SrLoop - SRV Alias Loops
This module implements alias loops using SRV (Service Locator) records. The loops can be a direct loop, where the alias points back to the same domain name as in the original query, or they can include multiple elements, cycling through a specified number of domains.
The idea is that if the client/resolver decides to resolve this further, it will enter an infinite loop. In practice, however, most modern resolvers detect such loops and terminate the resolution.
Note that SRV records include fields for Priority, Weight, and Port number. In this module, both the Priority and Weight are set to 0, while the Port number is randomly generated.
Additionally, the module supports DNS queries for locating different services using the underscore (_) prefix notation, also known as Attrleaf naming pattern, service labels, or underscore labels (RFC8552, RFC8553).
Note that this feature provides the same functionality as requesting a SRV record for the generic loop feature.
Category: Alias loops
Tags: Domain Lock-Up, Denial of Service
RFCs: RFC2782, RFC8552, RFC8553
Format
srloop.<NUMBER>.yourdomain.com
Where:
- The
<NUMBER>parameter specifies the number of elements the loop should contain.
Examples
In this example, we can see a direct loop formed by requesting an SRV record containing the exact same domain name:
# dig srloop.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> srloop.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21547 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;srloop.yourdomain.com. IN A ;; ANSWER SECTION: srloop.yourdomain.com. 60 IN SRV 0 0 20298 srloop.yourdomain.com. ;; Query time: 7 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Nov 05 15:43:39 +04 2024 ;; MSG SIZE rcvd: 80
In this example, we request a SRV alias loop consisting of 5 elements:
# dig srloop.5.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> srloop.5.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2719 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;srloop.5.yourdomain.com. IN A ;; ANSWER SECTION: srloop.5.yourdomain.com. 60 IN SRV 0 0 4209 srloop.5.1.yourdomain.com. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Nov 05 15:43:40 +04 2024 ;; MSG SIZE rcvd: 86
The resulting domain name srloop.5.1.yourdomain.com represents the 1st element of the loop.
By resolving the 1st element, we are pointed to the 2nd element of the loop:
# dig srloop.5.1.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> srloop.5.1.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2700 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;srloop.5.1.yourdomain.com. IN A ;; ANSWER SECTION: srloop.5.1.yourdomain.com. 60 IN SRV 0 0 40516 srloop.5.2.yourdomain.com. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Nov 05 15:43:41 +04 2024 ;; MSG SIZE rcvd: 88
This continues up to the 5th and final element — srloop.5.5.yourdomain.com.
By resolving the final element of the loop, we are directed back to the 1st element again:
# dig srloop.5.5.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> srloop.5.5.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49154 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;srloop.5.5.yourdomain.com. IN A ;; ANSWER SECTION: srloop.5.5.yourdomain.com. 60 IN SRV 0 0 27585 srloop.5.1.yourdomain.com. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Nov 05 15:43:42 +04 2024 ;; MSG SIZE rcvd: 88
We can see that we are indeed pointed back to the 1st element again, effectively forming a loop.
As mentioned in the description, this module also supports DNS queries for locating different services using the underscore (_) prefix notation. This example demonstrates such usage, where we search for an HTTP service specifically designed for mobile devices and running over TCP. In this case, we request a loop of 10 elements:
# dig _mobile._http._tcp.srloop.10.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> _mobile._http._tcp.srloop.10.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7676 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;_mobile._http._tcp.srloop.10.yourdomain.com. IN A ;; ANSWER SECTION: _mobile._http._tcp.srloop.10.yourdomain.com. 60 IN SRV 0 0 17568 _mobile._http._tcp.srloop.10.1.yourdomain.com. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Tue Nov 05 15:26:27 +04 2024 ;; MSG SIZE rcvd: 126
The resulting domain name _mobile._http._tcp.srloop.10.1.yourdomain.com represents the 1st element of the loop.
From the same category
- CnLoop - CNAME Alias Loops
- DnLoop - DNAME Alias Loops
- HtLoop - HTTPS Alias Loops
- Loop - Alias Loops
- MxLoop - MX Alias Loops
- NptEnumLoop - NAPTR ENUM Alias Loops
- NsLoop - NS Alias Loops
- PtrLoop1 - PTR Alias Loops (Variant 1)
- PtrLoop2 - PTR Alias Loops (Variant 2)
- SpfLoop - SPF (TXT) Alias Loops
- SvLoop - SVCB Alias Loops