DNS Attack Info: "Bad domain format, illegal ASCII value in domain"
Symptoms
  • Error in SmartView Tracker: "Bad domain format, illegal ASCII value in domain".
Cause
A domain name is represented as a list of labels (strings), separated by dots and terminated by a null terminator. It corresponds to the address of a host on the Internet.

This error is generated when a DNS message contains a domain name with characters that do not comply with the DNS RFCs.
RFC 1035 restricted the characters of a domain name to letters, digits and the hyphen (known as the "LDH rule"). RFC 2872 (which discusses SRV records) added the use of underscores in domain names.

To recap, any character other than a letter (a-z, A-Z), a digit (0-9), a hyphen (-) or an underscore (_) is illegal.

This protection is part of DNS enforcement and will be disabled in future versions, because of the trend toward internationalized domain names and the ongoing discussion of this issue. While DNS purists point out that labels in domain names may contain any binary value, US-ASCII characters are in practice the only values that are useful and supported by all DNS implementations.
Solution
The error is displayed and packets are dropped because they do not comply with the protocol. It may indicate a malicious attempt to attack the system.

It is possible to allow up to four extra characters, each with a decimal (ASCII) value below 128, using the kernel global parameter dns_allowed_chars.
For instructions on how to edit kernel global parameters, refer to sk26202.

For example, in order to allow backtick (`), define the parameter dns_allowed_chars with a value of 96.

To allow more than one extra character via dns_allowed_chars, multiply one value by 256 and add the second.
For example, in order to allow both backtick (96) and exclamation mark (33), dns_allowed_chars can be set to 96*256+33 (24609).

In general, assuming a, b, c and d are the four decimal values to allow, dns_allowed_chars should be set to a*256*256*256+b*256*256+c*256+d.

This method cannot be applied to characters of arbitrary decimal value. It only works for decimal values below 128 (i.e. 0 <= a, b, c, d < 128).
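As an added example (not part of the SecureKnowledge article), the following Python computes a dns_allowed_chars value with the arithmetic described above, decodes such a value back into its characters, and reports which characters of a name the check would still reject. The function names and the sample names are constructed for illustration.

```python
import string

# Characters accepted without any tuning: the LDH rule plus underscore.
LDH_UNDERSCORE = set(string.ascii_letters + string.digits + "-_")


def pack_dns_allowed_chars(extra: str) -> int:
    """Pack one to four extra characters into a dns_allowed_chars value.

    Characters are placed one per byte, first character in the most
    significant byte, i.e. a*256^3 + b*256^2 + c*256 + d.  Only decimal
    values below 128 are accepted, matching the limitation of the parameter.
    """
    if not 0 < len(extra) <= 4:
        raise ValueError("dns_allowed_chars holds between one and four characters")
    value = 0
    for ch in extra:
        code = ord(ch)
        if not 0 <= code < 128:
            raise ValueError(f"{ch!r} has value {code}; only values below 128 can be allowed")
        value = value * 256 + code
    return value


def unpack_dns_allowed_chars(value: int) -> list[str]:
    """Recover the extra characters from a dns_allowed_chars value.

    A zero byte is an unused slot (fewer than four characters were packed).
    """
    if not 0 <= value < 256 ** 4:
        raise ValueError("value does not fit in four bytes")
    codes = [(value >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return [chr(c) for c in codes if c != 0]


def illegal_chars(domain: str, dns_allowed_chars: int = 0) -> list[str]:
    """Return the characters of `domain` that DNS enforcement would reject.

    Dots separate labels and are not label characters, so they are skipped.
    Characters with a value of 128 or more are always reported, since the
    parameter cannot allow them.
    """
    allowed = LDH_UNDERSCORE | set(unpack_dns_allowed_chars(dns_allowed_chars))
    return sorted({ch for ch in domain if ch != "." and ch not in allowed})
```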
