SpfAlias2 - Random SPF (TXT) Aliases (Variant 2)


This module is designed to generate DNS responses with SPF (Sender Policy Framework) records that contain random aliases. The SPF protocol is used for authorizing domains during email communication.

This variant can produce multiple SPF entries spread over one or more TXT records. Each SPF entry carries several include: mechanisms pointing at randomly generated domain names (aliases). These aliases have the format spfalias2#####.yourdomain.com, where ##### is a random number.

The idea is that if the client/resolver decides to resolve any of these aliases further, the answer contains yet more random aliases, in theory producing an infinite chain of aliases to follow. In practice, most modern resolvers stop after encountering several consecutive alias records.

BEWARE: This can potentially lead to an amplification effect (DoS) or a domain lock-up (DoS).

Category: Aliases

Tags: Amplification, Domain Lock-Up, Denial of Service

RFCs: RFC4408, RFC7208

Format

spfalias2.<NUMBER>.yourdomain.com

Where:

  • The <NUMBER> parameter defines how many aliases should be generated in the response. Note that the number of aliases per record is limited by the maximum TXT string size of 255 bytes. If the specified number of aliases cannot fit within a single TXT record, multiple TXT records are produced dynamically to accommodate all of them.
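The following is an added example, not the module's own code, showing how the <NUMBER> label is read from the query name and why a given alias count maps to a given number of TXT records: each include: mechanism is appended until the next one would push the string past 255 bytes, then a new "v=spf1 ... ~all" string is started. The greedy byte-length packing and the 4- to 5-digit random suffix are assumptions for illustration; the module's actual packing rule is not documented here.

```python
import random

# RFC 1035: a single <character-string> inside a TXT RDATA holds at most 255 bytes
TXT_STRING_MAX = 255


def parse_qname(qname):
    """Read the alias count and the alias tail from a spfalias2 query name.

    'spfalias2.11.yourdomain.com'     -> (11, '11.yourdomain.com')
    'spfalias2.yourdomain.com'        -> (1,  'yourdomain.com')   (default: one alias)
    'spfalias23456.11.yourdomain.com' -> (11, '11.yourdomain.com') (a generated alias)
    The tail is what the generated aliases are appended to, as in the page's examples.
    """
    labels = qname.rstrip(".").split(".")
    tail = ".".join(labels[1:])
    count = int(labels[1]) if len(labels) > 1 and labels[1].isdigit() else 1
    return count, tail


def pack_spf_records(aliases, prefix="v=spf1", suffix="~all"):
    """Greedily pack include: mechanisms into TXT strings of at most 255 bytes.

    Every returned string is a complete SPF record ('v=spf1 include:... ~all').
    Greedy packing by actual byte length is our assumption, not the module's rule.
    """
    records, current = [], [prefix]
    for alias in aliases:
        mech = f"include:{alias}"
        # a single mechanism that cannot fit even alone is a hard error, not a silent overflow
        if len(" ".join([prefix, mech, suffix]).encode()) > TXT_STRING_MAX:
            raise ValueError(f"mechanism does not fit in one TXT string: {mech}")
        # flush the current record if adding this mechanism (plus the trailing ~all) overflows
        if len(" ".join(current + [mech, suffix]).encode()) > TXT_STRING_MAX:
            records.append(" ".join(current + [suffix]))
            current = [prefix]
        current.append(mech)
    records.append(" ".join(current + [suffix]))
    return records


def build_txt_strings(qname, rng=None):
    """Answer a spfalias2 query with the packed TXT strings (hypothetical helper).

    The random suffix range 1000-99999 mirrors the 4- and 5-digit numbers seen in
    the page's examples; it is an assumption, not the module's generator.
    """
    rng = rng or random.Random()
    count, tail = parse_qname(qname)
    aliases = [f"spfalias2{rng.randint(1000, 99999)}.{tail}" for _ in range(count)]
    return pack_spf_records(aliases)


if __name__ == "__main__":
    for record in build_txt_strings("spfalias2.11.yourdomain.com", random.Random(1)):
        print(len(record.encode()), "bytes:", record)
```

With eleven 5-digit aliases under ".11.yourdomain.com" each include: mechanism is 40 bytes, so five of them plus "v=spf1" and "~all" total 216 bytes while a sixth would reach 257, which is exactly the 5 + 5 + 1 split the dig output below shows. Shorter (4-digit) suffixes let six fit, so the number of records varies slightly with the random values.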

Examples

By default, the module returns a single SPF alias:

# dig spfalias2.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfalias2.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40902
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfalias2.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfalias2.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias221021.yourdomain.com ~all"

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 15:04:10 +04 2024
;; MSG SIZE  rcvd: 104



Same example as above, but this time we explicitly specify that we want to receive a single SPF record:

# dig spfalias2.1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfalias2.1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50568
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfalias2.1.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfalias2.1.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias26976.1.yourdomain.com ~all"

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 15:04:11 +04 2024
;; MSG SIZE  rcvd: 107



In this case, we specify that we want to receive 11 (eleven) SPF aliases. These aliases are split across as many TXT records as needed:

# dig spfalias2.11.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfalias2.11.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43201
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfalias2.11.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfalias2.11.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias240144.11.yourdomain.com include:spfalias265182.11.yourdomain.com include:spfalias245219.11.yourdomain.com include:spfalias247661.11.yourdomain.com include:spfalias243649.11.yourdomain.com ~all"
spfalias2.11.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias265611.11.yourdomain.com include:spfalias260064.11.yourdomain.com include:spfalias294134.11.yourdomain.com include:spfalias243027.11.yourdomain.com include:spfalias227584.11.yourdomain.com ~all"
spfalias2.11.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfalias271689.11.yourdomain.com ~all"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 15:04:13 +04 2024
;; MSG SIZE  rcvd: 568


We can see that those 11 SPF aliases fit into 3 TXT records.


Here we can see that resolving any of the generated aliases yields yet more aliases, so a resolver that follows them without a limit would recurse indefinitely:

# dig spfalias23456.11.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfalias23456.11.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30113
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfalias23456.11.yourdomain.com. IN	A

;; ANSWER SECTION:
spfalias23456.11.yourdomain.com. 60 IN	TXT	"v=spf1 include:spfalias252660.11.yourdomain.com include:spfalias295653.11.yourdomain.com include:spfalias285139.11.yourdomain.com include:spfalias298979.11.yourdomain.com include:spfalias23210.11.yourdomain.com ~all"
spfalias23456.11.yourdomain.com. 60 IN	TXT	"v=spf1 include:spfalias219008.11.yourdomain.com include:spfalias240717.11.yourdomain.com include:spfalias284035.11.yourdomain.com include:spfalias270037.11.yourdomain.com include:spfalias242255.11.yourdomain.com ~all"
spfalias23456.11.yourdomain.com. 60 IN	TXT	"v=spf1 include:spfalias224682.11.yourdomain.com ~all"

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Oct 16 15:57:37 +04 2024
;; MSG SIZE  rcvd: 571

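The introduction notes that most resolvers stop after several consecutive alias records, and the example above shows why a limit is needed. The added example below (not part of the page or the module) shows the checks a receiving mail system's SPF checker must apply to such responses under RFC 7208: a name with more than one v=spf1 record is a permerror (section 4.5), and more than ten DNS-querying terms across the whole include: chain is a permerror (section 4.6.4), so the chain is abandoned after a bounded number of queries. FakeResolver is a constructed in-memory stand-in for DNS that mimics the alias behaviour described on the page; the audit function is a lookup-budget check, not a full SPF evaluator.

```python
import random
from collections import deque

# RFC 7208 section 4.6.4: at most 10 terms that cause DNS queries per check
MAX_DNS_LOOKUPS = 10
DNS_QUERYING_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


class FakeResolver:
    """Constructed in-memory stand-in for DNS so the audit runs offline.

    Names in `static` return fixed TXT strings. Any other name under `alias_base`
    answers the way the page's module does: `records` TXT strings, each listing
    `includes_per_record` freshly generated spfalias2<random>.<alias_base> names.
    `queries` counts how many names were actually looked up.
    """

    def __init__(self, static=None, alias_base=None, includes_per_record=1, records=1, seed=7):
        self.static = dict(static or {})
        self.alias_base = alias_base
        self.includes_per_record = includes_per_record
        self.records = records
        self.rng = random.Random(seed)
        self.queries = 0

    def txt(self, name):
        self.queries += 1
        if name in self.static:
            return self.static[name]
        if self.alias_base and name.endswith("." + self.alias_base):
            out = []
            for _ in range(self.records):
                incs = " ".join(
                    f"include:spfalias2{self.rng.randint(1000, 99999)}.{self.alias_base}"
                    for _ in range(self.includes_per_record)
                )
                out.append(f"v=spf1 {incs} ~all")
            return out
        return []  # no TXT records for unknown names


def audit_spf_lookups(resolver, domain):
    """Follow include:/redirect= chains while counting DNS-querying terms.

    Returns (result, lookups). Reproduces the permerror conditions a compliant
    checker raises on the page's responses: more than one v=spf1 record for a
    name (RFC 7208 4.5) and more than ten DNS-querying terms (4.6.4).
    ip4/ip6 matching is deliberately not evaluated; this is a budget audit.
    """
    lookups = 0
    pending = deque([domain])
    while pending:
        name = pending.popleft()
        records = [s for s in resolver.txt(name) if s.split(" ", 1)[0] == "v=spf1"]
        if len(records) > 1:
            return "permerror:multiple-records", lookups
        if not records:
            # no SPF at the top domain is "none"; an include target without SPF is a permerror (5.2)
            return ("none" if name == domain else "permerror:include-no-record"), lookups
        for term in records[0].split()[1:]:
            if term.startswith("redirect="):
                mech, target = "redirect", term[len("redirect="):]
            else:
                mech, _, target = term.lstrip("+-~?").partition(":")
            if mech in DNS_QUERYING_MECHANISMS or mech == "redirect":
                lookups += 1
                if lookups > MAX_DNS_LOOKUPS:
                    # the eleventh DNS-querying term ends evaluation; the chain is never followed further
                    return "permerror:too-many-lookups", lookups
                if mech in ("include", "redirect"):
                    pending.append(target)
    return "ok", lookups


if __name__ == "__main__":
    r = FakeResolver(alias_base="yourdomain.com")
    print(audit_spf_lookups(r, "spfalias2.yourdomain.com"), "after", r.queries, "queries")
```

Against the single-alias chain the audit stops after exactly eleven queries (the queried name plus ten aliases) instead of recursing forever, and against the eleven-alias response it stops at the first query because three v=spf1 records came back. A static zone with one include: and an ip4: mechanism passes with one lookup, showing the same code accepts a normal record.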

