DNS stands for Domain Name System. DNS is used by all machines to translate hostnames into IP addresses. This mechanism is used to translate names to attributes such as addresses (IPv4/IPv6) based on the query type.
DNS has three major components:
This topic will focus on the resolver perspective, where the client sends a query to the server and the server answers the query. There can be multiple answers to the same query.
Wireshark's `dns` display filter shows only DNS traffic, and the capture filter `udp port 53` is used to capture DNS traffic.

The default DNS port is `53`, and it uses the UDP protocol. Some DNS systems also use TCP: TCP is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers.
The following resource record (RR) format is used by the DNS system:

Field | Description | Length | Wireshark filter |
---|---|---|---|
`NAME` | The owner name | Variable | |
`TYPE` | Type of Resource Record (RR) in numeric form | 2 | |
`CLASS` | Class code | 2 | |
`TTL` | Time to live | 4 | |
`RDLENGTH` | Length of the `RDATA` field in octets | 2 | |
`RDATA` | Additional RR-specific data | Variable | |
In this chapter, the `dig` and `nslookup` network commands are used to query the DNS server. Open the sample `DNS-Packet.pcap` file, set the display filter to `dns.qry.type==28`, and examine the query.
In this example, the client (`192.168.1.101`) is asking the name server (`8.8.4.4`) to resolve `ipv6.google.com` by setting these parameters in the query section:

- Name: `ipv6.google.com`
- Type: `AAAA` (query type 28, the IPv6 address record)
- Class: `IN` (Internet)

The name server (`8.8.4.4`) responds to the client with multiple answers:

- `ipv6.google.com` is an alias whose canonical name (`CNAME`) is `ipv6.l.google.com`
- `ipv6.l.google.com` has the `AAAA` address `2404:6800:4007:805::200e`
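To see how the RR fields from the table above are laid out on the wire, the following parser (an added example, not code from the chapter or its sample capture) decodes the answer section of a DNS response, including name-compression pointers. The response bytes are constructed inline to mirror the `ipv6.google.com` exchange: a `CNAME` answer followed by an `AAAA` answer; the transaction ID, TTL and flags are assumed values.

```python
import socket
import struct
TYPE_NAMES = {1: "A", 5: "CNAME", 28: "AAAA"}  # numeric TYPE values; 28 is the AAAA query above

def encode_name(name):  # hostname -> DNS labels (length byte + label), terminated by a 0 byte
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Read a (possibly compressed) NAME at off; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0: break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), end if end is not None else off

def parse_answers(msg):
    """Return [(NAME, TYPE, CLASS, TTL, RDATA)] for each RR in the answer section."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):                 # skip the question: QNAME + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlength]
        if rtype == 5:                       # CNAME: RDATA is a (compressible) domain name
            rdata, _ = read_name(msg, off)
        elif rtype == 28:                    # AAAA: RDATA is a 16-byte IPv6 address
            rdata = socket.inet_ntop(socket.AF_INET6, rdata)
        off += rdlength
        answers.append((name, TYPE_NAMES.get(rtype, rtype), rclass, ttl, rdata))
    return answers

# Constructed sample response (not a real capture): one AAAA question, two answers.
QNAME = encode_name("ipv6.google.com")
TARGET = encode_name("ipv6.l.google.com")
ADDR = socket.inet_pton(socket.AF_INET6, "2404:6800:4007:805::200e")
PTR_TARGET = struct.pack("!H", 0xC000 | (12 + len(QNAME) + 4 + 2 + 10))  # offset of TARGET
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0) + QNAME + struct.pack("!HH", 28, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(TARGET)) + TARGET  # CNAME RR
          + PTR_TARGET + struct.pack("!HHIH", 28, 1, 300, len(ADDR)) + ADDR)     # AAAA RR
```

Running `parse_answers(SAMPLE)` yields the two answers in the same order Wireshark lists them in the capture.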
Users can use the popular `dig` or `nslookup` network utility commands to query different DNS record types. Run a network capture in the background and observe the query and answer sections for each command:

```bash
# nslookup google.com
# dig google.com
# dig A +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
```
`AXFR` record type; `AXFR` is used to transfer zone files from the master to the secondary name server:

```bash
# nslookup -type=axfr google.com 8.8.4.4
# dig AXFR +noadditional +noquestion +nocomments +nocmd +nostats +multiline google.com. @8.8.4.4
```

`CNAME` record type; `CNAME` is used to set up an alias:

```bash
# nslookup -type=cname google.com 8.8.4.4
# dig CNAME +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
```

`MX` record type; `MX` is the mail exchange record:

```bash
# nslookup -type=mx google.com 8.8.4.4
# dig MX +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
```

`NS` record type; `NS` is the name server record:

```bash
# nslookup -type=ns google.com 8.8.4.4
# dig NS +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
```

`PTR` record type; `PTR` is the pointer record used for reverse DNS lookups:

```bash
# nslookup -type=ptr google.com 8.8.4.4
# dig PTR +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
```

`SOA` record type; `SOA` provides authoritative information about the zone, such as the primary name server and the administrator's e-mail:

```bash
# nslookup -type=soa google.com 8.8.4.4
# dig SOA +noadditional +noquestion +nocomments +nocmd +nostats +multiline google.com. @8.8.4.4
```

`TXT` record type; this is the text record:

```bash
# nslookup -type=txt google.com 8.8.4.4
# dig TXT +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
```

`AAAA` record type (also referred to as the quad-A record type); this displays the IPv6 address of the given hostname:

```bash
# nslookup -type=aaaa google.com 8.8.4.4
# nslookup -type=aaaa ipv6.google.com 8.8.4.4
# dig AAAA +noadditional +noquestion +nocomments +nocmd +nostats ipv6.google.com. @8.8.4.4
```

`ANY` record type; this returns all record types:

```bash
# nslookup -type=any google.com 8.8.4.4
# dig ANY +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4
```