Test your resolver

Notice: This test cannot detect all resolver misinterpretation vulnerabilities as the required queries cannot be triggered with javascript in all cases.

Overriding via zero-byte (cnamezero)

This test work feeding the resolver with the following records:

    cnamedot.attacker.com.        IN CNAME   victim.com\000.attacker.com.
    victim.com\000.attacker.com.  IN A       6.6.6.6

When processing the victim.com\000.attacker.com name, the resolver might confuse it with the legitimate victim.com domain, thereby replacing the IP address for victim.com with the attacker's address (6.6.6.6).


Overriding via dot in label (cnamedot)

This test work feeding the resolver with the following records:

    cnamedot.attacker.com.         IN CNAME   www\.victim.com.
    www\.victim.com.               IN A       6.6.6.6

When processing the www\.victim.com name, the resolver might confuse it with the legitimate www.victim.com domain, thereby replacing the IP address for www.victim.com with the attacker's address (6.6.6.6).


Special character filtering

These tests will test if your resolver validates hostnames per RFC952. Other than domain names, which can contain arbitrary characters, hostnames are only allowed to contain the characters [0-9a-z-.]. To reduce the chance the an application which is unaware of this is attacked using a domain name containg an injection payloads, stub resolvers should thereby filtering such names.


Resolvers tested

During the tests we saw the following addresses of DNS resolvers used by your web browser:

{{as.as.name}} AS{{as.as.asn}} ({{as.as.country}})

Raw test results

In case you are interested you can look at th raw test result data here.

{{json(results)}}