PtrAlias - Random PTR Aliases

PtrAlias - Random PTR Aliases

This module is designed to return one or more random aliases using reverse DNS lookups (PTR records), which map IP addresses back to domain names.

It specifically handles reverse DNS queries for any IP address within the private 10.0.0.0/8 network range, which is reserved for internal use only.

When this module receives a reverse DNS lookup query for an IP address such as 10.x.y.z (this means searching for the PTR record for z.y.x.10.in-addr.arpa domain), it responds with a PTR record that contains a randomly generated in-addr.arpa domain from within the same 10.0.0.0/8 range.

The idea is that if the client/resolver decides to resolve this further, it will result in the generation of yet another alias, theoretically leading to a resolution of infinite chain of random aliases.

Additionally, this module can respond with multiple PTR records. The number of records generated is determined by the second octet of the IP address. For example, a query for the IP address 10.5.0.0 will generate five PTR records.

BEWAREThis can potentially lead to amplification effect (DoS) or domain lock-up (DoS).

Category: Aliases

Tags: Amplification, Domain Lock-Up, Denial of Service

RFCs: RFC1035

Format

*.*.<NUMBER>.10.in-addr.arpa

or

10.<NUMBER>.*.*

Where:

  • The <NUMBER> parameter defines how many aliases should be generated in the response.

Examples

The most basic example to generate a single PTR alias record:

# dig -x 10.1.0.0 @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> -x 10.1.0.0 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42782
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;0.0.1.10.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
0.0.1.10.in-addr.arpa.	60	IN	PTR	181.93.1.10.in-addr.arpa.

;; Query time: 15 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 17 14:47:42 +04 2024
;; MSG SIZE  rcvd: 77

Download PCAP File


Same as above, written in ARPA domain format:

# dig PTR 0.0.1.10.in-addr.arpa @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> PTR 0.0.1.10.in-addr.arpa @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43213
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;0.0.1.10.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
0.0.1.10.in-addr.arpa.	60	IN	PTR	53.20.1.10.in-addr.arpa.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 17 14:47:44 +04 2024
;; MSG SIZE  rcvd: 76

Download PCAP File


Here we request to generate ten PTR alias records:

# dig -x 10.10.123.123 @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> -x 10.10.123.123 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33535
;; flags: qr aa; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;123.123.10.10.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
123.123.10.10.in-addr.arpa. 60	IN	PTR	198.196.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	183.114.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	214.112.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	164.29.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	15.98.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	184.62.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	36.205.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	97.158.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	74.204.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	170.165.10.10.in-addr.arpa.

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 17 14:47:46 +04 2024
;; MSG SIZE  rcvd: 437

Download PCAP File


Same as above, written in ARPA domain format:

# dig PTR 123.123.10.10.in-addr.arpa @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> PTR 123.123.10.10.in-addr.arpa @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43848
;; flags: qr aa; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;123.123.10.10.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
123.123.10.10.in-addr.arpa. 60	IN	PTR	67.222.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	222.55.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	93.102.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	49.231.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	75.70.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	31.110.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	175.15.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	16.12.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	173.9.10.10.in-addr.arpa.
123.123.10.10.in-addr.arpa. 60	IN	PTR	4.198.10.10.in-addr.arpa.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 17 14:47:48 +04 2024
;; MSG SIZE  rcvd: 430

Download PCAP File


In this example, we request a thousand PTR alias records. While this is extremely unusual and bizzare, it still works:

# dig -x 10.1000.0.0 @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> -x 10.1000.0.0 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23802
;; flags: qr aa; QUERY: 1, ANSWER: 1000, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;0.0.1000.10.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
0.0.1000.10.in-addr.arpa. 60	IN	PTR	209.48.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	53.235.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	230.211.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	171.184.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	235.160.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	241.67.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	202.152.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	129.233.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	171.66.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	133.73.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	29.94.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	1.126.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	145.115.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	68.216.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	173.198.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	54.125.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	173.15.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	109.200.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	58.129.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	222.240.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	223.245.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	101.106.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	237.220.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	132.197.1000.10.in-addr.arpa.
... cut ...
0.0.1000.10.in-addr.arpa. 60	IN	PTR	218.14.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	17.233.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	58.192.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	245.146.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	139.140.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	146.48.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	136.27.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	235.182.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	87.126.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	114.104.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	42.27.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	250.12.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	16.71.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	90.69.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	100.202.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	155.247.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	10.187.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	140.74.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	202.5.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	183.239.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	35.12.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	63.55.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	85.147.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	172.119.1000.10.in-addr.arpa.
0.0.1000.10.in-addr.arpa. 60	IN	PTR	249.86.1000.10.in-addr.arpa.

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Oct 17 14:48:36 +04 2024
;; MSG SIZE  rcvd: 41172

Download PCAP File


From the same category

See also


Go back to catalogue.