Nfz - Name Fuzzing Generator
This modifier allows to generate various illegal and malformed domain names based on the selected variant and size.
This generator was primarily created for the alias features (such as alias, cnalias, dnalias, etc.) to provide a unified mechanism for generating malformed domain names.
The module enables experimentation with the structure of domain names and the key aspects and limitations of how domain names and IP addresses are transmitted during DNS communication. The most notable aspects include:
-
DNS name notation defines how domain names are represented and transmitted over the network. In this notation, each domain is divided into subdomains (labels), with the size of each label prepended before the label itself. The domain name ends with a NULL byte, representing the ROOT domain.
- For example:
www.example.com
is transmitted as[3]www[7]example[3]com[0]
. Note that actual dot (.) symbols are never transmitted.
- For example:
-
The total size of a domain name cannot exceed 253 characters.
-
The size of a single label (a subdomain) cannot exceed 63 characters.
-
IP addresses are transmitted as raw bytes. An IPv4 address simply consists of 4 consecutive bytes, and an IPv6 address consists of 16 consecutive bytes. Actual dot (.) or colon (:) symbols are never transmitted.
-
Permitted characters in domain names include letters (a-z), digits (0-9), and hyphens (-). While domain names typically use ASCII characters, internationalized domain names (IDNs) rely on Punycode to represent non-ASCII characters.
-
Domain names cannot contain binary or non-printable characters. Additionally:
-
Labels (subdomains) cannot begin or end with a hyphen (-).
-
Spaces and special characters (like @, #, $, etc.) are not allowed.
-
Domain names are case-insensitive (e.g.,
Example.COM
is equivalent toexample.com
).
-
Category: Fuzzing
Format
*.nfz<VARIANT>.s<SUBDOMAINS>.m<MALFORMATION>.p<POSITION>.*
Where:
-
The
VARIANT
parameter specifies the particular name fuzzing variant. The following 7 customizable variants are supported:-
nfz0
generates a standalone malformation only. -
nfz1
generates a malformation within thealways.yourdomain.com
(resolvable) domain. -
nfz2
generates a malformation within thenonres.yourdomain.com
(non-resolvable) domain. -
nfz3
generates a malformation within the same feature domain (e.g.,alias.yourdomain.com
). -
nfz4
generates a malformation within thealways######.yourdomain.com
(resolvable) domain, where######
represents a random number. -
nfz5
generates a malformation within thenonres######.yourdomain.com
(non-resolvable) domain, where######
represents a random number. -
nfz6
generates a malformation within the same feature domain (e.g.,alias######.yourdomain.com
), where######
represents a random number.
-
-
The
SUBDOMAINS
parameter specifies the number of subdomains that the malformation should consist of. By default, a single subdomain is generated if this parameter is not specified. -
The
MALFORMATION
parameter specifies the type of malformation to generate. There are 10 different variants supported, which produce the following results:-
m0.[SIZE]
generates NULL byte string of the specified size. -
m1.[SIZE]
generates a string made of random letter or number, with the same character repeated. -
m2.[SIZE]
generates a string made of random letter or number, with each character being random. -
m3.[SIZE]
generates a string made of random printable character, with the same character repeated. -
m4.[SIZE]
generates a string made of random printable character, with each character being random. -
m5.[SIZE]
generates random byte string with the same byte repeated. -
m6.[SIZE]
generates random byte string with each byte being random. -
m7.[SIZE]
generates incremental byte string with the same byte repeated. -
m8.[SIZE]
generates incremental byte string with each byte being incremented. -
m9.[SIZE].[BYTE]
generates a string made of a specific byte value and size.
-
-
The
POSITION
parameter specifies the insertion point where the malformation should occur. This is applicable only tonfz1
throughnfz6
variants, with the following 13 insertion points (positions) available:-
p0
generates malformation<HERE>.always######.yourdomain.com
. -
p1
generates malformation<HERE>always######.yourdomain.com
. -
p2
generates malformationalways<HERE>######.yourdomain.com
. -
p3
generates malformationalways######<HERE>.yourdomain.com
. -
p4
generates malformationalways######<HERE>yourdomain.com
. -
p5
generates malformationalways######.<HERE>.yourdomain.com
. -
p6
generates malformationalways######.<HERE>yourdomain.com
. -
p7
generates malformationalways######.yourdomain<HERE>.com
. -
p8
generates malformationalways######.yourdomain<HERE>com
. -
p9
generates malformationalways######.yourdomain.<HERE>.com
. -
p10
generates malformationalways######.yourdomain.<HERE>com
. -
p11
generates malformationalways######.yourdomain.com<HERE>
. -
p12
generates malformationalways######.yourdomain.com.<HERE>
.
-
Additionaly, the following alternative format is supported without any other additional parameters:
*.nfz<VARIANT>.*
Where:
-
The
VARIANT
parameter specifies the particular name fuzzing variant. The following 12 non-customizable variants are supported:-
nfz7
generates only the ROOT domain (.
) -
nfz8
generates a malformed name consisting of a random domain in the formatalways######.yourdomain.com:80
-
nfz9
generates a malformed name consisting of a random domain in the formatalways######.yourdomain.com:443
-
nfz10
generates a malformed name consisting of a random domain in the formathttp://always######.yourdomain.com/
-
nfz11
generates a malformed name consisting of a random domain in the formathttp://always######.yourdomain.com:80/
-
nfz12
generates a malformed name consisting of a random domain in the formathttps://always######.yourdomain.com/
-
nfz13
generates a malformed name consisting of a random domain in the formathttps://always######.yourdomain.com:443/
-
nfz14
generates a malformed name consisting of1.2.3.4
(an IP address in DNS name notation) -
nfz15
generates a malformed name consisting of1.2.3.4:80
(an IP address and port in DNS name notation) -
nfz16
generates a malformed name consisting of1\.2\.3\.4
(an IP address in DNS name notation, represented as a single label with literal dot symbols) -
nfz17
generates a malformed name consisting of1\.2\.3\.4:80
(an IP address and port in DNS name notation, represented as a single label with literal dot symbols) -
nfz18
generates a malformed name consisting of127.0.0.1
(our own IP address in DNS name notation) -
nfz19
generates a malformed name consisting of127.0.0.1:80
(our own IP address and port in DNS name notation)
-
Examples
To demonstrate the capabilities of this name fuzzing generator, all the examples below use the alias feature to produce five CNAME
sample alias records. The target domain names are malformed using the generator in different configurations and combinations.
For reference, the first example demonstrates the default behavior of the alias feature without involving any name fuzzing:
# dig alias.5.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> alias.5.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16317 ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.5.yourdomain.com. IN A ;; ANSWER SECTION: alias.5.yourdomain.com. 60 IN CNAME alias259422.5.yourdomain.com. alias.5.yourdomain.com. 60 IN CNAME alias434060.5.yourdomain.com. alias.5.yourdomain.com. 60 IN CNAME alias415975.5.yourdomain.com. alias.5.yourdomain.com. 60 IN CNAME alias183368.5.yourdomain.com. alias.5.yourdomain.com. 60 IN CNAME alias644227.5.yourdomain.com. ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:15 +04 2025 ;; MSG SIZE rcvd: 250
Now we incorporate the name fuzzer into the query. In this example, we use the nfz0
variant which generates a standalone malformation. Without any additional options, it generates a malformation consisting of a single NULL byte (\000
):
# dig alias.5.nfz0.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64356 ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.5.nfz0.yourdomain.com. IN A ;; ANSWER SECTION: alias.5.nfz0.yourdomain.com. 60 IN CNAME \000. alias.5.nfz0.yourdomain.com. 60 IN CNAME \000. alias.5.nfz0.yourdomain.com. 60 IN CNAME \000. alias.5.nfz0.yourdomain.com. 60 IN CNAME \000. alias.5.nfz0.yourdomain.com. 60 IN CNAME \000. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:16 +04 2025 ;; MSG SIZE rcvd: 120
By using the s<SIZE>
parameter, we can specify that the malformation should consist of multiple subdomains. In this example, we request the malformation to include 3 subdomains by adding the s3
parameter in the query. Without any other parameters, each subdomain will contain a single NULL byte (\000
):
# dig alias.5.nfz0.s3.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.s3.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6661 ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.5.nfz0.s3.yourdomain.com. IN A ;; ANSWER SECTION: alias.5.nfz0.s3.yourdomain.com. 60 IN CNAME \000.\000.\000. alias.5.nfz0.s3.yourdomain.com. 60 IN CNAME \000.\000.\000. alias.5.nfz0.s3.yourdomain.com. 60 IN CNAME \000.\000.\000. alias.5.nfz0.s3.yourdomain.com. 60 IN CNAME \000.\000.\000. alias.5.nfz0.s3.yourdomain.com. 60 IN CNAME \000.\000.\000. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:17 +04 2025 ;; MSG SIZE rcvd: 143
We can achieve the same result as the previous example by explicitly specifying the malformation variant m0
. The m0
variant is the default malformation, generating a single NULL byte (\000
):
# dig alias.5.nfz0.s3.m0.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.s3.m0.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53480 ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.5.nfz0.s3.m0.yourdomain.com. IN A ;; ANSWER SECTION: alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME \000.\000.\000. alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME \000.\000.\000. alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME \000.\000.\000. alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME \000.\000.\000. alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME \000.\000.\000. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:19 +04 2025 ;; MSG SIZE rcvd: 146
Note that the malformation parameter also allows specifying the size (length) of the malformation.
In this example, we request the malformation to consist of 2 NULL bytes. This can be achieved by including the m0.2
parameter in the query:
# dig alias.5.nfz0.s3.m0.2.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.s3.m0.2.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62731 ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.5.nfz0.s3.m0.2.yourdomain.com. IN A ;; ANSWER SECTION: alias.5.nfz0.s3.m0.2.yourdomain.com. 60 IN CNAME \000\000.\000\000.\000\000. alias.5.nfz0.s3.m0.2.yourdomain.com. 60 IN CNAME \000\000.\000\000.\000\000. alias.5.nfz0.s3.m0.2.yourdomain.com. 60 IN CNAME \000\000.\000\000.\000\000. alias.5.nfz0.s3.m0.2.yourdomain.com. 60 IN CNAME \000\000.\000\000.\000\000. alias.5.nfz0.s3.m0.2.yourdomain.com. 60 IN CNAME \000\000.\000\000.\000\000. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:20 +04 2025 ;; MSG SIZE rcvd: 163
As a result, each of the 3 subdomains now consists of 2 NULL bytes (\000
).
The malformation parameter (m
) supports 10 different malformation variants. So far, we have explored only NULL bytes. In this example, we generate a malformation consisting of random letters and numbers. This can be achieved by using the m2
malformation:
# dig alias.5.nfz0.s3.m2.2.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.s3.m2.2.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28755 ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.5.nfz0.s3.m2.2.yourdomain.com. IN A ;; ANSWER SECTION: alias.5.nfz0.s3.m2.2.yourdomain.com. 60 IN CNAME 2f.6s.nd. alias.5.nfz0.s3.m2.2.yourdomain.com. 60 IN CNAME 78.66.3r. alias.5.nfz0.s3.m2.2.yourdomain.com. 60 IN CNAME xm.5v.dt. alias.5.nfz0.s3.m2.2.yourdomain.com. 60 IN CNAME hp.lp.no. alias.5.nfz0.s3.m2.2.yourdomain.com. 60 IN CNAME wy.br.mo. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:21 +04 2025 ;; MSG SIZE rcvd: 163
As a result, each of the 3 subdomains now consists of 2 random letter and numbers.
Now, instead of generating a standalone malformation (using the nfz0
parameter), we can generate the malformation within a legitimate domain name, such as always123456.yourdomain.com
. To achieve this, we use the nfz4
variant while keeping all other parameters the same:
# dig alias.5.nfz4.s3.m2.2.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz4.s3.m2.2.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4808 ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.5.nfz4.s3.m2.2.yourdomain.com. IN A ;; ANSWER SECTION: alias.5.nfz4.s3.m2.2.yourdomain.com. 60 IN CNAME rn.at.qv.always202808.yourdomain.com. alias.5.nfz4.s3.m2.2.yourdomain.com. 60 IN CNAME em.mv.95.always132544.yourdomain.com. alias.5.nfz4.s3.m2.2.yourdomain.com. 60 IN CNAME 9x.zh.eg.always987898.yourdomain.com. alias.5.nfz4.s3.m2.2.yourdomain.com. 60 IN CNAME zx.86.82.always613148.yourdomain.com. alias.5.nfz4.s3.m2.2.yourdomain.com. 60 IN CNAME 1w.jf.pk.always884560.yourdomain.com. ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:22 +04 2025 ;; MSG SIZE rcvd: 303
We can see that the malformation occured at the beginning of the target domain name, which is the default insertion point (position).
We can change the position for the malformation using the p<POS>
parameter. There are 13 insertion points (positions) available. In this case, we request to insert the malformation in the middle of the target domain name by using the p4
paramater:
# dig alias.5.nfz4.s3.m2.2.p4.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz4.s3.m2.2.p4.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57600 ;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.5.nfz4.s3.m2.2.p4.yourdomain.com. IN A ;; ANSWER SECTION: alias.5.nfz4.s3.m2.2.p4.yourdomain.com. 60 IN CNAME always797836e5.a2.5qyourdomain.com. alias.5.nfz4.s3.m2.2.p4.yourdomain.com. 60 IN CNAME always165747u8.h2.0xyourdomain.com. alias.5.nfz4.s3.m2.2.p4.yourdomain.com. 60 IN CNAME always83654888.jl.mxyourdomain.com. alias.5.nfz4.s3.m2.2.p4.yourdomain.com. 60 IN CNAME always4981675j.4i.40yourdomain.com. alias.5.nfz4.s3.m2.2.p4.yourdomain.com. 60 IN CNAME always506886wl.vv.9jyourdomain.com. ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:24 +04 2025 ;; MSG SIZE rcvd: 296
We can see that the malformation occured in the middle of the target domain name.
It’s important to note that this generator can be used in conjunction with other features, not limited to the alias feature.
In this example, we use the mxalias feature to request the generation of 10 MX alias records. Additionally, we specify the insertion of 5 random bytes (malformation m6.5
) at the end of each domain name (position p11
):
# dig mxalias.10.nfz4.m6.5.p11.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> mxalias.10.nfz4.m6.5.p11.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64058 ;; flags: qr aa; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;mxalias.10.nfz4.m6.5.p11.yourdomain.com. IN A ;; ANSWER SECTION: mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always637611.yourdomain.como\146\189=\129. mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always031761.yourdomain.com\208\188>\176b. mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always995918.yourdomain.com\018W\151o\219. mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always759031.yourdomain.comY\176\238\228\020. mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always858743.yourdomain.comm=\024\173E. mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always175948.yourdomain.com\179\207y\.\148. mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always277526.yourdomain.com\192g\187J\026. mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always153513.yourdomain.com\016In\027h. mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always645000.yourdomain.comk\226\166\012H. mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always941773.yourdomain.com\203\211\232\156\021. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:25 +04 2025 ;; MSG SIZE rcvd: 537
The generator allows the creation of domain names that violate DNS standards, enabling experimentation with domain and subdomain lengths.
For instance, in this example, we generate a single domain (variant nfz0
) consisting of 63 random letters (malformation m2.63
). As you may know, DNS standards specify that a subdomain cannot exceed 63 characters in length:
# dig alias.nfz0.m2.63.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> alias.nfz0.m2.63.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9276 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.nfz0.m2.63.yourdomain.com. IN A ;; ANSWER SECTION: alias.nfz0.m2.63.yourdomain.com. 60 IN CNAME w8oh98hfydubgkm685edjt1xd0erx0ua8q9bcwwzigjcnhzpukxpgnenwjgqsnn. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:26 +04 2025 ;; MSG SIZE rcvd: 126
We can see that this domain name does not appear to cause any immediate issues.
Now, we modify the query to generate a single domain consisting of 64 random letters (malformation m2.64
). This directly violates DNS specifications, as a subdomain cannot exceed 63 characters in length:
# dig alias.nfz0.m2.64.yourdomain.com @127.0.0.1
;; Got bad packet: bad label type
127 bytes
40 a6 84 00 00 01 00 01 00 00 00 00 05 61 6c 69 @............ali
61 73 04 6e 66 7a 30 02 6d 32 02 36 34 0a 79 6f as.nfz0.m2.64.yo
75 72 64 6f 6d 61 69 6e 03 63 6f 6d 00 00 01 00 urdomain.com....
01 c0 0c 00 05 00 01 00 00 00 3c 00 42 40 31 6a ..........<.B@1j
73 6b 75 76 6d 32 77 35 32 69 77 6f 36 7a 37 6a skuvm2w52iwo6z7j
33 32 35 73 65 77 72 79 62 76 74 37 67 77 6a 73 325sewrybvt7gwjs
6d 6f 7a 32 64 6e 6c 37 65 30 61 79 62 6b 6c 76 moz2dnl7e0aybklv
70 6d 6e 67 35 34 78 39 69 30 6e 79 6e 70 00 pmng54x9i0nynp.
In this case, we can see that the client (dig) is unable to parse this response because the resulting subdomain length (64 characters) exceeds the limit specified in DNS standards.
By combining various parameters, we can generate countless variations of malformations.
In this example, we generate a simple malformation by inserting a NULL byte (\000
) into the target domain name at every possible position using different p<POS>
parameters. This allows us to observe how the malformation manifests at various positions within the domain name:
# dig alias.nfz6.m0.p0.yourdomain.com @127.0.0.1 +short --> \000.alias199246.yourdomain.com. # dig alias.nfz6.m0.p1.yourdomain.com @127.0.0.1 +short --> \000alias508882.yourdomain.com. # dig alias.nfz6.m0.p2.yourdomain.com @127.0.0.1 +short --> alias\000661625.yourdomain.com. # dig alias.nfz6.m0.p3.yourdomain.com @127.0.0.1 +short --> alias645718\000.yourdomain.com. # dig alias.nfz6.m0.p4.yourdomain.com @127.0.0.1 +short --> alias287171\000yourdomain.com. # dig alias.nfz6.m0.p5.yourdomain.com @127.0.0.1 +short --> alias359097.\000.yourdomain.com. # dig alias.nfz6.m0.p6.yourdomain.com @127.0.0.1 +short --> alias663104.\000yourdomain.com. # dig alias.nfz6.m0.p7.yourdomain.com @127.0.0.1 +short --> alias271369.yourdomain\000.com. # dig alias.nfz6.m0.p8.yourdomain.com @127.0.0.1 +short --> alias230516.yourdomain\000com. # dig alias.nfz6.m0.p9.yourdomain.com @127.0.0.1 +short --> alias704486.yourdomain.\000.com. # dig alias.nfz6.m0.p10.yourdomain.com @127.0.0.1 +short --> alias514658.yourdomain.\000com. # dig alias.nfz6.m0.p11.yourdomain.com @127.0.0.1 +short --> alias588767.yourdomain.com\000. # dig alias.nfz6.m0.p12.yourdomain.com @127.0.0.1 +short --> alias515164.yourdomain.com.\000.
Each of these malformations may have a slightly different impact on the parsing functions of a given software (client, server or library) processing these domain names.
In this example, we insert a literal dot (.
) symbol into the target domain name using the m9.1.46
malformation (where 46 is the ASCII decimal code for a dot). The insertion is applied at every possible position using different p<POS>
parameters. This allows us to observe how the malformation appears at various positions within the domain name:
# dig alias.nfz6.m9.1.46.p0.yourdomain.com @127.0.0.1 +short --> \..alias143613.yourdomain.com. # dig alias.nfz6.m9.1.46.p1.yourdomain.com @127.0.0.1 +short --> \.alias943137.yourdomain.com. # dig alias.nfz6.m9.1.46.p2.yourdomain.com @127.0.0.1 +short --> alias\.340205.yourdomain.com. # dig alias.nfz6.m9.1.46.p3.yourdomain.com @127.0.0.1 +short --> alias484224\..yourdomain.com. # dig alias.nfz6.m9.1.46.p4.yourdomain.com @127.0.0.1 +short --> alias169565\.yourdomain.com. # dig alias.nfz6.m9.1.46.p5.yourdomain.com @127.0.0.1 +short --> alias817510.\..yourdomain.com. # dig alias.nfz6.m9.1.46.p6.yourdomain.com @127.0.0.1 +short --> alias245800.\.yourdomain.com. # dig alias.nfz6.m9.1.46.p7.yourdomain.com @127.0.0.1 +short --> alias011536.yourdomain\..com. # dig alias.nfz6.m9.1.46.p8.yourdomain.com @127.0.0.1 +short --> alias997207.yourdomain\.com. # dig alias.nfz6.m9.1.46.p9.yourdomain.com @127.0.0.1 +short --> alias956856.yourdomain.\..com. # dig alias.nfz6.m9.1.46.p10.yourdomain.com @127.0.0.1 +short --> alias058339.yourdomain.\.com. # dig alias.nfz6.m9.1.46.p11.yourdomain.com @127.0.0.1 +short --> alias722072.yourdomain.com\.. # dig alias.nfz6.m9.1.46.p12.yourdomain.com @127.0.0.1 +short --> alias174168.yourdomain.com.\..
Each of these malformations could once again cause different problems when parsing these domain names.
In the last example, we generate a malformed domain name consisting of 127 subdomains, each composed of a single literal dot (.
) symbol:
# dig alias.s127.nfz0.m9.1.46.yourdomain.com @127.0.0.1 +noidnout ; <<>> DiG 9.18.10-2-Debian <<>> alias.s127.nfz0.m9.1.46.yourdomain.com @127.0.0.1 +noidnout ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39363 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;alias.s127.nfz0.m9.1.46.yourdomain.com. IN A ;; ANSWER SECTION: alias.s127.nfz0.m9.1.46.yourdomain.com. 60 IN CNAME \..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\.. ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Jan 29 15:12:32 +04 2025 ;; MSG SIZE rcvd: 323
This can certainly confuse some resolvers or clients.
From the same category
- AFuzz1 - Single A Record with Arbitrary Byte
- AFuzz2 - Many Bogus A Records and Legit A Record
- BigBinTxt - TXT Record with Multiple Binary Strings
- BigTxt - TXT Record with Multiple Text Strings
- ManyBinTxt - Many TXT Records with Binary Data
- ManyTxt - Many TXT Records with Random Text