SpfChain - SPF (TXT) Alias Chains

This module implements incremental alias chains using SPF (Sender Policy Framework) records. It returns an alias record with an incremented domain name index, forming a chain that continues to increment indefinitely.

Specifically, this module generates a SPF alias record in the format spfchain###.yourdomain.com, where ### represents the incremented index.

The concept is that if the client/resolver attempts to resolve this alias further, it will generate yet another incremented alias, causing the process to continue indefinitely and potentially keeping the resolver occupied.

However, in practice, most modern resolvers detect such chains and terminate the resolution after encountering a certain number of consecutive aliases (e.g., 20 aliases) or upon reaching a specified time limit for the resolution (e.g., 30 seconds).

The SPF protocol is used to specify which mail servers are authorized to send emails on behalf of a domain, and SPF records are typically published within TXT records in DNS.

Note that this feature provides the same functionality as requesting a TXT record for the generic chain feature.

⚠BEWARE⚠This could potentially lead to a domain lock-up (DoS).

Category: Alias chains

Tags: Domain Lock-Up, Denial of Service

RFCs: RFC4408, RFC7208

Format

spfchain<NUMBER>.yourdomain.com

Where:

• The <NUMBER> parameter specifies an arbitrary number that will be incremented in the response.

Examples

By default, the module generates an SPF alias record with the index of 1:

# dig spfchain.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfchain.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57012
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfchain.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfchain.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfchain1.yourdomain.com ~all"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:24:02 +04 2024
;; MSG SIZE  rcvd: 98

Download PCAP File

If we attempt to resolve the resulting domain name (spfchain1.yourdomain.com), we receive an incremented alias record:

# dig spfchain1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfchain1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31765
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfchain1.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfchain1.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfchain2.yourdomain.com ~all"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:24:03 +04 2024
;; MSG SIZE  rcvd: 99

Download PCAP File

If we continue to resolve the next domain name (spfchain2.yourdomain.com), we again receive an incremented alias record:

# dig spfchain2.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfchain2.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49351
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfchain2.yourdomain.com.	IN	A

;; ANSWER SECTION:
spfchain2.yourdomain.com. 60	IN	TXT	"v=spf1 include:spfchain3.yourdomain.com ~all"

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:24:04 +04 2024
;; MSG SIZE  rcvd: 99

Download PCAP File

This resolution process can continue indefinitely, as there are no limits on the size of the index number. Each resolution yields another incremented alias record:

# dig spfchain9999999999999999999999999.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> spfchain9999999999999999999999999.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12290
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;spfchain9999999999999999999999999.yourdomain.com. IN A

;; ANSWER SECTION:
spfchain9999999999999999999999999.yourdomain.com. 60 IN	TXT "v=spf1 include:spfchain10000000000000000000000000.yourdomain.com ~all"

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:24:06 +04 2024
;; MSG SIZE  rcvd: 148

Download PCAP File

The domain name will never be fully resolved as the incremental process continues indefinitely.

From the same category

• Chain - Alias Chains
• CnChain - CNAME Alias Chains
• DnChain - DNAME Alias Chains
• HtChain - HTTPS Alias Chains
• MxChain - MX Alias Chains
• NsChain - NS Alias Chains
• SrChain - SRV Alias Chains
• SvChain - SVCB Alias Chains

See also

• SpfAlias1 - Random SPF (TXT) Aliases (Variant 1)
• SpfAlias2 - Random SPF (TXT) Aliases (Variant 2)
• SpfLoop - SPF (TXT) Alias Loops

Go back to catalogue.