Test your resolver

Notice

On this site, we provide a simple online tool to test for some of the vulnerabilities. This test cannot detect all resolver misinterpretation vulnerabilities, as the required queries cannot be triggered with JavaScript in all cases. To test for all vulnerabilities, you can download our test tool or conduct a manual test.


Online Test

The results of this tool are collected anonymously in order to collect more information about vulnerable systems and networks and to improve the security of DNS infrastructure in the Internet. If you do not agree with this data collection, you can still test your DNS resolver manually; we provide instructions on how to conduct such a manual test at https://xdi-attack.net/test.html

Overriding via zero-byte

This test works by feeding the resolver the following records:

    cnamedot.attacker.com.        IN CNAME   victim.com\000.attacker.com.
    victim.com\000.attacker.com.  IN A       6.6.6.6

When processing the victim.com\000.attacker.com name, the resolver might confuse it with the legitimate victim.com domain, thereby replacing the IP address for victim.com with the attacker's address (6.6.6.6).


Detailed results for different attack variants:

  • Direct CNAME: "vulnerable" if the test result is 'attacker', "not vulnerable" if it is 'victim', otherwise "unclear result".
  • Deferred CNAME (1): evaluated the same way.
  • Deferred CNAME (2): evaluated the same way.
  • Direct A: This attack variant cannot be checked online, please download our tool or conduct a manual test.


Overriding via dot in label

This test works by feeding the resolver the following records:

    cnamedot.attacker.com.         IN CNAME   www\.victim.com.
    www\.victim.com.               IN A       6.6.6.6

When processing the www\.victim.com name, the resolver might confuse it with the legitimate www.victim.com domain, thereby replacing the IP address for www.victim.com with the attacker's address (6.6.6.6).


Detailed results for different attack variants:

  • Direct CNAME: "vulnerable" if the test result is 'attacker', "not vulnerable" if it is 'victim', otherwise "unclear result".
  • Deferred CNAME (1): evaluated the same way.
  • Deferred CNAME (2): evaluated the same way.
  • Direct A: This attack variant cannot be checked online, please download our tool or conduct a manual test.


Special character filtering

These tests check whether your resolver validates hostnames per RFC 952. Unlike domain names, which can contain arbitrary characters, hostnames are only allowed to contain the characters [0-9a-z-.]. To reduce the chance that an application which is unaware of this is attacked using a domain name containing an injection payload, stub resolvers should therefore filter such names.
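
The two overriding tests and the hostname filtering above come down to how wire-format labels are turned into a string. The following is an added example, not code from this site or its test tool: it decodes the page's two names without and with escaping and applies the [0-9a-z-] label check. The names `decode` and `is_hostname` and the sample byte strings are assumptions constructed for illustration; name compression is not handled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample names in DNS wire format (length byte, then label bytes). */
static const unsigned char NUL_NAME[] = "\x06victim" "\x04" "com\0" "\x08" "attacker" "\x03" "com";
static const unsigned char DOT_NAME[] = "\x0a" "www.victim" "\x03" "com";
static const unsigned char OK_NAME[]  = "\x03" "www" "\x06victim" "\x03" "com";

/* Decode a wire name into out. escape=0 is the flawed pattern (label bytes copied
 * verbatim); escape=1 writes '.', backslash and non-printable bytes in escaped form. */
int decode(const unsigned char *w, size_t n, int escape, char *out, size_t cap) {
    size_t i = 0, o = 0;
    while (i < n && w[i] != 0) {
        size_t len = w[i++];
        if (len > 63 || i + len > n) return -1;      /* compression not handled */
        for (size_t end = i + len; i < end; i++) {
            unsigned char c = w[i];
            if (o + 6 > cap) return -1;              /* room for \DDD, '.', NUL */
            if (escape && (c == '.' || c == '\\')) { out[o++] = '\\'; out[o++] = (char)c; }
            else if (escape && (c < 0x21 || c > 0x7e))
                o += (size_t)snprintf(out + o, cap - o, "\\%03u", (unsigned)c);
            else out[o++] = (char)c;
        }
        out[o++] = '.';
    }
    if (i >= n) return -1;                           /* root label missing */
    out[o] = '\0';
    return 0;
}

/* Hostname check on wire labels: only [0-9a-z-] inside a label (dots separate labels). */
int is_hostname(const unsigned char *w, size_t n) {
    size_t i = 0;
    while (i < n && w[i] != 0) {
        size_t len = w[i++];
        if (len > 63 || i + len > n) return 0;
        for (size_t end = i + len; i < end; i++)
            if (!((w[i] >= '0' && w[i] <= '9') || (w[i] >= 'a' && w[i] <= 'z') || w[i] == '-'))
                return 0;
    }
    return i < n;
}

int main(void) {
    char raw[128], esc[128];
    decode(NUL_NAME, sizeof NUL_NAME, 0, raw, sizeof raw);
    decode(NUL_NAME, sizeof NUL_NAME, 1, esc, sizeof esc);
    printf("naive: %s  escaped: %s  hostname: %d\n", raw, esc, is_hostname(NUL_NAME, sizeof NUL_NAME));
}
```

With escaping, both names keep the presentation form used in the record listings above and no longer compare equal to the legitimate names; the label check rejects them before they reach an application.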


Resolvers tested

During the tests we saw the following addresses of DNS resolvers used by your web browser:


Raw test results

In case you are interested, you can look at the raw test result data here.
