Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

DNS

DNS stands for Domain Name System. DNS is used by all machines to translate hostnames into IP addresses. This mechanism is used to translate names to attributes such as addresses (IPv4/IPv6) based on the query type.

DNS has three major components:

A name space
Servers making that name space available
Resolvers (clients) that query the servers about the name space

This topic will focus on the resolver perspective, where the client sends a query to the server and the server answers the query. There can be multiple answers to the same query.

DNS Wireshark filter

Wireshark's dns filter is used to display only DNS traffic, and UDP port 53 is used to capture DNS traffic.

Port

The default DNS port is 53, and it uses the UDP protocol. Some DNS systems use the TCP protocol also. TCP is used when the response data size exceeds 512 bytes, or for tasks such as zone transfers.

Resource records

The following format is used by the DNS system:

Field	Description	Length	Wireshark filter
NAME	The owner name	variable	`dns.qry.name == "google.com"`
TYPE	Type of Resource Record (RR) in numeric form	2	`dns.qry.type == 1 (A Record Type)` `dns.qry.type == 255 (ANY Record Type)` `dns.qry.type == 2 (NS name server)` `dns.qry.type == 15(MX mail exchange)` `dns.qry.type == 28 (AAAA quad A, Ipv6 record Type)`
CLASS	Class code	2	`dns.qry.class == 0x0001 (IN set to internet)`
TTL	Time to live	4
RDLENGTH	Length in octets of the RDATA field	2
RDATA	Additional RRspecific data	Variable

DNS traffic

In this chapter, the dig and nslookup network commands are used to query the DNS server. Open the sample DNS-Packet.pcap file, set the display filter to dns.qry.type==28, and examine the query.

In this example, client (192.168.1.101) is asking the name server (8.8.4.4) to resolve ipv6.google.com by setting these parameters in the query section:

The client sets the record type AAAA record
The client sets the hostname (ipv6.google.com)
Client set the class (that is, IN (Internet))
The name server (8.8.4.4) responds to the client with multiple answers
ipv6.google.com is the canonical name that equals ipv6.l.google.com
ipv6.l.google.com has the AAAA address 2404:6800:4007:805::200e

User can use the popular dig or nslookup network utility commands to query different DNS record types. Use a network capture in the background and observe the query and answer section for each command:

Query a record type used to show the IPv4 address of the given hostname:

bash# nslookup google.com
bash# dig google.com
bash# dig A +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4

Query the AXFR record type; AXFR is used to transfer zone files from the master to the secondary name server:

bash# nslookup -type=axfr google.com 8.8.4.4
bash# dig AXFR +noadditional +noquestion +nocomments +nocmd +nostats +multiline google.com. @8.8.4.4

Query the CNAME record type. CNAME is used to set up the alias:

bash# nslookup -type=cname google.com 8.8.4.4
bash# dig CNAME +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4

Query the MX record type; MX is the mail exchange record:

bash# nslookup -type=mx google.com 8.8.4.4
bash# dig MX +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4

Query the NS record type; NS is the name server record:

bash# nslookup -type=ns google.com 8.8.4.4
bash# dig NS +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4

Query the PTR record type; PTR is the pointer used for reverse DNS lookups:

bash# nslookup -type=ptr google.com 8.8.4.4
bash# dig PTR +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4

Query the SOA record type. SOA is used to provide authoritative information such as nameserver and e-mail:

bash# nslookup -type=soa google.com 8.8.4.4
bash# dig SOA +noadditional +noquestion +nocomments +nocmd +nostats +multiline google.com. @8.8.4.4

Query the TXT record type; this refers to the text record:

bash# nslookup -type=txt google.com 8.8.4.4
bash# dig TXT +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4

Query AAAA (also referred to as the quad-A record type); this will display the IPv6 address of the given hostname:

bash# nslookup -type=aaaa google.com 8.8.4.4
bash# nslookup -type=aaaa ipv6.google.com 8.8.4.4
bash# dig AAAA +noadditional +noquestion +nocomments +nocmd +nostats ipv6.google.com. @8.8.4.4

Query the ANY record type; this returns all record types:

bash# nslookup -type=any google.com 8.8.4.4
bash# dig ANY +noadditional +noquestion +nocomments +nocmd +nostats google.com. @8.8.4.4

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for DNS

Create new playlist

Sign In

Sign Up

DNS

DNS Wireshark filter

Port

Resource records

DNS traffic

Table of Contents for
DNS