# PolarDNS catalogue - CNAME fuzzing

  1. General features
  2. Aliases, loops and chains
  3. Response modifiers
  4. CNAME fuzzing
  5. Bad compression
  6. Empty responses
  7. Record injections

A variety of scenarios involving illegally specified CNAME record(s) in the response.

## Long CNAME alias of arbitrary size (bigcname)

Respond with a randomly generated CNAME of arbitrary size, capable of creating oversized domain labels and domain names.

- **format:** `bigcname.<LABEL-SIZE-1>.[<LABEL-SIZE-N>].yourdomain.com`
- **remark:** Max label size is 63
- **remark:** Max size of the whole domain name is 255
- **example:** `dig bigcname.63.63.63.yourdomain.com @127.0.0.1`
- **example:** `dig bigcname.63.63.63.63.63.63.63.63.yourdomain.com @127.0.0.1`

Sample:

```
# dig bigcname.63.63.63.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> bigcname.63.63.63.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39565
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bigcname.63.63.63.yourdomain.com. IN	A

;; ANSWER SECTION:
bigcname.63.63.63.yourdomain.com. 60 IN	CNAME	always.up42ifbdztiqsnagsvkxw6x5i2fhhnqp8zrxpi8srwom391cdxfnlhkuckg9c9l.r53nipw6v2fqabq1f4bqy5l3hslopexhn4nm8kahrahopef4417kcsued0b74ae.dl0g71w52tudrv1wuotg9o6oayhaxl0liyckknjw6tf6zrxcw7knobzzfboa54x.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 02 16:35:02 +04 2023
;; MSG SIZE  rcvd: 309
```

## Long CNAME with arbitrary number of labels (manylabels)

Respond with a CNAME containing an arbitrary number of labels (domain components), capable of creating oversized domain labels and domain names.

- **format:** `manylabels.<NUMBER-OF-LABELS>.<LABEL-SIZE>.yourdomain.com`
- **remark:** Max label size is 63
- **remark:** Max size of the whole domain name is 255
- **example:** `dig manylabels.100.yourdomain.com @127.0.0.1`
- **example:** `dig manylabels.50.2.yourdomain.com @127.0.0.1`
- **example:** `dig manylabels.300.yourdomain.com @127.0.0.1`

Sample:

```
# dig manylabels.100.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> manylabels.100.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4688
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;manylabels.100.yourdomain.com.	IN	A

;; ANSWER SECTION:
manylabels.100.yourdomain.com. 60 IN	CNAME	always.t.g.k.s.h.z.b.u.s.d.y.s.b.6.o.h.8.5.r.z.r.z.b.n.w.g.r.r.y.p.9.b.7.9.m.w.r.m.d.3.9.d.q.1.x.d.m.1.f.0.i.u.3.4.e.5.4.u.i.5.k.u.y.x.i.s.v.s.k.p.h.a.r.q.w.g.7.m.t.z.s.x.n.g.g.0.2.h.n.f.q.o.2.e.0.c.3.2.v.h.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 08 16:37:15 +04 2023
;; MSG SIZE  rcvd: 311
```

## Many always CNAME aliases (manycnames)

**DEPRECATED❗** Use an alias with the nfz name fuzzer, which has more powerful features.

Respond with an arbitrary number of randomly generated CNAME records.

- **format:** `manycnames.<NUMBER-OF-RECORDS>.yourdomain.com`
- **example:** `dig manycnames.50.yourdomain.com @127.0.0.1`
- **example:** `dig manycnames$((RANDOM)).800.yourdomain.com @127.0.0.1`

Sample:

```
# dig manycnames.50.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> manycnames.50.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56180
;; flags: qr aa; QUERY: 1, ANSWER: 50, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;manycnames.50.yourdomain.com.	IN	A

;; ANSWER SECTION:
manycnames.50.yourdomain.com. 60 IN	CNAME	always278.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always22570.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always17742.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always64673.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always23037.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always97747.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always75494.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always15521.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always93306.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always18545.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always68064.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always80183.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always77186.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always91741.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always71768.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always71703.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always39237.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always50368.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always85898.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always35779.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always99936.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always79473.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always32149.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always77880.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always295.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always10366.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always10792.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always86822.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always45845.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always40760.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always98867.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always68554.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always72340.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always13631.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always82567.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always74815.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always40411.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always18058.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always34323.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always31600.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always78690.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always44918.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always85167.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always81033.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always40362.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always69852.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always49212.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always39463.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always96455.yourdomain.com.
manycnames.50.yourdomain.com. 60 IN	CNAME	always3338.yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 08 10:40:18 +04 2023
;; MSG SIZE  rcvd: 3441
```

## Many random CNAME aliases, textual (cnamefuzz1)

**DEPRECATED❗** Use an alias with the nfz name fuzzer, which has more powerful features.

Respond with many CNAME answers, each containing a random string of the specified length made of all kinds of illegal ASCII characters that are likely not allowed in a domain name.

- **format:** `cnamefuzz1.<NUMBER-OF-CNAMES>.<CNAME-STRING-SIZE>.yourdomain.com`
- **example:** `dig cnamefuzz1.10.10.yourdomain.com @127.0.0.1`
- **example:** `dig cnamefuzz1whatever.10.10.yourdomain.com @127.0.0.1`

Sample:

```
# dig cnamefuzz1.10.10.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> cnamefuzz1.10.10.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24247
;; flags: qr aa; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnamefuzz1.10.10.yourdomain.com. IN	A

;; ANSWER SECTION:
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	]i\$?U^*[kQ.
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	h\011oK0+loF?.
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	mbLbcD]gMG.
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	:%}pDmLVd*.
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	eqZ2e]LnnI.
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	70D&,\013\012>`<.
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	B]\$!Ct-Dlr.
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	'p\010\(~XC2KA.
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	_#3<%FcG6~.
cnamefuzz1.10.10.yourdomain.com. 60 IN	CNAME	/._\012\009rr\"\;q.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 02 16:44:56 +04 2023
;; MSG SIZE  rcvd: 599
```

## Many random CNAME aliases, binary (cnamefuzz2)

**DEPRECATED❗** Use an alias with the nfz name fuzzer, which has more powerful features.

Respond with many CNAME answers, each containing a random binary string (NULL terminated) of the specified length.

- **format:** `cnamefuzz2.<NUMBER-OF-CNAMES>.<CNAME-STRING-SIZE>.yourdomain.com`
- **example:** `dig cnamefuzz2.10.10.yourdomain.com @127.0.0.1`
- **example:** `dig cnamefuzz2whatever.10.10.yourdomain.com @127.0.0.1`

Sample:

```
# dig cnamefuzz2.10.10.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> cnamefuzz2.10.10.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46795
;; flags: qr aa; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnamefuzz2.10.10.yourdomain.com. IN	A

;; ANSWER SECTION:
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\143\239\161d\21575%3\172.
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\146y%\255!\)\174\175\222n.
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\165\224\189\022o\008\137Uz\186.
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\229\158\191\1526\179se\012\234.
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\218C\004\018W\130\222W+\154.
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\025\027\246|\136w\223K\019\221.
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\149\149m\149\214s\167\198\015r.
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\209\240k\185\206\144:s6\235.
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\237\192]q\137\027\016\248\214\192.
cnamefuzz2.10.10.yourdomain.com. 60 IN	CNAME	\231\011<\186\023\145\232j\208\..

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 02 16:35:02 +04 2023
;; MSG SIZE  rcvd: 599
```

## CNAME alias with a dot in different positions (dotcname)

Respond with a CNAME (always123456.yourdomain.com) containing a dot character (.) in different positions, based on the selected variant.

- **format:** `dotcname.<VARIANT-1-7>.yourdomain.com`
- **remark:** VARIANT produces the following responses:

| variant | response |
|---|---|
| 1 | `always[DOT]123456.yourdomain.com` |
| 2 | `always[DOT]a123456.yourdomain.com` |
| 3 | `always123456[DOT]yourdomain.com` |
| 4 | `always123456.yourdomain[DOT]com` |
| 5 | `always123456.yourdomain.com[DOT]` |
| 6 | `always123456.yourdomain.com.[DOT]` |
| 7 | `always123456[DOT]yourdomain[DOT]com` |

- **example:** `dig dotcname.1.yourdomain.com @127.0.0.1`
- **example:** `dig dotcnameanything.1.yourdomain.com @127.0.0.1`

Sample:

```
# dig dotcname.1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> dotcname.1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54790
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dotcname.1.yourdomain.com.	IN	A

;; ANSWER SECTION:
dotcname.1.yourdomain.com. 60	IN	CNAME	always\.656868.yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Wed Nov 08 00:33:00 +04 2023
;; MSG SIZE  rcvd: 110
```

## Resolvable CNAME with arbitrary byte string (cgena / badcname)

Respond with a CNAME (always123456.yourdomain.com) containing an arbitrary number of characters (bytes) in different positions, based on the selected variant.

- **format:** `cgena.<VARIANT-1-9>.<BYTE-0-255>.<HOWMANY>.yourdomain.com`
- **remark:** VARIANT produces the following responses:

| variant | response |
|---|---|
| 1 | `<BAD>.always123456.yourdomain.com` |
| 2 | `<BAD>always123456.yourdomain.com` |
| 3 | `always<BAD>123456.yourdomain.com` |
| 4 | `always123456<BAD>.yourdomain.com` |
| 5 | `always123456<BAD>yourdomain.com` |
| 6 | `always123456.yourdomain<BAD>.com` |
| 7 | `always123456.yourdomain.<BAD>com` |
| 8 | `always123456.yourdomain.com<BAD>` |
| 9 | `always123456.yourdomain.com.<BAD>` |

- **example:** `dig cgena.5.0.4.yourdomain.com @127.0.0.1`
- **example:** `dig cgena.1.0.5.yourdomain.com @127.0.0.1`
- **example:** `dig cgenaanything.1.255.100.yourdomain.com @127.0.0.1`

Sample:

```
# dig cgena.5.0.4.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> cgena.5.0.4.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60598
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cgena.5.0.4.yourdomain.com.	IN	A

;; ANSWER SECTION:
cgena.5.0.4.yourdomain.com. 60	IN	CNAME	always956701\000\000\000\000yourdomain.com.

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 09 21:58:55 +04 2023
;; MSG SIZE  rcvd: 114
```

## Unresolvable CNAME with arbitrary byte string (cgenb)

Respond with a CNAME (nonres123456.yourdomain.com) containing an arbitrary number of characters (bytes) in different positions, based on the selected variant.

- **format:** `cgenb.<VARIANT-1-9>.<BYTE-0-255>.<HOWMANY>.yourdomain.com`
- **remark:** VARIANT produces the following responses:

| variant | response |
|---|---|
| 1 | `<BAD>.nonres123456.yourdomain.com` |
| 2 | `<BAD>nonres123456.yourdomain.com` |
| 3 | `nonres<BAD>123456.yourdomain.com` |
| 4 | `nonres123456<BAD>.yourdomain.com` |
| 5 | `nonres123456<BAD>yourdomain.com` |
| 6 | `nonres123456.yourdomain<BAD>.com` |
| 7 | `nonres123456.yourdomain.<BAD>com` |
| 8 | `nonres123456.yourdomain.com<BAD>` |
| 9 | `nonres123456.yourdomain.com.<BAD>` |

- **example:** `dig cgenb.5.255.10.yourdomain.com @127.0.0.1`
- **example:** `dig cgenb.5.39.5.yourdomain.com @127.0.0.1`
- **example:** `dig cgenbanything.1.255.100.yourdomain.com @127.0.0.1`

Sample:

```
# dig cgenb.5.255.10.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> cgenb.5.255.10.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24209
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cgenb.5.255.10.yourdomain.com.	IN	A

;; ANSWER SECTION:
cgenb.5.255.10.yourdomain.com. 60 IN	CNAME	nonres030594\255\255\255\255\255\255\255\255\255\255yourdomain.com.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 09 21:39:31 +04 2023
;; MSG SIZE  rcvd: 126
```

## Illegal CNAME formats (illcname)

**DEPRECATED❗** Use an alias with the nfz name fuzzer, which has more powerful features.

Respond with a CNAME alias containing a hostname in an illegal form, e.g. containing an IP address, a port number or a URL, based on the selected variant.

- **format:** `illcname.<VARIANT-1-12>.yourdomain.com`
- **remark:** VARIANT produces the following responses:

| variant | response | note |
|---|---|---|
| 1 | `http://always779768.yourdomain.com/` | |
| 2 | `http://always799902.yourdomain.com:80/` | |
| 3 | `https://always725764.yourdomain.com/` | |
| 4 | `https://always006450.yourdomain.com:443/` | |
| 5 | `always279856.yourdomain.com:80` | |
| 6 | `always260211.yourdomain.com:443` | |
| 7 | `1.2.3.4` | DNS name notation |
| 8 | `1.2.3.4:80` | DNS name notation |
| 9 | `1\.2\.3\.4` | DNS name notation (using a single label with actual dot symbols) |
| 10 | `1\.2\.3\.4:80` | DNS name notation (using a single label with actual dot symbols) |
| 11 | `192.0.2.1` | DNS name notation (our own IP address) |
| 12 | `192.0.2.1:80` | DNS name notation (our own IP address) |

- **remark:** The DNS name notation is a format used for hostnames and domain names, not IP addresses.
- **example:** `dig illcname.1.yourdomain.com @127.0.0.1`
- **example:** `dig illcname.9.yourdomain.com @127.0.0.1`
- **example:** `dig illcnameanything.1.yourdomain.com @127.0.0.1`

Sample:

```
# dig illcname.1.yourdomain.com @127.0.0.1

; <<>> DiG 9.18.10-2-Debian <<>> illcname.1.yourdomain.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55661
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;illcname.1.yourdomain.com.	IN	A

;; ANSWER SECTION:
illcname.1.yourdomain.com. 60	IN	CNAME	http://always208174.yourdomain.com/.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Thu Nov 09 21:50:35 +04 2023
;; MSG SIZE  rcvd: 117
```
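Every feature on this page (the 63-byte label and 255-byte name limits behind bigcname and manylabels, the in-label dot of dotcname, the raw bytes of cgena/cgenb and the `:` and `/` of illcname) targets checks that a resolver or client should apply to a CNAME target before following it. The decoder below is an added example and is not PolarDNS code; `decode_name` and `encode_name` are hypothetical names, the label alphabet is the RFC 1035 letters-digits-hyphen rule, and the names fed to it are constructed.

```python
"""Strict DNS wire-format name decoder (RFC 1035 section 3.1).

Added example, not part of PolarDNS. It collects every problem with a name
instead of raising, so a caller can log or reject a CNAME target.
"""

MAX_LABEL = 63   # imposed by the two high bits of the length octet
MAX_NAME = 255   # whole name on the wire, length octets and root included
LDH = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def encode_name(labels):
    """Wire-encode raw label bytes with NO validation (builds test input)."""
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"


def decode_name(wire, offset=0):
    """Return (labels, end_offset, problems); never raises on malformed data."""
    labels, problems, pos = [], [], offset
    while True:
        if pos >= len(wire):
            problems.append("truncated: no root label before end of data")
            break
        ln, pos = wire[pos], pos + 1
        if ln == 0:                      # root label terminates the name
            break
        if ln & 0xC0 == 0xC0:            # 2-byte compression pointer
            problems.append(f"compression pointer 0x{ln:02x}: not followed here")
            pos += 1
            break
        if ln & 0xC0:
            # 0x40/0x80 are extended/reserved label types, which is why a
            # plain label can never be longer than MAX_LABEL on the wire.
            problems.append(f"reserved label type 0x{ln:02x}, not a plain label")
            break
        label = wire[pos:pos + ln]
        pos += ln
        labels.append(label)
        if len(label) < ln:
            problems.append("label runs past end of data")
            break
        if b"." in label:                # dotcname-style dot inside a label
            problems.append(f"dot inside label {label!r}")
        bad = sorted(set(label) - LDH - {0x2E})
        if bad:                          # cgena/cgenb-style raw bytes, ':' or '/'
            problems.append(f"non-LDH bytes {bad} in label {label!r}")
    if pos - offset > MAX_NAME:
        problems.append(f"name is {pos - offset} octets, exceeds {MAX_NAME}")
    return labels, pos, problems
```

Feeding it the RDATA of the dotcname and cgena samples above reproduces the dot-in-label and NUL-byte findings; a compression pointer is reported rather than followed, so run it on uncompressed RDATA or extend it with a hop limit.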
