SrChain - SRV Alias Chains

SrChain - SRV Alias Chains

This module implements incremental alias chains using SRV (Service Locator) records. It returns an alias record with an incremented domain name index, forming a chain that continues to increment indefinitely.

Specifically, this module generates an SRV alias record in the format srchain###.yourdomain.com, where ### represents the incremented index.

The concept is that if the client/resolver attempts to resolve this alias further, it will generate yet another incremented alias, causing the process to continue indefinitely and potentially keeping the resolver occupied.

However, in practice, most modern resolvers detect such chains and terminate the resolution after encountering a certain number of consecutive aliases (e.g., 20 aliases) or upon reaching a specified time limit for the resolution (e.g., 30 seconds).

Note that SRV records include fields for Priority, Weight, and Port number. In this module, both the Priority and Weight are set to 0, while the Port number is randomly generated for each record.

Additionally, the module supports DNS queries for locating different services using the underscore (_) prefix notation, also known as Attrleaf naming pattern, service labels, or underscore labels (RFC8552, RFC8553).

Note that this feature provides the same functionality as requesting an SRV record for the generic chain feature.

BEWAREThis could potentially lead to a domain lock-up (DoS).

Category: Alias chains

Tags: Domain Lock-Up, Denial of Service

RFCs: RFC2782, RFC8552, RFC8553

Format

srchain<NUMBER>.yourdomain.com

Where:

  • The <NUMBER> parameter specifies an arbitrary number that will be incremented in the response.

Examples

By default, the module generates an SRV alias record with the index of 1:

# dig srchain.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> srchain.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41969
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;srchain.yourdomain.com.		IN	A

;; ANSWER SECTION:
srchain.yourdomain.com.	60	IN	SRV	0 0 61211 srchain1.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:40 +04 2024
;; MSG SIZE  rcvd: 83

Download PCAP File


If we attempt to resolve the resulting domain name (srchain1.yourdomain.com), we receive an incremented alias record:

# dig srchain1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> srchain1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54807
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;srchain1.yourdomain.com.	IN	A

;; ANSWER SECTION:
srchain1.yourdomain.com. 60	IN	SRV	0 0 55591 srchain2.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:41 +04 2024
;; MSG SIZE  rcvd: 84

Download PCAP File


If we continue to resolve the next domain name (srchain2.yourdomain.com), we again receive an incremented alias record:

# dig srchain2.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> srchain2.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39344
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;srchain2.yourdomain.com.	IN	A

;; ANSWER SECTION:
srchain2.yourdomain.com. 60	IN	SRV	0 0 10374 srchain3.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:42 +04 2024
;; MSG SIZE  rcvd: 84

Download PCAP File


This resolution process can continue indefinitely, as there are no limits on the size of the index number. Each resolution yields another incremented alias record:

# dig srchain9999999999999999999999999.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> srchain9999999999999999999999999.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61810
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;srchain9999999999999999999999999.yourdomain.com. IN A

;; ANSWER SECTION:
srchain9999999999999999999999999.yourdomain.com. 60 IN SRV 0 0 8733 srchain10000000000000000000000000.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:43 +04 2024
;; MSG SIZE  rcvd: 133

Download PCAP File

The domain name will never be fully resolved as the incremental process continues indefinitely.


As mentioned in the description, this module also supports DNS queries for locating different services using the underscore (_) prefix notation. This example demonstrates such usage, where we search for an HTTP service running over TCP specifically designed for mobile devices:

# dig _mobile._http._tcp.srchain100.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> _mobile._http._tcp.srchain100.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32808
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_mobile._http._tcp.srchain100.yourdomain.com. IN A

;; ANSWER SECTION:
_mobile._http._tcp.srchain100.yourdomain.com. 60 IN SRV	0 0 43725 _mobile._http._tcp.srchain101.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 08 23:23:45 +04 2024
;; MSG SIZE  rcvd: 126

Download PCAP File

We can see that we received an incremented SRV alias record.


From the same category

See also


Go back to catalogue.