UDP Packet Hack

Karl Auer kauer at biplane.com.au
Wed Jun 22 01:28:23 UTC 2016

On Wed, 2016-06-22 at 01:06 +0000, Jun Xiang X Tee wrote:
>   I am working on hacking UDP packets returned to "dig" client. I
> wish to include some extra information about the "digged" domain
> (e.g., facebook.com) at Additional Section of "dig" reply in TXT
> format. The ideal result is to be able to see the hacked UDP packets
> having the extra information using tools such as Wireshark.

You can't change what the authoritative servers for the facebook.com
domain return.

You could hack a server in between your dig client and Facebook, though
- dig requests info from your server, your server requests info from
Facebook, your server modifies the response from Facebook, your server
returns the modified response to dig (or whatver made the query)

You would need to either return the new information in a form
compatible with what dig expects, or you would have to hack dig as
well. If you did that, ordinary clients might no longer be able to use
the server.

>I am still confused on where "dig" gets the UDP packets from.

dig makes its own outbound UDP packets (and TCP packets don't forget!).
Inbound packets come from whatever server is responding to dig's

Below are my questions:

>   (1) Does "dig" get its UDP packets from "named" server? Or "lwresd"
> server? Or others?

>From whatever server its request went to. You could find out by
watching the traffic with eg Wireshark. If you specify the server to
dig with @server, then that is the server sending responses packets to

>   (2) For hacking purpose, I should work on BIND9 source codes. I
> don't need to install BIND9 using "apt-get install", right?

If you are building and installing from source, right.

>   (3) Lastly, the most important question: How should I configure DNS
> server for "dig"?

You don't need to unless you are modifying the protocol. The server
will not know it is "dig" querying it; as far as the server is
concerned it's just receiving and responding to queries from clients.

>         I think what I should do is "./dig @chosen_DNS_server
> google.com",  but I do not know how to configure the server.

Not sure what you mean by "configure the server". What DO you mean by
"configure the server"?

Regards, K.

Karl Auer (kauer at biplane.com.au)

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4

More information about the bind-users mailing list