SvLoop - SVCB Alias Loops

This module implements alias loops using SVCB (Service Binding) records. The loops can be a direct loop, where the alias points back to the same domain name as in the original query, or they can include multiple elements, cycling through a specified number of domains.

The idea is that if the client/resolver decides to follow the alias, it will enter an infinite loop. In practice, however, most modern resolvers detect such loops and terminate the resolution, typically by bounding the number of alias hops they will follow (RFC 9460 asks clients to limit the length of AliasMode chains for exactly this reason) and by refusing to revisit a name already seen in the chain.

Note that SVCB records include a SvcPriority field. In this module, the field is always set to 0, which per RFC 9460 makes the record an AliasMode record: the TargetName is meant to be resolved in place of the owner name rather than treated as a service endpoint. This is what turns the chain of targets into an alias loop.

Additionally, the module supports DNS queries for locating different services using the underscore (_) prefix notation, also known as the Attrleaf naming pattern, service labels, or underscore labels (RFC8552, RFC8553).

Note that this underscore variant provides the same functionality as the plain svloop query: the service labels are carried over unchanged into the alias target, so the loop is the same, only with longer names.

BEWARE: This can potentially lead to a domain lock-up (DoS) on a resolver or client that follows alias records without a hop limit.

Category: Alias loops

Tags: Domain Lock-Up, Denial of Service

RFCs: RFC9460, RFC8552, RFC8553

Format

svloop.<NUMBER>.yourdomain.com

Where:

  • The <NUMBER> parameter specifies the number of elements the loop should contain. It is optional: when it is omitted (svloop.yourdomain.com), the alias points straight back to the queried name, forming a direct loop.
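The naming scheme above and the loop-detection behaviour described in the introduction, as an added Python example (this is not PolarDNS code). svloop_target reproduces the alias targets the module returns, inferred from the catalogue examples; follow_aliases is a loop-aware client that chases AliasMode targets with both a visited set and a hop cap. The zone name yourdomain.com is the page's placeholder and the default hop limit of 8 is an arbitrary choice.

```python
"""Added example (not PolarDNS code): model the svloop alias scheme and show how
a loop-aware client follows SVCB AliasMode targets without spinning forever.
Assumptions: naming rules taken from the catalogue examples; zone name and the
hop limit (8) are arbitrary.
"""
from __future__ import annotations
from typing import Callable, Optional

ZONE = "yourdomain.com"        # assumed zone, as on the catalogue page


def svloop_target(qname: str) -> str:
    """Return the AliasMode TargetName the svloop module answers with for qname.

    Rules reproduced from the page's examples:
      svloop.<zone>       -> svloop.<zone>           (direct loop)
      svloop.N.<zone>     -> svloop.N.1.<zone>       (enter the loop)
      svloop.N.i.<zone>   -> svloop.N.(i+1).<zone>   (next element)
      svloop.N.N.<zone>   -> svloop.N.1.<zone>       (close the loop)
    Leading underscore labels (_mobile._http._tcp.) are preserved unchanged.
    """
    labels = qname.rstrip(".").split(".")
    zone_labels = ZONE.split(".")
    if labels[-len(zone_labels):] != zone_labels:
        raise ValueError(f"{qname} is outside {ZONE}")
    head = labels[:-len(zone_labels)]
    # peel off the service labels (Attrleaf / underscore prefix), if any
    i = 0
    while i < len(head) and head[i].startswith("_"):
        i += 1
    prefix, body = head[:i], head[i:]
    if not body or body[0] != "svloop":
        raise ValueError(f"{qname} is not an svloop query")
    params = body[1:]
    if not params:
        new_body = ["svloop"]                    # direct loop: same name
    elif len(params) == 1:
        new_body = ["svloop", params[0], "1"]    # first element of the loop
    else:
        n, idx = int(params[0]), int(params[1])
        nxt = 1 if idx >= n else idx + 1         # wrap after the last element
        new_body = ["svloop", str(n), str(nxt)]
    return ".".join(prefix + new_body + zone_labels) + "."


def follow_aliases(qname: str,
                   lookup: Callable[[str], Optional[str]],
                   max_hops: int = 8):
    """Chase AliasMode targets like a resolver, with two loop guards.

    lookup(name) returns the TargetName of the AliasMode record for name, or
    None when there is nothing further to follow (ServiceMode answer, NODATA).
    The visited set stops cycles as soon as a name repeats; max_hops bounds
    the work even for chains that never repeat.  Returns (status, chain) where
    status is "resolved", "loop" or "hop-limit".
    """
    qname = qname if qname.endswith(".") else qname + "."
    chain, seen = [qname], {qname}
    for _ in range(max_hops):
        target = lookup(chain[-1])
        if target is None:
            return "resolved", chain
        if target in seen:
            return "loop", chain + [target]
        seen.add(target)
        chain.append(target)
    return "hop-limit", chain


if __name__ == "__main__":
    for q in ("svloop.yourdomain.com", "svloop.5.yourdomain.com",
              "_mobile._http._tcp.svloop.10.yourdomain.com"):
        status, chain = follow_aliases(q, svloop_target)
        print(status, " -> ".join(chain))
```

A client without either guard would keep issuing queries for svloop.5.1 through svloop.5.5 forever; the visited set catches the wrap at the sixth hop, and the hop cap alone still stops a loop of 10 elements (or a chain of arbitrary length) after max_hops queries.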

Examples

In this example, we can see a direct loop: the SVCB record returned contains exactly the same domain name as the query. Note that dig sends a type A query by default (see the QUESTION section); the module answers with the SVCB alias even though the query type is A.

# dig svloop.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> svloop.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24227
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;svloop.yourdomain.com.		IN	A

;; ANSWER SECTION:
svloop.yourdomain.com.	60	IN	SVCB	0 svloop.yourdomain.com.

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 06 12:02:16 +04 2024
;; MSG SIZE  rcvd: 76



In this example, we request an SVCB alias loop consisting of 5 elements:

# dig svloop.5.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> svloop.5.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19920
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;svloop.5.yourdomain.com.	IN	A

;; ANSWER SECTION:
svloop.5.yourdomain.com. 60	IN	SVCB	0 svloop.5.1.yourdomain.com.

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 06 12:02:17 +04 2024
;; MSG SIZE  rcvd: 82


The resulting domain name svloop.5.1.yourdomain.com represents the 1st element of the loop.


By resolving the 1st element, we are pointed to the 2nd element of the loop:

# dig svloop.5.1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> svloop.5.1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10747
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;svloop.5.1.yourdomain.com.	IN	A

;; ANSWER SECTION:
svloop.5.1.yourdomain.com. 60	IN	SVCB	0 svloop.5.2.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 06 12:02:19 +04 2024
;; MSG SIZE  rcvd: 84


This continues up to the 5th and final element — svloop.5.5.yourdomain.com.


By resolving the final element of the loop, we are directed back to the 1st element again:

# dig svloop.5.5.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> svloop.5.5.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5592
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;svloop.5.5.yourdomain.com.	IN	A

;; ANSWER SECTION:
svloop.5.5.yourdomain.com. 60	IN	SVCB	0 svloop.5.1.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 06 12:02:20 +04 2024
;; MSG SIZE  rcvd: 84


We can see that we are indeed pointed back to the 1st element again, effectively forming a loop.


As mentioned in the description, this module also supports DNS queries for locating different services using the underscore (_) prefix notation. This example demonstrates such usage: we look for an HTTP service intended for mobile devices and running over TCP (_mobile._http._tcp), and request a loop of 10 elements:

# dig _mobile._http._tcp.svloop.10.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> _mobile._http._tcp.svloop.10.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16456
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_mobile._http._tcp.svloop.10.yourdomain.com. IN	A

;; ANSWER SECTION:
_mobile._http._tcp.svloop.10.yourdomain.com. 60	IN SVCB	0 _mobile._http._tcp.svloop.10.1.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 06 12:02:21 +04 2024
;; MSG SIZE  rcvd: 122


The resulting domain name _mobile._http._tcp.svloop.10.1.yourdomain.com represents the 1st element of the loop.
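The four responses above can be rebuilt byte for byte and parsed back, which is useful when checking captures of this module or writing detection for AliasMode self-references. The following is an added example, not PolarDNS code. It follows RFC 1035 for the header, question and answer layout and RFC 9460 for the SVCB RDATA (SvcPriority u16, then the TargetName in uncompressed wire format, then SvcParams, empty here). One detail dig does not display is assumed: the answer's owner name is a compression pointer to the question name at offset 12, the usual layout. Under that assumption the sizes come out at the MSG SIZE values shown above (76, 82, 84 and 122 bytes); query IDs, TTL 60 and the flags "qr aa" are taken from the outputs.

```python
"""Added example (not PolarDNS code): build a PolarDNS-style SVCB AliasMode
answer at the wire level and parse it back.  Assumed: owner name in the answer
is a compression pointer to offset 12; everything else is from the page.
"""
from __future__ import annotations
import struct

TYPE_A, TYPE_SVCB, CLASS_IN = 1, 64, 1
FLAGS_QR_AA = 0x8400            # QR=1, AA=1, RCODE=NOERROR ("qr aa" in dig)


def encode_name(name: str) -> bytes:
    """Uncompressed wire format: length-prefixed labels plus root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a name that may use compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels) + ".", end
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_svloop_response(qid: int, qname: str, target: str,
                          qtype: int = TYPE_A, ttl: int = 60) -> bytes:
    """One SVCB AliasMode answer to an (A) query, as the svloop module sends it."""
    header = struct.pack("!HHHHHH", qid, FLAGS_QR_AA, 1, 1, 0, 0)  # QD=1, AN=1
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # SvcPriority 0 = AliasMode; TargetName must be uncompressed; no SvcParams
    rdata = struct.pack("!H", 0) + encode_name(target)
    answer = (b"\xc0\x0c"                                          # owner -> offset 12 (assumed)
              + struct.pack("!HHIH", TYPE_SVCB, CLASS_IN, ttl, len(rdata))
              + rdata)
    return header + question + answer


def parse_svcb_response(msg: bytes) -> dict:
    """Parse a single-answer SVCB response into its fields."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1 or an != 1:
        raise ValueError("expected exactly one question and one answer")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    owner, off = decode_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype != TYPE_SVCB:
        raise ValueError(f"not an SVCB record: type {rtype}")
    priority = struct.unpack("!H", rdata[:2])[0]
    # RFC 9460 forbids compression inside SVCB RDATA, so decode against rdata alone
    target, toff = decode_name(rdata, 2)
    return {
        "id": qid, "aa": bool(flags & 0x0400), "qname": qname, "qtype": qtype,
        "owner": owner, "ttl": ttl, "priority": priority,
        "mode": "AliasMode" if priority == 0 else "ServiceMode",
        "target": target, "svcparams": rdata[toff:], "size": len(msg),
    }


if __name__ == "__main__":
    for qid, q, t in [(24227, "svloop.yourdomain.com.", "svloop.yourdomain.com."),
                      (19920, "svloop.5.yourdomain.com.", "svloop.5.1.yourdomain.com.")]:
        r = parse_svcb_response(build_svloop_response(qid, q, t))
        print(r["size"], r["owner"], "->", r["target"], r["mode"])
```

A parsed record whose owner equals its target is the direct loop from the first example; for the multi-element variant the loop is only visible across several responses, which is why the client-side guards described in the introduction have to track the whole chain rather than inspect one answer.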

