SvChain - SVCB Alias Chains
This module implements incremental alias chains using SVCB (Service Binding) records. It returns an alias record with an incremented domain name index, forming a chain that continues to increment indefinitely.
Specifically, this module generates an SVCB alias record in the format svchain###.yourdomain.com
, where ###
represents the incremented index.
The concept is that if the client/resolver attempts to resolve this alias further, it will generate yet another incremented alias, causing the process to continue indefinitely and potentially keeping the resolver occupied.
However, in practice, most modern resolvers detect such chains and terminate the resolution after encountering a certain number of consecutive aliases (e.g., 20 aliases) or upon reaching a specified time limit for the resolution (e.g., 30 seconds).
Note that SVCB records include a priority field called SvcPriority. In this module, SvcPriority is set to 0 for every record.
Additionally, the module supports DNS queries for locating different services using the underscore (_) prefix notation, also known as Attrleaf naming pattern, service labels, or underscore labels (RFC8552, RFC8553).
Note that this feature provides the same functionality as requesting an SVCB record for the generic chain feature.
Category: Alias chains
Tags: Domain Lock-Up, Denial of Service
RFCs: RFC9460, RFC8552, RFC8553
Format
svchain<NUMBER>.yourdomain.com
Where:
- The
<NUMBER>
parameter specifies an arbitrary number that will be incremented in the response.
Examples
By default, the module generates an SVCB alias record with the index of 1:
# dig svchain.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> svchain.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25410 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;svchain.yourdomain.com. IN A ;; ANSWER SECTION: svchain.yourdomain.com. 60 IN SVCB 0 svchain1.yourdomain.com. ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Fri Nov 08 23:24:07 +04 2024 ;; MSG SIZE rcvd: 79
If we attempt to resolve the resulting domain name (svchain1.yourdomain.com
), we receive an incremented alias record:
# dig svchain1.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> svchain1.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18104 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;svchain1.yourdomain.com. IN A ;; ANSWER SECTION: svchain1.yourdomain.com. 60 IN SVCB 0 svchain2.yourdomain.com. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Fri Nov 08 23:24:08 +04 2024 ;; MSG SIZE rcvd: 80
If we continue to resolve the next domain name (svchain2.yourdomain.com
), we again receive an incremented alias record:
# dig svchain2.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> svchain2.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12427 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;svchain2.yourdomain.com. IN A ;; ANSWER SECTION: svchain2.yourdomain.com. 60 IN SVCB 0 svchain3.yourdomain.com. ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Fri Nov 08 23:24:10 +04 2024 ;; MSG SIZE rcvd: 80
This resolution process can continue indefinitely, as there are no limits on the size of the index number. Each resolution yields another incremented alias record:
# dig svchain9999999999999999999999999.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> svchain9999999999999999999999999.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36324 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;svchain9999999999999999999999999.yourdomain.com. IN A ;; ANSWER SECTION: svchain9999999999999999999999999.yourdomain.com. 60 IN SVCB 0 svchain10000000000000000000000000.yourdomain.com. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Fri Nov 08 23:24:11 +04 2024 ;; MSG SIZE rcvd: 129
The domain name will never be fully resolved as the incremental process continues indefinitely.
As mentioned in the description, this module also supports DNS queries for locating different services using the underscore (_) prefix notation. This example demonstrates such usage, where we search for an HTTP service specifically designed for mobile devices and running over TCP. We receive an incremented SVCB alias record as expected:
# dig _mobile._http._tcp.svchain100.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> _mobile._http._tcp.svchain100.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3128 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;_mobile._http._tcp.svchain100.yourdomain.com. IN A ;; ANSWER SECTION: _mobile._http._tcp.svchain100.yourdomain.com. 60 IN SVCB 0 _mobile._http._tcp.svchain101.yourdomain.com. ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Fri Nov 08 23:24:12 +04 2024 ;; MSG SIZE rcvd: 122
From the same category
- Chain - Alias Chains
- CnChain - CNAME Alias Chains
- DnChain - DNAME Alias Chains
- HtChain - HTTPS Alias Chains
- MxChain - MX Alias Chains
- NsChain - NS Alias Chains
- SpfChain - SPF (TXT) Alias Chains
- SrChain - SRV Alias Chains