MxLoop - MX Alias Loops

MxLoop - MX Alias Loops

This module implements alias loops using MX (Mail Exchange) records. The loops can be a direct loop, where the alias points back to the same domain name as in the original query, or they can include multiple elements, cycling through a specified number of domains.

The idea is that if the client/resolver decides to resolve this further, it will enter an infinite loop. In practice, however, most modern resolvers detect such loops and terminate the resolution.

Note that this feature provides the same functionality as requesting a MX record for the generic loop feature.

BEWAREThis can potentially lead to a domain lock-up (DoS).

Category: Alias loops

Tags: Domain Lock-Up, Denial of Service

RFCs: RFC1035

Format

mxloop.<NUMBER>.yourdomain.com

Where:

  • The <NUMBER> parameter specifies the number of elements the loop should contain.

Examples

In this example, we see a direct loop formed by sending a query that results in a MX record containing the exact same domain name as the one in the query:

# dig mxloop.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> mxloop.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7428
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mxloop.yourdomain.com.		IN	A

;; ANSWER SECTION:
mxloop.yourdomain.com.	60	IN	MX	0 mxloop.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Nov 05 11:50:15 +04 2024
;; MSG SIZE  rcvd: 76

Download PCAP File


In this example, we request a MX alias loop consisting of 5 elements:

# dig mxloop.5.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> mxloop.5.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35829
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mxloop.5.yourdomain.com.	IN	A

;; ANSWER SECTION:
mxloop.5.yourdomain.com. 60	IN	MX	0 mxloop.5.1.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Nov 05 11:50:16 +04 2024
;; MSG SIZE  rcvd: 82

Download PCAP File

The resulting domain name mxloop.5.1.yourdomain.com represents the 1st element of the loop.


By resolving the 1st element, we are pointed to the 2nd element of the loop:

# dig mxloop.5.1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> mxloop.5.1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1841
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mxloop.5.1.yourdomain.com.	IN	A

;; ANSWER SECTION:
mxloop.5.1.yourdomain.com. 60	IN	MX	0 mxloop.5.2.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Nov 05 11:50:17 +04 2024
;; MSG SIZE  rcvd: 84

Download PCAP File

This continues up to the 5th and final element — mxloop.5.5.yourdomain.com.


By resolving the final element of the loop, we are directed back to the 1st element again:

# dig mxloop.5.5.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> mxloop.5.5.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12627
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mxloop.5.5.yourdomain.com.	IN	A

;; ANSWER SECTION:
mxloop.5.5.yourdomain.com. 60	IN	MX	0 mxloop.5.1.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Nov 05 11:50:18 +04 2024
;; MSG SIZE  rcvd: 84

Download PCAP File

We can see that we are indeed pointed back to the 1st element again, forming a loop.


From the same category

See also


Go back to catalogue.