Noq - Remove the Query Section
This modifier is designed to remove the entire Query section (question) from the DNS response body.
It's important to note that this does not change the number of Question RRs indicated in the DNS header. To modify the number of Question RRs in the DNS header, use the qurr modifier.
This modifier is compatible with and can be combined with any other existing feature or modifier.
Category: Packet manipulation
Format
*.noq.*
This module has no parameters.
Examples
All the examples below use the basic always feature which always resolves to an IP address.
In this example, we request the removal of the Query section from the DNS response body. This results in a bad compression pointer error because the DNS compression is enabled by default. The error occurs because the Name field in the Answer section contains a pointer that references itself instead of pointing to the domain name in the now-missing Query section:
# dig always.noq.yourdomain.com @127.0.0.1 ;; Got bad packet: bad compression pointer 28 bytes e4 c5 84 00 00 01 00 01 00 00 00 00 c0 0c 00 01 ................ 00 01 00 00 00 3c 00 04 02 03 04 05 .....<......
Similar to the previous example, but in this case we also disable the DNS compression (using the nc modifier). This leads to a malformed message packet warning because the number of Question RRs (1) and Answer RRs (1) indicated in the header does not match the actual number of questions (0) and answers (1) in the body, as we removed the Query section from the body. Consequently, the entire body is shifted upwards, and what was intended as the Answer is now treated as the Query, leaving no actual Answer in the body:
# dig always.noq.nc.yourdomain.com @127.0.0.1 ;; Warning: Message parser reports malformed message packet. ; <<>> DiG 9.18.10-2-Debian <<>> always.noq.nc.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37189 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: Message has 9 extra bytes at end ;; QUESTION SECTION: ;always.noq.nc.yourdomain.com. IN A ;; Query time: 3 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Oct 22 09:49:38 +04 2024 ;; MSG SIZE rcvd: 56
Expanding on the previous example, here we also modify the number of Question RRs in the header to 0 (using the qurr modifier) to affirm that there truly are no questions in this DNS response. This adjustment results in a legitimate DNS response that contains only the Answer section. Although highly unusual, this combination produces a correctly formatted DNS response which is also accepted by the client (dig):
# dig always.noq.nc.qurr0.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> always.noq.nc.qurr0.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20293 ;; flags: qr aa; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; ANSWER SECTION: always.noq.nc.qurr0.yourdomain.com. 60 IN A 2.3.4.5 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Oct 22 09:49:39 +04 2024 ;; MSG SIZE rcvd: 62
From the same category
- Add - Add N Bytes to the End of the Packet
- Cnk - Send Response in Chunks (TCP only)
- Cut - Cut N Bytes from the End of the Packet
- Fc - Force Compression
- Len - Set Custom Length in TCP
- Nc - No Compression
- Rl - Recalculate Length in TCP
- Slp - Add a Delay (Latency)
- Tc - Set Truncated Flag (Force TCP Mode)
- Ttl - Set Custom TTL Value
See also
- NewId - Set Random Transaction ID
- Flgs - Set Custom Flags in the Header
- Qurr - Set Question RRs in the Header
- Anrr - Set Answer RRs in the Header
- Aurr - Set Authority RRs in the Header
- Adrr - Set Additional RRs in the Header