always.flgs0x8403.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.flgs0x8403.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64979
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;always.flgs0x8403.yourdomain.com. IN A

;; ANSWER SECTION:
always.flgs0x8403.yourdomain.com. 60 IN A 2.3.4.5

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 09:13:34 +04 2024
;; MSG SIZE rcvd: 66
```
This DNS response may cause confusion as it presents a valid A record in the response while simultaneously indicating that the domain does not exist.
Same as above, but the flags are specified as a decimal number:
```
# dig always.flgs33795.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.flgs33795.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 13964
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;always.flgs33795.yourdomain.com. IN A

;; ANSWER SECTION:
always.flgs33795.yourdomain.com. 60 IN A 2.3.4.5

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 09:13:36 +04 2024
;; MSG SIZE rcvd: 65
```
In this case, we request completely random flags in the response. Given that there are 65535 possible combinations of flags, this is very likely to cause unexpected results and errors:
```
# dig always.flgsr.yourdomain.com @127.0.0.1
;; Warning: Opcode mismatch: expected QUERY, got RESERVED7
;; communications error to 127.0.0.1#53: timed out
;; Warning: Opcode mismatch: expected QUERY, got RESERVED3
;; communications error to 127.0.0.1#53: timed out
;; Warning: Opcode mismatch: expected QUERY, got UPDATE
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.10-2-Debian <<>> always.flgsr.yourdomain.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached
```
We can see that the client is unable to interpret any of the responses.
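A client-side check for the inconsistencies shown in the examples above, as an added example that is not part of the tool's own code: it decodes the Flags field per RFC 1035 and reports a response header whose opcode differs from the query's or that returns NXDOMAIN while carrying answers. The function names and sample headers are constructed for illustration.

```python
import struct

# Opcode and RCODE names; values not listed are shown as RESERVEDn / RCODEn.
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def decode_flags(flags):
    """Split the 16-bit Flags field into its RFC 1035 subfields."""
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    return {
        "qr": (flags >> 15) & 1,      # 1 = response
        "opcode": OPCODES.get(opcode, f"RESERVED{opcode}"),
        "aa": (flags >> 10) & 1,      # authoritative answer
        "tc": (flags >> 9) & 1,       # truncated
        "rd": (flags >> 8) & 1,       # recursion desired
        "ra": (flags >> 7) & 1,       # recursion available
        "z": (flags >> 4) & 0x7,      # reserved in RFC 1035
        "rcode": RCODES.get(rcode, f"RCODE{rcode}"),
    }

def header_anomalies(header, query_opcode="QUERY"):
    """List inconsistencies in the 12-byte header of a DNS response."""
    if len(header) < 12:
        return ["header shorter than 12 bytes"]
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", header[:12])
    f = decode_flags(flags)
    issues = []
    if not f["qr"]:
        issues.append("QR bit clear: message is not marked as a response")
    if f["opcode"] != query_opcode:
        issues.append(f"opcode mismatch: expected {query_opcode}, got {f['opcode']}")
    # Reported for review: NXDOMAIN with answers can be legitimate when a
    # CNAME chain ends at a non-existent name.
    if f["rcode"] == "NXDOMAIN" and an > 0:
        issues.append(f"NXDOMAIN with {an} answer record(s)")
    return issues

if __name__ == "__main__":
    # Constructed headers: ID, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
    samples = {
        "flgs0x8403": struct.pack("!6H", 64979, 0x8403, 1, 1, 0, 0),
        "random (0xB800)": struct.pack("!6H", 1, 0xB800, 1, 1, 0, 0),
    }
    for name, hdr in samples.items():
        print(name, decode_flags(struct.unpack("!H", hdr[2:4])[0]))
        print("  anomalies:", header_anomalies(hdr) or "none")
```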
From the same category
- Adrr - Set Additional RRs in the Header
- Anrr - Set Answer RRs in the Header
- Aurr - Set Authority RRs in the Header
- NewId - Set Random Transaction ID
- Qurr - Set Question RRs in the Header
See also
- Tc - Set Truncated Flag (Force TCP Mode)
- Noq - Remove the Query Section
- Slp - Add a Delay (Latency)
- Ttl - Set Custom TTL Value
- Len - Set Custom Length in TCP
- Cnk - Send Response in Chunks (TCP only)
- Cut - Cut N Bytes from the End of the Packet
- Add - Add N Bytes to the End of the Packet
- Rl - Recalculate Length in TCP
- Fc - Force Compression
- Nc - No Compression