Fun with domain names - The WWW

venam
Administrators
Hello nixers,
This thread is simply a write-up about a fun experiment we did on IRC, putting an ephemeral conversation into ink.
Pasting any of the following in your browser URL bar redirects/resolves to nixers.net:
Code:
https://𝕟𝕚𝕩𝕖𝕣𝕤.𝕟𝕖𝕥
https://ⓝⓘⓧⓔⓡⓢ.ⓝⓔⓣ
https://𝐧𝐢𝐱𝐞𝐫𝐬.𝐧𝐞𝐭
https://𝖓𝖎𝖝𝖊𝖗𝖘.𝖓𝖊𝖙

Interesting, so at which level does the conversion happen? We know DNS only supports ASCII and would actually convert Unicode to punycode if it encountered some.
The same behavior happens with curl and dig, and snooping it with wireshark shows that the actual request sent for A is nixers.net.

Code:
dig @8.8.8.8 A ⓝⓘⓧⓔⓡⓢ.ⓝⓔⓣ

My guess is that DNS doesn't actually handle such wide characters but that the tools fall back on a library that does the normalization for them.

Let's test if the DNS resolves by packing our own request and sniffing it with wireshark:

Code:
echo -n -e "\x13\x37\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x18𝖓𝖎𝖝𝖊𝖗𝖘\x0c𝖓𝖊𝖙\x00\x00\x01\x00\x01" | nc -u -w1 8.8.8.8 53
(Replace Google's DNS with your favorite one)

And nope, it doesn't work, we get a server error:

[Image: tvx7ozx.png]

So it's a local conversion to ASCII, using normalization.
From the command line you can test using the following:

Code:
> iconv -f utf-8 -t ascii//TRANSLIT <<<𝖓𝖎𝖝𝖊𝖗𝖘.𝖓𝖊𝖙
nixers.net

And that explains our initial issue. However, I'm still wondering which library does the conversion in all these tools. Let me know if you find it; my strace log was too big and I didn't want to parse it.

EDIT: I've actually found where the DNS translation is done in all these tools: they rely on getaddrinfo(3) and other OS libs.
So it starts from getaddrinfo, which then calls either __idna_to_dns_encoding or __idna_to_ascii_lz depending on the version (my guess), which relies on libidn. So libidn is doing all the dirty work.

Code:
~ > ldd $(which curl) | grep libidn
    libidn2.so.0 => /usr/lib/libidn2.so.0 (0x00007fe303ea0000)

You can actually test it on the command line too, similar to uconv:
Code:
> idn --idna-to-ascii 'https://𝐧𝐢𝐱𝐞𝐫𝐬.𝐧𝐞𝐭'
https://nixers.net

The relevant part of the getaddrinfo docs:
Code:
AI_IDN If  this flag is specified, then the node name given in node is converted
              to IDN format if necessary.  The source encoding is that of  the  current
              locale.

              If the input name contains non-ASCII characters, then the IDN encoding is
              used.  Those parts of the node name (delimited by dots) that contain non-
              ASCII characters are encoded using ASCII Compatible Encoding (ACE) before
              being passed to the name resolution functions.

Other interesting things you can do with browsers and domain names:
  • Point your domain name to 127.0.0.1, trick the user if they currently have a server running locally
  • Representing the IP in a different form, such as a single 4B integer: http://2990468176, or multiple bytes, even though it isn't in the URL standard
  • The usual homoglyph attack, using characters that could be confused with other ones, for example: https://paypal.com@2990468176

Yep, the web is kind of complicated...

The forums now support Unicode properly, it's magic!
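
The local mapping described in the post, as an added example that is not part of the original post: the Unicode spelling is folded to ASCII before any query is built, so a hostname filter has to compare the mapped name, not the raw string. NFKC normalization plus lowercasing stands in here for libidn's mapping step (an assumption), and the function names are hypothetical.

```python
import unicodedata


def to_lookup_name(host: str) -> str:
    """Stand-in for the local mapping step (assumption: NFKC + lowercase),
    followed by ACE ("xn--" + punycode) for labels that are still non-ASCII."""
    mapped = unicodedata.normalize("NFKC", host).lower()
    labels = []
    for label in mapped.split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def qname(host: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in host.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length {len(raw)} in {host!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def missed_by_raw_compare(host: str, names: set) -> bool:
    """True when a plain string comparison misses a host that resolves
    to one of `names` once the local mapping has been applied."""
    return host not in names and to_lookup_name(host) in names


if __name__ == "__main__":
    watched = {"nixers.net"}
    # Constructed sample input: spellings from the post plus two controls.
    for host in ["𝖓𝖎𝖝𝖊𝖗𝖘.𝖓𝖊𝖙", "ⓝⓘⓧⓔⓡⓢ.ⓝⓔⓣ", "nixers.net", "b\u00fccher.example"]:
        print(f"{host!r:26} -> {to_lookup_name(host):24} "
              f"missed_by_raw_compare={missed_by_raw_compare(host, watched)}")
    # The raw UTF-8 name gives the \x18 and \x0c length bytes of the
    # hand-built packet; the mapped name is what resolvers actually send.
    print(qname("𝖓𝖎𝖝𝖊𝖗𝖘.𝖓𝖊𝖙").hex())
    print(qname(to_lookup_name("𝖓𝖎𝖝𝖊𝖗𝖘.𝖓𝖊𝖙")))
```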


Messages In This Thread
Fun with domain names - by venam - 24-08-2020, 08:25 AM