SpfAlias1 - Random SPF (TXT) Aliases (Variant 1)

This module is designed to generate DNS responses with SPF (Sender Policy Framework) records that contain random aliases. The SPF protocol is used for authorizing domains during email communication.

This variant can produce multiple SPF entries, each contained within a single TXT record. In this case, each SPF entry contains a single include: parameter with a randomly generated domain name (alias). This alias is in the format spfalias1#####.yourdomain.com where ##### represents a random number.

The idea is that if the client/resolver decides to resolve this further, it will result in the generation of yet another alias, theoretically leading to the resolution of an infinite chain of random aliases. In practice, however, most modern resolvers will terminate the resolution after encountering several consecutive alias records.

Note that this feature provides the same functionality as requesting the TXT record for the generic alias feature. Responding with multiple records (aliases) in a single response is also supported.

BEWARE: This can potentially lead to an amplification effect (DoS) or domain lock-up (DoS).

Category: Aliases

Tags: Amplification, Domain Lock-Up, Denial of Service

RFCs: RFC4408, RFC7208

Format

spfalias1.<NUMBER>.yourdomain.com

Where:

  • The <NUMBER> parameter defines how many aliases should be generated in the response.

Examples

By default, the module returns a single SPF (TXT) alias:

# dig spfalias1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfalias1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46732
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfalias1.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfalias1.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias16089.yourdomain.com ~all"

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 15:04:15 +04 2024
;; MSG SIZE  rcvd: 103


Same example as above, but this time we explicitly specify that we want to receive a single SPF (TXT) record:

# dig spfalias1.1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfalias1.1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18172
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfalias1.1.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfalias1.1.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias14333.1.yourdomain.com ~all"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 15:04:16 +04 2024
;; MSG SIZE  rcvd: 107


In this case, we specify that we want to receive five SPF (TXT) aliases:

# dig spfalias1.5.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfalias1.5.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11456
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfalias1.5.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfalias1.5.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias150609.5.yourdomain.com ~all"
spfalias1.5.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias112276.5.yourdomain.com ~all"
spfalias1.5.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias195314.5.yourdomain.com ~all"
spfalias1.5.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias18721.5.yourdomain.com ~all"
spfalias1.5.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias135910.5.yourdomain.com ~all"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 15:04:17 +04 2024
;; MSG SIZE  rcvd: 363


Here we can see that resolving any of the generated aliases leads to more aliases, potentially causing an infinite recursion:

# dig spfalias12345.5.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfalias12345.5.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2817
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfalias12345.5.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfalias12345.5.yourdomain.com.	60 IN	TXT	"v=spf1 include:spfalias129776.5.yourdomain.com ~all"
spfalias12345.5.yourdomain.com.	60 IN	TXT	"v=spf1 include:spfalias164194.5.yourdomain.com ~all"
spfalias12345.5.yourdomain.com.	60 IN	TXT	"v=spf1 include:spfalias167509.5.yourdomain.com ~all"
spfalias12345.5.yourdomain.com.	60 IN	TXT	"v=spf1 include:spfalias140009.5.yourdomain.com ~all"
spfalias12345.5.yourdomain.com.	60 IN	TXT	"v=spf1 include:spfalias137564.5.yourdomain.com ~all"

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 15:17:58 +04 2024
;; MSG SIZE  rcvd: 368
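
For the receiving side, the following added example (not part of the module or its documentation) sketches an SPF evaluator that stays bounded against such alias chains by applying the two RFC 7208 rules that matter here: more than one SPF record for a name is a permerror (section 4.5), and at most 10 DNS-querying terms are followed per check (section 4.6.4). The names check_host, evaluate and fake_txt_lookup are hypothetical; fake_txt_lookup is a constructed stand-in for the module's answers, and only the include and all terms are handled.

```python
import random
import re

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: cap on DNS-querying terms per check
_rng = random.Random(7208)

class PermError(Exception):
    """Policy cannot be evaluated; the receiver stops resolving."""

def fake_txt_lookup(name):
    # Constructed stand-in for the module: any spfalias1[#####][.<NUMBER>] name
    # answers with <NUMBER> SPF records, each including a fresh random alias.
    m = re.fullmatch(r"spfalias1\d*(?:\.(\d+))?\.yourdomain\.com", name)
    if not m:
        return []
    tail = f".{m.group(1)}" if m.group(1) else ""
    return [f"v=spf1 include:spfalias1{_rng.randint(1, 99999)}{tail}.yourdomain.com ~all"
            for _ in range(int(m.group(1) or 1))]

def check_host(domain, lookup, state):
    state["queries"] += 1
    records = [r for r in lookup(domain) if r == "v=spf1" or r.startswith("v=spf1 ")]
    if len(records) > 1:  # RFC 7208 section 4.5: more than one SPF record
        raise PermError(f"{domain}: {len(records)} SPF records")
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        if term.startswith("include:"):
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_LOOKUPS:
                raise PermError("DNS lookup limit exceeded")
            inner = check_host(term[len("include:"):], lookup, state)
            if inner == "none":
                raise PermError("include target has no SPF record")
            if inner == "pass":  # simplification: include qualifier is ignored
                return "pass"
        elif term.lstrip("+-~?") == "all":
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def evaluate(domain, lookup=fake_txt_lookup):
    """Return (result, TXT queries sent) for one SPF check."""
    state = {"queries": 0, "lookups": 0}
    try:
        return check_host(domain, lookup, state), state["queries"]
    except PermError:
        return "permerror", state["queries"]

if __name__ == "__main__":
    for d in ("spfalias1.yourdomain.com", "spfalias1.5.yourdomain.com"):
        print(d, evaluate(d))
```

With a single alias per response the check ends in permerror after 11 TXT queries (the initial name plus ten includes); with five records per response it ends after the first query, because multiple SPF records are rejected before any include is followed.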
