Rl - Recalculate Length in TCP
In TCP mode, this modifier recalculates the DNS packet length if it was adjusted using the cut or add modifiers.
Note that this functionality is specific to TCP mode, because only in TCP do DNS packets carry a length field at the beginning. DNS packets sent over UDP have no length field at the beginning.
This modifier is compatible with and can be combined with any other existing feature or modifier, as long as the communication is happening over TCP.
Category: Packet manipulation
Format
*.rl.*
This module has no parameters.
Examples
The following examples illustrate why recalculating the DNS packet length is essential in TCP mode.
In this example, we use the basic always feature, which always resolves to an IP address. Additionally, we operate in TCP mode and append 10 random bytes to the end of the packet without recalculating the length. As a result, the parser completely ignores the appended data, since the length was not recalculated:
# dig always.add10.yourdomain.com @127.0.0.1 +tcp
; <<>> DiG 9.18.10-2-Debian <<>> always.add10.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27779
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;always.add10.yourdomain.com. IN A
;; ANSWER SECTION:
always.add10.yourdomain.com. 60 IN A 2.3.4.5
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Oct 24 11:05:35 +04 2024
;; MSG SIZE rcvd: 61
After adding the rl modifier to recalculate the length, the parser can now see the entire packet and consequently displays a warning about 10 extra bytes at the end:
# dig always.add10.rl.yourdomain.com @127.0.0.1 +tcp
; <<>> DiG 9.18.10-2-Debian <<>> always.add10.rl.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44231
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 10 extra bytes at end
;; QUESTION SECTION:
;always.add10.rl.yourdomain.com. IN A
;; ANSWER SECTION:
always.add10.rl.yourdomain.com. 60 IN A 2.3.4.5
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Oct 24 11:05:36 +04 2024
;; MSG SIZE rcvd: 74
In the next example, we use the size feature, which returns multiple answers up to a specified size limit. In this case, we set the packet size limit to 200 bytes. As a result, 9 answers can fit within the response:
# dig size.200.yourdomain.com @127.0.0.1 +tcp
; <<>> DiG 9.18.10-2-Debian <<>> size.200.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23401
;; flags: qr aa; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;size.200.yourdomain.com. IN A
;; ANSWER SECTION:
size.200.yourdomain.com. 60 IN A 127.0.0.209
size.200.yourdomain.com. 60 IN A 127.0.0.26
size.200.yourdomain.com. 60 IN A 127.0.0.149
size.200.yourdomain.com. 60 IN A 127.0.0.73
size.200.yourdomain.com. 60 IN A 127.0.0.99
size.200.yourdomain.com. 60 IN A 127.0.0.49
size.200.yourdomain.com. 60 IN A 127.0.0.93
size.200.yourdomain.com. 60 IN A 127.0.0.217
size.200.yourdomain.com. 60 IN A 127.0.0.123
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Oct 24 11:05:38 +04 2024
;; MSG SIZE rcvd: 185
Now, we request 64 bytes to be removed from the response by using the cut modifier. This effectively removes the last 4 answers from the response body (each A record is exactly 16 bytes, so 64 / 16 = 4). Since the length was not recalculated, the parser assumes an error occurred during transmission, as the packet is shorter than the length declared at its beginning:
# dig size.200.cut64.yourdomain.com @127.0.0.1 +tcp
;; communications error to 127.0.0.1#53: end of file
;; communications error to 127.0.0.1#53: end of file
;; communications error to 127.0.0.1#53: end of file
; <<>> DiG 9.18.10-2-Debian <<>> size.200.cut64.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; no servers could be reached
By adding the rl modifier to recalculate the length, the parser is now able to read the entire packet. It reports the response as malformed: the header still announces 9 answers, but only 5 are present in the response body because 4 of them were removed by the cut modifier:
# dig size.200.cut64.rl.yourdomain.com @127.0.0.1 +tcp
;; Warning: Message parser reports malformed message packet.
; <<>> DiG 9.18.10-2-Debian <<>> size.200.cut64.rl.yourdomain.com @127.0.0.1 +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35973
;; flags: qr aa; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;size.200.cut64.rl.yourdomain.com. IN A
;; ANSWER SECTION:
size.200.cut64.rl.yourdomain.com. 60 IN A 127.0.0.172
size.200.cut64.rl.yourdomain.com. 60 IN A 127.0.0.32
size.200.cut64.rl.yourdomain.com. 60 IN A 127.0.0.109
size.200.cut64.rl.yourdomain.com. 60 IN A 127.0.0.73
size.200.cut64.rl.yourdomain.com. 60 IN A 127.0.0.145
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (TCP)
;; WHEN: Thu Oct 24 11:05:40 +04 2024
;; MSG SIZE rcvd: 130
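The four outcomes above can be reproduced offline with a minimal model of DNS-over-TCP framing. This is an added example, not PolarDNS code: the function names are hypothetical, the responses are constructed, and the receiver assumes every answer name is a 2-byte compression pointer.

```python
import struct

def build_response(qname, n_answers):
    """Constructed DNS reply: header, one question, n_answers 16-byte A records."""
    header = struct.pack("!6H", 0x1234, 0x8400, 1, n_answers, 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    question = name + struct.pack("!2H", 1, 1)               # QTYPE A, QCLASS IN
    fixed = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4)  # pointer, A, IN, TTL, RDLENGTH
    return header + question + b"".join(fixed + bytes([127, 0, 0, i + 1]) for i in range(n_answers))

def frame(msg, declared=None):
    """Prefix the 2-byte TCP length; `declared` models a length that was not recalculated."""
    return struct.pack("!H", len(msg) if declared is None else declared) + msg

def receive(stream):
    """Read one framed message like a strict client; return (status, answers, extra_bytes)."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]                 # bytes past the declared length are never read
    if len(body) < length:
        return ("eof", 0, 0)                    # stream ended before `length` bytes arrived
    ancount = struct.unpack("!H", body[6:8])[0]
    off, parsed = 12, 0
    while body[off]:                            # skip the QNAME labels
        off += 1 + body[off]
    off += 5                                    # root label + QTYPE + QCLASS
    for _ in range(ancount):
        if off + 12 > len(body):
            return ("malformed", parsed, 0)     # header promised more records than exist
        rdlen = struct.unpack("!H", body[off + 10:off + 12])[0]
        if off + 12 + rdlen > len(body):
            return ("malformed", parsed, 0)
        off, parsed = off + 12 + rdlen, parsed + 1
    extra = len(body) - off
    return ("extra-bytes" if extra else "ok", parsed, extra)

def scenarios():
    one = build_response("always.add10.yourdomain.com", 1)
    nine = build_response("size.200.cut64.yourdomain.com", 9)
    pad = bytes(10)                             # constructed stand-in for 10 random bytes
    return {
        "add10":    receive(frame(one + pad, declared=len(one))),
        "add10.rl": receive(frame(one + pad)),
        "cut64":    receive(frame(nine[:-64], declared=len(nine))),
        "cut64.rl": receive(frame(nine[:-64])),
    }

if __name__ == "__main__":
    for chain, result in scenarios().items():
        print(f"{chain:9} -> {result}")
```

The constructed messages have the same sizes dig reports above (61 bytes for the single-answer reply, 185 bytes for the 9-answer reply to size.200.yourdomain.com).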
From the same category
- Add - Add N Bytes to the End of the Packet
- Cnk - Send Response in Chunks (TCP only)
- Cut - Cut N Bytes from the End of the Packet
- Fc - Force Compression
- Len - Set Custom Length in TCP
- Nc - No Compression
- Noq - Remove the Query Section
- Slp - Add a Delay (Latency)
- Tc - Set Truncated Flag (Force TCP Mode)
- Ttl - Set Custom TTL Value
See also
- NewId - Set Random Transaction ID
- Flgs - Set Custom Flags in the Header
- Qurr - Set Question RRs in the Header
- Anrr - Set Answer RRs in the Header
- Aurr - Set Authority RRs in the Header
- Adrr - Set Additional RRs in the Header