Stuffing JavaScript into DNS TXT Records

This is from the slightly interesting notebook.

If you check out the TXT record for you’ll see there is a record stuffed with JavaScript, which will fire in a lot of whois web services that print the record into their results page unescaped.

scott$   dig txt


;; ANSWER SECTION:
300 IN TXT "<script type='text/javascript'>alert('This is from a DNS record!');</script>"

You can see this firing in action over at, I’m not picking on them specifically; there were a number of online tools that were vulnerable to this.
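The rendering flaw behind this, next to its fix, as an added example that is not code from the original post or from any of the affected tools. The record name `example.test.`, the `<td class="txt">` markup and all function names are assumptions made for illustration.

```javascript
// Constructed sample: a dig answer line carrying the TXT payload shown above.
// "example.test." is a placeholder name, not the domain from the post.
const SAMPLE_ANSWER =
  `example.test. 300 IN TXT "<script type='text/javascript'>alert('This is from a DNS record!');</script>"`;

// Extract the TXT rdata from an answer line. A TXT record is a sequence of
// quoted character-strings; join them and undo dig's backslash escapes
// (\" \\ and \DDD decimal) so we work on the data a resolver would return.
function parseTxtRdata(answerLine) {
  const rdata = /\sTXT\s+(.*)$/.exec(answerLine);
  if (!rdata) return "";
  const parts = [];
  const quoted = /"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = quoted.exec(rdata[1])) !== null) {
    parts.push(m[1].replace(/\\(\d{3}|.)/g, (_, c) =>
      c.length === 3 ? String.fromCharCode(parseInt(c, 10)) : c));
  }
  return parts.join("");
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode for an HTML element-content or quoted-attribute context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: record data concatenated straight into markup, so the
// browser parses the <script> element and runs it.
function renderUnsafe(txt) {
  return `<td class="txt">${txt}</td>`;
}

// Hardened: DNS answers are attacker-controlled input; encode on output.
function renderSafe(txt) {
  return `<td class="txt">${escapeHtml(txt)}</td>`;
}

const txt = parseTxtRdata(SAMPLE_ANSWER);
console.log("unsafe:", renderUnsafe(txt));
console.log("safe:  ", renderSafe(txt));
```

The same encoding applies to every other field a lookup tool echoes back from DNS or whois responses, not only TXT data.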

I’d be interested to see if you have any more creative ideas on what we can do with this.