Qurr - Set Question RRs in the Header
This modifier allows to modify the number of Questions (RRs) in the DNS response header.
It's important to note that this does not change the actual Query section in the DNS response body in any way. To remove the Query section from the body, use the noq modifier.
This modifier is compatible with and can be combined with any other existing feature or modifier.
Category: Header manipulation
Format
*.qurr<NUMBER>.*
Where:
- The
<NUMBER>parameter specifies the number of Questions in the DNS response header. Note that the maximum number of Questions that can be set is 65535, as it is a 2-byte field.
Examples
All the examples below use the basic always feature which always resolves to an IP address.
In this example, we set the number of Questions (RRs) in the DNS header to 0, which indicates that there is no query in this DNS response. This arrangement leads to a warning about a malformed packet because the actual Query is still present in the body and is now being interpreted as the answer, which cannot be properly parsed. Moreover, there are now extra bytes at the end of the packet. These represent the actual answer, which is now completely ignored:
# dig always.qurr0.yourdomain.com @127.0.0.1 ;; Warning: Message parser reports malformed message packet. ; <<>> DiG 9.18.10-2-Debian <<>> always.qurr0.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36284 ;; flags: qr aa; QUERY: 0, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: Message has 10 extra bytes at end ;; Query time: 3 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Oct 22 11:21:00 +04 2024 ;; MSG SIZE rcvd: 61
Similar to the previous example, but in this case, we set the number of Questions (RRs) in the DNS header to 1. This adjustment actually accurately reflects the actual content of the DNS response body, resulting in a completely valid and correct answer:
# dig always.qurr1.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> always.qurr1.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12138 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;always.qurr1.yourdomain.com. IN A ;; ANSWER SECTION: always.qurr1.yourdomain.com. 60 IN A 2.3.4.5 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Oct 22 11:24:12 +04 2024 ;; MSG SIZE rcvd: 61
Similar to the previous examples, but in this case, we set the number of Questions (RRs) in the DNS header to 2, which indicates that there are two queries in this DNS response. This arrangement leads to a warning about a malformed packet because now the actual Answer in the body is interpreted as the second query. Moreover, the extra bytes at the end of the packet represent only the remaining fragment of the actual answer, which cannot be parsed into anything meaningful. Therefore, no real answer appears in this response:
# dig always.qurr2.yourdomain.com @127.0.0.1 ;; Warning: Message parser reports malformed message packet. ; <<>> DiG 9.18.10-2-Debian <<>> always.qurr2.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50976 ;; flags: qr aa; QUERY: 2, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: Message has 9 extra bytes at end ;; QUESTION SECTION: ;always.qurr2.yourdomain.com. IN A ;always.qurr2.yourdomain.com. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Oct 22 11:24:14 +04 2024 ;; MSG SIZE rcvd: 61
Similar to the previous examples, but in this case, we set the number of questions in the DNS header to 3, which indicates that there are three queries in this DNS response. This arrangement leads to communication errors and warnings about malformed packet because the packet cannot be parsed correctly in this manner. The actual Answer in the body is now interpreted as the second and third query, leading to critical parsing errors:
# dig always.qurr3.yourdomain.com @127.0.0.1 ;; Warning: Message parser reports malformed message packet. ;; ;; Question section mismatch: got ./TYPE0/CLASS15360 ;; communications error to 127.0.0.1#53: timed out ;; Warning: Message parser reports malformed message packet. ;; ;; Question section mismatch: got ./TYPE0/CLASS15360 ;; communications error to 127.0.0.1#53: timed out ;; Warning: Message parser reports malformed message packet. ;; ;; Question section mismatch: got ./TYPE0/CLASS15360 ;; communications error to 127.0.0.1#53: timed out ; <<>> DiG 9.18.10-2-Debian <<>> always.qurr3.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; no servers could be reached
From the same category
- Adrr - Set Additional RRs in the Header
- Anrr - Set Answer RRs in the Header
- Aurr - Set Authority RRs in the Header
- Flgs - Set Custom Flags in the Header
- NewId - Set Random Transaction ID
See also
- Tc - Set Truncated Flag (Force TCP Mode)
- Noq - Remove the Query Section
- Slp - Add a Delay (Latency)
- Ttl - Set Custom TTL Value
- Len - Set Custom Length in TCP
- Cnk - Send Response in Chunks (TCP only)
- Cut - Cut N Bytes from the End of the Packet
- Add - Add N Bytes to the End of the Packet
- Rl - Recalculate Length in TCP
- Fc - Force Compression
- Nc - No Compression