TL;DR
Yes, some SSL domains still contain the nul character (`\x00`) for testing or legacy reasons. This guide shows you how to find them using online tools and command-line methods.
Finding Domains with NUL Characters in their Names
- Understand the Problem: The nul character (`\x00`) is a control character that can cause issues with DNS resolution and certificate validation. While generally discouraged, some domains were created with it intentionally for testing or due to historical quirks.
- Use Online Tools: Several websites scan for domains containing the nul character. These are often the easiest way to find examples:
  - crt.sh: This is a powerful certificate search tool. You can use it to specifically look for certificates with domain names including `%00` (the URL-encoded representation of the nul character).
    Go to https://crt.sh/ and enter `%00` in the search box.
  - SSL Labs SSL Server Test: While not a direct finder, running tests on suspect domains identified elsewhere can confirm if they have issues related to nul characters.
    Go to https://www.ssllabs.com/ssltest/ and enter the domain name.
- Command-Line Tools (dig): You can use `dig` to query DNS records directly, looking for responses that might indicate a nul character in the domain name.
  - Basic dig command: This will show you all DNS records for a given domain.

    ```
    dig example.com
    ```
  - Searching for specific patterns: You can filter the output of `dig` using tools like `grep` to look for the nul character’s encoded representation.

    ```
    dig example.com | grep '%00'
    ```

    Note: This method is less reliable as it depends on how the DNS server handles and returns results.
- Command-Line Tools (nslookup): Similar to `dig`, `nslookup` can be used but offers less control over query types.

  ```
  nslookup example.com
  ```

  Again, filtering the output with `grep '%00'` might reveal nul characters.
- Python Scripting (Advanced): For more automated searching, you can write a Python script using libraries like `dnspython` to query DNS records and check for the nul character.

  ```python
  import dns.resolver


  def check_domain(domain):
      """Resolve a domain and report any record whose text contains a nul character."""
      try:
          answers = dns.resolver.resolve(domain)  # default query type is A
          for rdata in answers:
              # '\x00' is the nul character itself, not the literal text "x00"
              if '\x00' in str(rdata):
                  print(f"Domain {domain} contains a nul character!")
      except dns.resolver.NXDOMAIN:
          pass  # Domain does not exist
      except Exception as e:
          print(f"Error checking {domain}: {e}")


  # Example usage
  domain_list = ['example.com', 'test.com']
  for domain in domain_list:
      check_domain(domain)
  ```
- Testing the Domains: Once you’ve identified potential domains, test them with an SSL checker (like SSL Labs) to confirm if the nul character causes issues.
- Be Careful: Testing potentially malicious domains can be risky. Use a virtual machine or isolated environment for testing.
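To triage certificate search results offline, the following added example (not part of the original guide) scans certificate records for names that carry a nul in raw or encoded form and reports the prefix a reader that stops at the nul would see. The sample records are constructed, and the `id`/`name_value` field layout, the list of recognised encodings and all function names are assumptions of this example.

```python
import json
import re

# Encodings of nul this example recognises (assumption): URL-encoded %00,
# DNS presentation-format \000, and a literal "\x00" escape in tool output.
ENCODED_NUL = re.compile(r"%00|\\000|\\x00", re.IGNORECASE)

# Constructed sample records; the field names are an assumed export layout.
# All names use reserved example/invalid domains.
SAMPLE = r'''[
  {"id": 1, "name_value": "www.example.com\nexample.com"},
  {"id": 2, "name_value": "www.example.com\u0000.test.invalid"},
  {"id": 3, "name_value": "login.example.com%00.test.invalid"},
  {"id": 4, "name_value": "mail.example.com\\000.test.invalid"}
]'''


def normalize(name):
    """Turn every encoded nul in a name into a real nul character."""
    return ENCODED_NUL.sub("\x00", name)


def find_nul_names(records):
    """Return (id, full name, prefix before first nul) for each affected name."""
    findings = []
    for rec in records:
        # One name_value field can hold several names, one per line.
        for raw in rec.get("name_value", "").split("\n"):
            name = normalize(raw.strip())
            if "\x00" in name:
                findings.append((rec.get("id"), name, name.split("\x00", 1)[0]))
    return findings


def scan_json(text):
    """Parse a JSON array of certificate records and scan it."""
    return find_nul_names(json.loads(text))


if __name__ == "__main__":
    for cert_id, name, prefix in scan_json(SAMPLE):
        # repr() keeps the nul visible instead of writing it to the terminal.
        print(f"cert {cert_id}: {name!r} reads as {prefix!r} up to the nul")
```

Comparing the full name with the prefix makes the mismatch explicit: a certificate whose prefix is a domain you own but whose full name is not deserves review.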

