NptEnumAlias - Random NAPTR ENUM Aliases

This module implements random aliases using NAPTR (Naming Authority Pointer) ENUM records, which are used to map identifiers like telephone numbers to a variety of service URIs, including SIP addresses, voicemail systems, and web or email addresses.

This module is specifically designed to handle DNS queries that translate telephone numbers into SIP service URIs using the E.164 format. In this format, a phone number such as 1234567890 is transformed into the reversed sequence 0.9.8.7.6.5.4.3.2.1.e164.arpa. This domain is then queried in DNS to identify the corresponding designated SIP service address.

When this module receives a NAPTR DNS query for translating a telephone number ending with the digit 1, it will generate a response with a SIP service URI. This URI will point to another (random) phone number, also formatted in the E.164 standard and ending with the digit 1.

The idea is that if the resolver/client decides to resolve this E.164 address, it will result in the generation of yet another alias, potentially creating an infinite chain of random aliases. Although NAPTR ENUM records do not function as direct aliases like CNAME records, this setup could theoretically produce a similar effect by compelling the client to perform consecutive queries to resolve it.

Additionally, this module can respond with multiple NAPTR records. The number of records generated is determined by the second digit of the E.164 address (the second-to-last digit of the phone number). For example, a query for a phone number such as 1234567891 (converted to 1.9.8.7.6.5.4.3.2.1.e164.arpa in the E.164 format) will generate nine NAPTR records.

BEWARE: This can potentially lead to an amplification effect (DoS) or domain lock-up (DoS).
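
A client-side guard against the chaining and multi-record behaviour described above, as an added example (not code from this module or its project): it caps both the number of ENUM-to-ENUM hops and the number of NAPTR records accepted per answer. The lookup callback, the chained() stand-in and both budget values are assumptions made for illustration.

```python
import re

MAX_HOPS = 5      # assumed budget: ENUM-to-ENUM hops followed per resolution
MAX_RECORDS = 4   # assumed budget: NAPTR records accepted in one answer
NAPTR_RE = re.compile(
    r'\sNAPTR\s+(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+\S+')

def enum_domain(number):
    """E.164 number -> ENUM owner name: digits reversed and dot-separated."""
    return ".".join(reversed(re.sub(r"\D", "", number))) + ".e164.arpa"

def parse_naptr(line):
    """Parse one dig-style NAPTR answer line; None if it is not a NAPTR record."""
    m = NAPTR_RE.search(line)
    if not m:
        return None
    order, pref, flags, service, regexp = m.groups()
    return int(order), int(pref), flags.upper(), service, regexp

def rewrite(regexp, aus):
    """Apply a NAPTR regexp field (delim ERE delim replacement delim flags).
    Assumes the delimiter does not occur inside the ERE or the replacement."""
    ere, repl, flags = regexp[1:].split(regexp[0])
    return re.sub(ere, repl, aus, count=1, flags=re.I if "i" in flags else 0)

def resolve_enum(number, lookup, max_hops=MAX_HOPS, max_records=MAX_RECORDS):
    """Resolve a number via `lookup(name) -> answer lines` (hypothetical callback),
    refusing oversized answers and unbounded ENUM-to-ENUM chains."""
    aus, name = "+" + re.sub(r"\D", "", number), enum_domain(number)
    for hop in range(max_hops):
        records = [r for r in map(parse_naptr, lookup(name)) if r]
        if len(records) > max_records:
            return "rejected", f"{len(records)} NAPTR records at {name}", hop
        usable = sorted(r for r in records if r[2] == "U")  # order, preference
        if not usable:
            return "no-result", name, hop
        result = rewrite(usable[0][4], aus).rstrip(".")
        if not result.lower().endswith(".e164.arpa"):
            return "resolved", result, hop
        name = result  # the "URI" is another ENUM name: one more chain hop
    return "rejected", f"hop budget exhausted at {name}", max_hops

def chained(name):
    """Constructed stand-in for a server that always answers with a new ENUM name."""
    return [f'{name}. 60 IN NAPTR 0 0 "U" "E2U+sip" '
            f'"!^.*$!1.{len(name) % 10}.9.e164.arpa!" .']

if __name__ == "__main__":
    print(resolve_enum("3211", chained))
```

A hop budget is used rather than a visited-name set because each alias is freshly generated, so a loop detector would never see a repeated name.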

Category: Aliases

Tags: Amplification, Domain Lock-Up, Denial of Service

RFCs: RFC2915, RFC3761

Format

1.<NUMBER>.*.e164.arpa

Where:

  • The <NUMBER> parameter defines how many aliases should be generated in the response.

Examples

In this example, when we look up the telephone number 3211, we receive a response containing a SIP URI. This URI includes a randomly generated phone number, formatted as an E.164 address. If this address is subsequently looked up, it will lead to the generation of another random E.164 address:

# dig NAPTR 1.1.2.3.e164.arpa @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> NAPTR 1.1.2.3.e164.arpa @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8001
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.1.2.3.e164.arpa.		IN	NAPTR

;; ANSWER SECTION:
1.1.2.3.e164.arpa.	60	IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.1.8.4.6.2.3.8.0.1.5.e164.arpa!" .

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Oct 18 00:10:32 +04 2024
;; MSG SIZE  rcvd: 101


In this example, when we look up the telephone number 1234567891, we receive a response containing nine SIP URIs. Each URI includes a randomly generated phone number, formatted as an E.164 address:

# dig NAPTR 1.9.8.7.6.5.4.3.2.1.e164.arpa @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> NAPTR 1.9.8.7.6.5.4.3.2.1.e164.arpa @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2704
;; flags: qr aa; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.9.8.7.6.5.4.3.2.1.e164.arpa.	IN	NAPTR

;; ANSWER SECTION:
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.8.1.4.6.1.8.1.8.4.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.8.3.0.0.4.4.3.9.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.3.4.0.6.9.5.5.0.0.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.7.7.4.9.0.3.3.4.1.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.6.6.2.6.7.4.5.4.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.8.9.4.6.7.1.0.2.6.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.1.0.7.0.2.3.2.2.6.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.5.6.8.3.1.3.4.0.4.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.4.4.0.6.5.9.7.7.7.e164.arpa!" .

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Oct 18 00:10:33 +04 2024
;; MSG SIZE  rcvd: 637


In this example, we use the A record type to look up the telephone number 1234567891. We receive the same response as in the previous example. This demonstrates that it is not necessary to explicitly request NAPTR record types to use this module:

# dig 1.9.8.7.6.5.4.3.2.1.e164.arpa @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> 1.9.8.7.6.5.4.3.2.1.e164.arpa @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30794
;; flags: qr aa; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;1.9.8.7.6.5.4.3.2.1.e164.arpa.	IN	A

;; ANSWER SECTION:
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.7.3.5.2.9.6.4.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.4.8.9.3.9.2.3.0.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.3.8.3.2.5.8.3.2.6.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.6.9.6.8.3.2.3.3.4.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.1.5.5.8.8.4.5.4.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.1.7.1.8.7.4.9.3.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.3.7.4.0.9.5.2.1.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.6.1.3.1.0.9.0.9.6.e164.arpa!" .
1.9.8.7.6.5.4.3.2.1.e164.arpa. 60 IN	NAPTR	0 0 "U" "E2U+sip" "!^.*$!1.9.8.8.4.0.5.6.5.6.1.e164.arpa!" .

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Oct 18 00:16:12 +04 2024
;; MSG SIZE  rcvd: 629
