Nfz - Name Fuzzing Generator

Nfz - Name Fuzzing Generator

This modifier allows to generate various illegal and malformed domain names based on the selected variant and size.

This generator was primarily created for the alias features (such as alias, cnalias, dnalias, etc.) to provide a unified mechanism for generating malformed domain names.

The module enables experimentation with the structure of domain names and the key aspects and limitations of how domain names and IP addresses are transmitted during DNS communication. The most notable aspects include:

  • DNS name notation defines how domain names are represented and transmitted over the network. In this notation, each domain is divided into subdomains (labels), with the size of each label prepended before the label itself. The domain name ends with a NULL byte, representing the ROOT domain.

    • For example: www.example.com is transmitted as [3]www[7]example[3]com[0]. Note that actual dot (.) symbols are never transmitted.
  • The total size of a domain name cannot exceed 253 characters.

  • The size of a single label (a subdomain) cannot exceed 63 characters.

  • IP addresses are transmitted as raw bytes. An IPv4 address simply consists of 4 consecutive bytes, and an IPv6 address consists of 16 consecutive bytes. Actual dot (.) or colon (:) symbols are never transmitted.

  • Permitted characters in domain names include letters (a-z), digits (0-9), and hyphens (-). While domain names typically use ASCII characters, internationalized domain names (IDNs) rely on Punycode to represent non-ASCII characters.

  • Domain names cannot contain binary or non-printable characters. Additionally:

    • Labels (subdomains) cannot begin or end with a hyphen (-).

    • Spaces and special characters (like @, #, $, etc.) are not allowed.

    • Domain names are case-insensitive (e.g., Example.COM is equivalent to example.com).

Category: Fuzzing

RFCs: RFC1034, RFC1035

Format

*.nfz<VARIANT>.s<SUBDOMAINS>.m<MALFORMATION>.p<POSITION>.*

Where:

  • The VARIANT parameter specifies the particular name fuzzing variant. The following 7 customizable variants are supported:

    • nfz0 generates a standalone malformation only.

    • nfz1 generates a malformation within the always.yourdomain.com (resolvable) domain.

    • nfz2 generates a malformation within the nonres.yourdomain.com (non-resolvable) domain.

    • nfz3 generates a malformation within the same feature domain (e.g., alias.yourdomain.com).

    • nfz4 generates a malformation within the always######.yourdomain.com (resolvable) domain, where ###### represents a random number.

    • nfz5 generates a malformation within the nonres######.yourdomain.com (non-resolvable) domain, where ###### represents a random number.

    • nfz6 generates a malformation within the same feature domain (e.g., alias######.yourdomain.com), where ###### represents a random number.

  • The SUBDOMAINS parameter specifies the number of subdomains that the malformation should consist of. By default, a single subdomain is generated if this parameter is not specified.

  • The MALFORMATION parameter specifies the type of malformation to generate. There are 10 different variants supported, which produce the following results:

    • m0.[SIZE] generates NULL byte string of the specified size.

    • m1.[SIZE] generates a string made of random letter or number, with the same character repeated.

    • m2.[SIZE] generates a string made of random letter or number, with each character being random.

    • m3.[SIZE] generates a string made of random printable character, with the same character repeated.

    • m4.[SIZE] generates a string made of random printable character, with each character being random.

    • m5.[SIZE] generates random byte string with the same byte repeated.

    • m6.[SIZE] generates random byte string with each byte being random.

    • m7.[SIZE] generates incremental byte string with the same byte repeated.

    • m8.[SIZE] generates incremental byte string with each byte being incremented.

    • m9.[SIZE].[BYTE] generates a string made of a specific byte value and size.

  • The POSITION parameter specifies the insertion point where the malformation should occur. This is applicable only to nfz1 through nfz6 variants, with the following 13 insertion points (positions) available:

    • p0 generates malformation <HERE>.always######.yourdomain.com.

    • p1 generates malformation <HERE>always######.yourdomain.com.

    • p2 generates malformation always<HERE>######.yourdomain.com.

    • p3 generates malformation always######<HERE>.yourdomain.com.

    • p4 generates malformation always######<HERE>yourdomain.com.

    • p5 generates malformation always######.<HERE>.yourdomain.com.

    • p6 generates malformation always######.<HERE>yourdomain.com.

    • p7 generates malformation always######.yourdomain<HERE>.com.

    • p8 generates malformation always######.yourdomain<HERE>com.

    • p9 generates malformation always######.yourdomain.<HERE>.com.

    • p10 generates malformation always######.yourdomain.<HERE>com.

    • p11 generates malformation always######.yourdomain.com<HERE>.

    • p12 generates malformation always######.yourdomain.com.<HERE>.

Additionaly, the following alternative format is supported without any other additional parameters:

*.nfz<VARIANT>.*

Where:

  • The VARIANT parameter specifies the particular name fuzzing variant. The following 12 non-customizable variants are supported:

    • nfz7 generates only the ROOT domain (.)

    • nfz8 generates a malformed name consisting of a random domain in the format always######.yourdomain.com:80

    • nfz9 generates a malformed name consisting of a random domain in the format always######.yourdomain.com:443

    • nfz10 generates a malformed name consisting of a random domain in the format http://always######.yourdomain.com/

    • nfz11 generates a malformed name consisting of a random domain in the format http://always######.yourdomain.com:80/

    • nfz12 generates a malformed name consisting of a random domain in the format https://always######.yourdomain.com/

    • nfz13 generates a malformed name consisting of a random domain in the format https://always######.yourdomain.com:443/

    • nfz14 generates a malformed name consisting of 1.2.3.4 (an IP address in DNS name notation)

    • nfz15 generates a malformed name consisting of 1.2.3.4:80 (an IP address and port in DNS name notation)

    • nfz16 generates a malformed name consisting of 1\.2\.3\.4 (an IP address in DNS name notation, represented as a single label with literal dot symbols)

    • nfz17 generates a malformed name consisting of 1\.2\.3\.4:80 (an IP address and port in DNS name notation, represented as a single label with literal dot symbols)

    • nfz18 generates a malformed name consisting of 127.0.0.1 (our own IP address in DNS name notation)

    • nfz19 generates a malformed name consisting of 127.0.0.1:80 (our own IP address and port in DNS name notation)

Examples

To demonstrate the capabilities of this name fuzzing generator, all the examples below use the alias feature to produce five CNAME sample alias records. The target domain names are malformed using the generator in different configurations and combinations.

For reference, the first example demonstrates the default behavior of the alias feature without involving any name fuzzing:

# dig alias.5.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> alias.5.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16317
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.5.yourdomain.com.		IN	A

;; ANSWER SECTION:
alias.5.yourdomain.com.	60	IN	CNAME	alias259422.5.yourdomain.com.
alias.5.yourdomain.com.	60	IN	CNAME	alias434060.5.yourdomain.com.
alias.5.yourdomain.com.	60	IN	CNAME	alias415975.5.yourdomain.com.
alias.5.yourdomain.com.	60	IN	CNAME	alias183368.5.yourdomain.com.
alias.5.yourdomain.com.	60	IN	CNAME	alias644227.5.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:15 +04 2025
;; MSG SIZE  rcvd: 250

Download PCAP File


Now we incorporate the name fuzzer into the query. In this example, we use the nfz0 variant which generates a standalone malformation. Without any additional options, it generates a malformation consisting of a single NULL byte (\000):

# dig alias.5.nfz0.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64356
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.5.nfz0.yourdomain.com.	IN	A

;; ANSWER SECTION:
alias.5.nfz0.yourdomain.com. 60	IN	CNAME	\000.
alias.5.nfz0.yourdomain.com. 60	IN	CNAME	\000.
alias.5.nfz0.yourdomain.com. 60	IN	CNAME	\000.
alias.5.nfz0.yourdomain.com. 60	IN	CNAME	\000.
alias.5.nfz0.yourdomain.com. 60	IN	CNAME	\000.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:16 +04 2025
;; MSG SIZE  rcvd: 120

Download PCAP File


By using the s<SIZE> parameter, we can specify that the malformation should consist of multiple subdomains. In this example, we request the malformation to include 3 subdomains by adding the s3 parameter in the query. Without any other parameters, each subdomain will contain a single NULL byte (\000):

# dig alias.5.nfz0.s3.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.s3.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6661
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.5.nfz0.s3.yourdomain.com.	IN	A

;; ANSWER SECTION:
alias.5.nfz0.s3.yourdomain.com.	60 IN	CNAME	\000.\000.\000.
alias.5.nfz0.s3.yourdomain.com.	60 IN	CNAME	\000.\000.\000.
alias.5.nfz0.s3.yourdomain.com.	60 IN	CNAME	\000.\000.\000.
alias.5.nfz0.s3.yourdomain.com.	60 IN	CNAME	\000.\000.\000.
alias.5.nfz0.s3.yourdomain.com.	60 IN	CNAME	\000.\000.\000.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:17 +04 2025
;; MSG SIZE  rcvd: 143

Download PCAP File


We can achieve the same result as the previous example by explicitly specifying the malformation variant m0. The m0 variant is the default malformation, generating a single NULL byte (\000):

# dig alias.5.nfz0.s3.m0.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.s3.m0.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53480
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.5.nfz0.s3.m0.yourdomain.com. IN	A

;; ANSWER SECTION:
alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME	\000.\000.\000.
alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME	\000.\000.\000.
alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME	\000.\000.\000.
alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME	\000.\000.\000.
alias.5.nfz0.s3.m0.yourdomain.com. 60 IN CNAME	\000.\000.\000.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:19 +04 2025
;; MSG SIZE  rcvd: 146

Download PCAP File

Note that the malformation parameter also allows specifying the size (length) of the malformation.


In this example, we request the malformation to consist of 2 NULL bytes. This can be achieved by including the m0.2 parameter in the query:

# dig alias.5.nfz0.s3.m0.2.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.s3.m0.2.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62731
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.5.nfz0.s3.m0.2.yourdomain.com. IN	A

;; ANSWER SECTION:
alias.5.nfz0.s3.m0.2.yourdomain.com. 60	IN CNAME \000\000.\000\000.\000\000.
alias.5.nfz0.s3.m0.2.yourdomain.com. 60	IN CNAME \000\000.\000\000.\000\000.
alias.5.nfz0.s3.m0.2.yourdomain.com. 60	IN CNAME \000\000.\000\000.\000\000.
alias.5.nfz0.s3.m0.2.yourdomain.com. 60	IN CNAME \000\000.\000\000.\000\000.
alias.5.nfz0.s3.m0.2.yourdomain.com. 60	IN CNAME \000\000.\000\000.\000\000.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:20 +04 2025
;; MSG SIZE  rcvd: 163

Download PCAP File

As a result, each of the 3 subdomains now consists of 2 NULL bytes (\000).


The malformation parameter (m) supports 10 different malformation variants. So far, we have explored only NULL bytes. In this example, we generate a malformation consisting of random letters and numbers. This can be achieved by using the m2 malformation:

# dig alias.5.nfz0.s3.m2.2.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz0.s3.m2.2.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28755
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.5.nfz0.s3.m2.2.yourdomain.com. IN	A

;; ANSWER SECTION:
alias.5.nfz0.s3.m2.2.yourdomain.com. 60	IN CNAME 2f.6s.nd.
alias.5.nfz0.s3.m2.2.yourdomain.com. 60	IN CNAME 78.66.3r.
alias.5.nfz0.s3.m2.2.yourdomain.com. 60	IN CNAME xm.5v.dt.
alias.5.nfz0.s3.m2.2.yourdomain.com. 60	IN CNAME hp.lp.no.
alias.5.nfz0.s3.m2.2.yourdomain.com. 60	IN CNAME wy.br.mo.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:21 +04 2025
;; MSG SIZE  rcvd: 163

Download PCAP File

As a result, each of the 3 subdomains now consists of 2 random letter and numbers.


Now, instead of generating a standalone malformation (using the nfz0 parameter), we can generate the malformation within a legitimate domain name, such as always123456.yourdomain.com. To achieve this, we use the nfz4 variant while keeping all other parameters the same:

# dig alias.5.nfz4.s3.m2.2.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz4.s3.m2.2.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4808
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.5.nfz4.s3.m2.2.yourdomain.com. IN	A

;; ANSWER SECTION:
alias.5.nfz4.s3.m2.2.yourdomain.com. 60	IN CNAME rn.at.qv.always202808.yourdomain.com.
alias.5.nfz4.s3.m2.2.yourdomain.com. 60	IN CNAME em.mv.95.always132544.yourdomain.com.
alias.5.nfz4.s3.m2.2.yourdomain.com. 60	IN CNAME 9x.zh.eg.always987898.yourdomain.com.
alias.5.nfz4.s3.m2.2.yourdomain.com. 60	IN CNAME zx.86.82.always613148.yourdomain.com.
alias.5.nfz4.s3.m2.2.yourdomain.com. 60	IN CNAME 1w.jf.pk.always884560.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:22 +04 2025
;; MSG SIZE  rcvd: 303

Download PCAP File

We can see that the malformation occured at the beginning of the target domain name, which is the default insertion point (position).


We can change the position for the malformation using the p<POS> parameter. There are 13 insertion points (positions) available. In this case, we request to insert the malformation in the middle of the target domain name by using the p4 paramater:

# dig alias.5.nfz4.s3.m2.2.p4.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> alias.5.nfz4.s3.m2.2.p4.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57600
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.5.nfz4.s3.m2.2.p4.yourdomain.com.	IN A

;; ANSWER SECTION:
alias.5.nfz4.s3.m2.2.p4.yourdomain.com.	60 IN CNAME always797836e5.a2.5qyourdomain.com.
alias.5.nfz4.s3.m2.2.p4.yourdomain.com.	60 IN CNAME always165747u8.h2.0xyourdomain.com.
alias.5.nfz4.s3.m2.2.p4.yourdomain.com.	60 IN CNAME always83654888.jl.mxyourdomain.com.
alias.5.nfz4.s3.m2.2.p4.yourdomain.com.	60 IN CNAME always4981675j.4i.40yourdomain.com.
alias.5.nfz4.s3.m2.2.p4.yourdomain.com.	60 IN CNAME always506886wl.vv.9jyourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:24 +04 2025
;; MSG SIZE  rcvd: 296

Download PCAP File

We can see that the malformation occured in the middle of the target domain name.


It’s important to note that this generator can be used in conjunction with other features, not limited to the alias feature.

In this example, we use the mxalias feature to request the generation of 10 MX alias records. Additionally, we specify the insertion of 5 random bytes (malformation m6.5) at the end of each domain name (position p11):

# dig mxalias.10.nfz4.m6.5.p11.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> mxalias.10.nfz4.m6.5.p11.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64058
;; flags: qr aa; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mxalias.10.nfz4.m6.5.p11.yourdomain.com. IN A

;; ANSWER SECTION:
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always637611.yourdomain.como\146\189=\129.
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always031761.yourdomain.com\208\188>\176b.
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always995918.yourdomain.com\018W\151o\219.
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always759031.yourdomain.comY\176\238\228\020.
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always858743.yourdomain.comm=\024\173E.
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always175948.yourdomain.com\179\207y\.\148.
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always277526.yourdomain.com\192g\187J\026.
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always153513.yourdomain.com\016In\027h.
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always645000.yourdomain.comk\226\166\012H.
mxalias.10.nfz4.m6.5.p11.yourdomain.com. 60 IN MX 0 always941773.yourdomain.com\203\211\232\156\021.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:25 +04 2025
;; MSG SIZE  rcvd: 537

Download PCAP File


The generator allows the creation of domain names that violate DNS standards, enabling experimentation with domain and subdomain lengths.

For instance, in this example, we generate a single domain (variant nfz0) consisting of 63 random letters (malformation m2.63). As you may know, DNS standards specify that a subdomain cannot exceed 63 characters in length:

# dig alias.nfz0.m2.63.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> alias.nfz0.m2.63.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9276
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.nfz0.m2.63.yourdomain.com. IN	A

;; ANSWER SECTION:
alias.nfz0.m2.63.yourdomain.com. 60 IN	CNAME	w8oh98hfydubgkm685edjt1xd0erx0ua8q9bcwwzigjcnhzpukxpgnenwjgqsnn.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:26 +04 2025
;; MSG SIZE  rcvd: 126

Download PCAP File

We can see that this domain name does not appear to cause any immediate issues.


Now, we modify the query to generate a single domain consisting of 64 random letters (malformation m2.64). This directly violates DNS specifications, as a subdomain cannot exceed 63 characters in length:

# dig alias.nfz0.m2.64.yourdomain.com @127.0.0.1

;; Got bad packet: bad label type
127 bytes
40 a6 84 00 00 01 00 01 00 00 00 00 05 61 6c 69          @............ali
61 73 04 6e 66 7a 30 02 6d 32 02 36 34 0a 79 6f          as.nfz0.m2.64.yo
75 72 64 6f 6d 61 69 6e 03 63 6f 6d 00 00 01 00          urdomain.com....
01 c0 0c 00 05 00 01 00 00 00 3c 00 42 40 31 6a          ..........<.B@1j
73 6b 75 76 6d 32 77 35 32 69 77 6f 36 7a 37 6a          skuvm2w52iwo6z7j
33 32 35 73 65 77 72 79 62 76 74 37 67 77 6a 73          325sewrybvt7gwjs
6d 6f 7a 32 64 6e 6c 37 65 30 61 79 62 6b 6c 76          moz2dnl7e0aybklv
70 6d 6e 67 35 34 78 39 69 30 6e 79 6e 70 00             pmng54x9i0nynp.

Download PCAP File

In this case, we can see that the client (dig) is unable to parse this response because the resulting subdomain length (64 characters) exceeds the limit specified in DNS standards.

By combining various parameters, we can generate countless variations of malformations.


In this example, we generate a simple malformation by inserting a NULL byte (\000) into the target domain name at every possible position using different p<POS> parameters. This allows us to observe how the malformation manifests at various positions within the domain name:

# dig alias.nfz6.m0.p0.yourdomain.com @127.0.0.1 +short  -->  \000.alias199246.yourdomain.com.
# dig alias.nfz6.m0.p1.yourdomain.com @127.0.0.1 +short  -->  \000alias508882.yourdomain.com.
# dig alias.nfz6.m0.p2.yourdomain.com @127.0.0.1 +short  -->  alias\000661625.yourdomain.com.
# dig alias.nfz6.m0.p3.yourdomain.com @127.0.0.1 +short  -->  alias645718\000.yourdomain.com.
# dig alias.nfz6.m0.p4.yourdomain.com @127.0.0.1 +short  -->  alias287171\000yourdomain.com.
# dig alias.nfz6.m0.p5.yourdomain.com @127.0.0.1 +short  -->  alias359097.\000.yourdomain.com.
# dig alias.nfz6.m0.p6.yourdomain.com @127.0.0.1 +short  -->  alias663104.\000yourdomain.com.
# dig alias.nfz6.m0.p7.yourdomain.com @127.0.0.1 +short  -->  alias271369.yourdomain\000.com.
# dig alias.nfz6.m0.p8.yourdomain.com @127.0.0.1 +short  -->  alias230516.yourdomain\000com.
# dig alias.nfz6.m0.p9.yourdomain.com @127.0.0.1 +short  -->  alias704486.yourdomain.\000.com.
# dig alias.nfz6.m0.p10.yourdomain.com @127.0.0.1 +short  -->  alias514658.yourdomain.\000com.
# dig alias.nfz6.m0.p11.yourdomain.com @127.0.0.1 +short  -->  alias588767.yourdomain.com\000.
# dig alias.nfz6.m0.p12.yourdomain.com @127.0.0.1 +short  -->  alias515164.yourdomain.com.\000.

Download PCAP File

Each of these malformations may have a slightly different impact on the parsing functions of a given software (client, server or library) processing these domain names.


In this example, we insert a literal dot (.) symbol into the target domain name using the m9.1.46 malformation (where 46 is the ASCII decimal code for a dot). The insertion is applied at every possible position using different p<POS> parameters. This allows us to observe how the malformation appears at various positions within the domain name:

# dig alias.nfz6.m9.1.46.p0.yourdomain.com @127.0.0.1 +short  -->  \..alias143613.yourdomain.com.
# dig alias.nfz6.m9.1.46.p1.yourdomain.com @127.0.0.1 +short  -->  \.alias943137.yourdomain.com.
# dig alias.nfz6.m9.1.46.p2.yourdomain.com @127.0.0.1 +short  -->  alias\.340205.yourdomain.com.
# dig alias.nfz6.m9.1.46.p3.yourdomain.com @127.0.0.1 +short  -->  alias484224\..yourdomain.com.
# dig alias.nfz6.m9.1.46.p4.yourdomain.com @127.0.0.1 +short  -->  alias169565\.yourdomain.com.
# dig alias.nfz6.m9.1.46.p5.yourdomain.com @127.0.0.1 +short  -->  alias817510.\..yourdomain.com.
# dig alias.nfz6.m9.1.46.p6.yourdomain.com @127.0.0.1 +short  -->  alias245800.\.yourdomain.com.
# dig alias.nfz6.m9.1.46.p7.yourdomain.com @127.0.0.1 +short  -->  alias011536.yourdomain\..com.
# dig alias.nfz6.m9.1.46.p8.yourdomain.com @127.0.0.1 +short  -->  alias997207.yourdomain\.com.
# dig alias.nfz6.m9.1.46.p9.yourdomain.com @127.0.0.1 +short  -->  alias956856.yourdomain.\..com.
# dig alias.nfz6.m9.1.46.p10.yourdomain.com @127.0.0.1 +short  -->  alias058339.yourdomain.\.com.
# dig alias.nfz6.m9.1.46.p11.yourdomain.com @127.0.0.1 +short  -->  alias722072.yourdomain.com\..
# dig alias.nfz6.m9.1.46.p12.yourdomain.com @127.0.0.1 +short  -->  alias174168.yourdomain.com.\..

Download PCAP File

Each of these malformations could once again cause different problems when parsing these domain names.


In the last example, we generate a malformed domain name consisting of 127 subdomains, each composed of a single literal dot (.) symbol:

# dig alias.s127.nfz0.m9.1.46.yourdomain.com @127.0.0.1 +noidnout

; <<>> DiG 9.18.10-2-Debian <<>> alias.s127.nfz0.m9.1.46.yourdomain.com @127.0.0.1 +noidnout
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39363
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;alias.s127.nfz0.m9.1.46.yourdomain.com.	IN A

;; ANSWER SECTION:
alias.s127.nfz0.m9.1.46.yourdomain.com.	60 IN CNAME \..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Jan 29 15:12:32 +04 2025
;; MSG SIZE  rcvd: 323

Download PCAP File

This can certainly confuse some resolvers or clients.


From the same category


Go back to catalogue.