Noq - Remove the Query Section

This modifier is designed to remove the entire Query section (question) from the DNS response body.

It's important to note that this does not change the number of Question RRs indicated in the DNS header. To modify the number of Question RRs in the DNS header, use the qurr modifier.

This modifier is compatible with and can be combined with any other existing feature or modifier.

Category: Packet manipulation

Format

*.noq.*

This module has no parameters.

Examples

All the examples below use the basic always feature which always resolves to an IP address.

In this example, we request the removal of the Query section from the DNS response body. This results in a bad compression pointer error because DNS compression is enabled by default: the Name field in the Answer section contains a compression pointer that now references itself instead of pointing to the domain name in the removed Query section:

# dig always.noq.yourdomain.com @127.0.0.1

;; Got bad packet: bad compression pointer
28 bytes
e4 c5 84 00 00 01 00 01 00 00 00 00 c0 0c 00 01          ................
00 01 00 00 00 3c 00 04 02 03 04 05                      .....<......

Similar to the previous example, but in this case we also disable the DNS compression (using the nc modifier). This leads to a malformed message packet warning because the number of Question RRs (1) and Answer RRs (1) indicated in the header does not match the actual number of questions (0) and answers (1) in the body, as we removed the Query section from the body. Consequently, the entire body is shifted upwards, and what was intended as the Answer is now treated as the Query, leaving no actual Answer in the body:

# dig always.noq.nc.yourdomain.com @127.0.0.1

;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.18.10-2-Debian <<>> always.noq.nc.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37189
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 9 extra bytes at end

;; QUESTION SECTION:
;always.noq.nc.yourdomain.com.	IN	A

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Oct 22 09:49:38 +04 2024
;; MSG SIZE  rcvd: 56

Expanding on the previous example, here we also modify the number of Question RRs in the header to 0 (using the qurr modifier) to affirm that there truly are no questions in this DNS response. This adjustment results in a legitimate DNS response that contains only the Answer section. Although highly unusual, this combination produces a correctly formatted DNS response which is also accepted by the client (dig):

# dig always.noq.nc.qurr0.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> always.noq.nc.qurr0.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20293
;; flags: qr aa; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
always.noq.nc.qurr0.yourdomain.com. 60 IN A	2.3.4.5

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Tue Oct 22 09:49:39 +04 2024
;; MSG SIZE  rcvd: 62

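The following Python example is added here and is not code from this page or from the tool it documents. It constructs the three responses above (layout and sizes chosen to match the dig output and the hex dump, including the id e4c5) and parses them the way a client does, so each failure mode can be seen in code: the self-referencing c0 0c pointer, the QDCOUNT/body mismatch that makes the Answer parse as the Question, and the valid qurr0 case.

```python
import struct

def read_labels(msg, off):
    """Decode a name at off.  A pointer must refer to an earlier offset (RFC 1035);
    one pointing at itself or forward is the 'bad compression pointer' dig reports."""
    labels = []
    while True:
        n = msg[off]  # IndexError here means the name runs off the end
        if n & 0xC0 == 0xC0:  # two-byte pointer: 11xxxxxx xxxxxxxx
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError(f"bad compression pointer {ptr} at offset {off}")
            return labels + read_labels(msg, ptr)[0], off + 2
        off += 1
        if n == 0:  # root label ends the name
            return labels, off
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_response(msg):
    """Walk the sections the header claims (QDCOUNT questions, then ANCOUNT answers)
    and return the parsed result, or the error that would stop a client."""
    try:
        msg_id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
        off, questions, answers = 12, [], []
        for _ in range(qd):
            labels, off = read_labels(msg, off)
            questions.append((".".join(labels) + ".",) + struct.unpack("!HH", msg[off:off + 4]))
            off += 4
        for _ in range(an):  # if QDCOUNT is wrong, this starts inside the shifted answer
            labels, off = read_labels(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if off + 10 + rdlen > len(msg):
                raise ValueError("truncated rdata")
            answers.append((".".join(labels) + ".", rtype, ttl, msg[off + 10:off + 10 + rdlen]))
            off += 10 + rdlen
        return {"id": msg_id, "questions": questions, "answers": answers, "extra_bytes": len(msg) - off}
    except (ValueError, IndexError, struct.error) as e:
        return {"error": f"malformed message: {e}"}

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_noq_response(qname, compressed, qdcount):
    """Constructed noq-style response: header claiming qdcount questions, no Question
    section, one A record 2.3.4.5 (TTL 60) named by the c0 0c pointer or by qname (nc)."""
    header = struct.pack("!6H", 0xE4C5, 0x8400, qdcount, 1, 0, 0)  # id, flags qr|aa, counts
    owner = b"\xc0\x0c" if compressed else encode_name(qname)
    return header + owner + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([2, 3, 4, 5])
```

The compressed variant reproduces the 28-byte dump above exactly; the nc variants come out at 56 and 62 bytes, matching the MSG SIZE values dig printed.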