DNS packet identification

When you look at packet byte code, how do you define a DNS packet? The IP header protocol field indicates that a UDP frame should be used, but there is no protocol field inside the UDP frame to indicate what will happen next, and from what I see, there is nothing inside the frame to uniquely identify it as a DNS package.

+5
2 answers

Besides the fact that it is located on port 53, there are a few things you can look at that can give a hint that you are looking at DNS traffic.

I will refer to the field names used in §4.1 of RFC 1035 here:

                                1  1  1  1  1  1
  0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                      ID                       |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QDCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ANCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    NSCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ARCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

, 12 - 2 , 2 4 x 2 .

DNS QDCOUNT (0x0001). , .

(QR == 0) ANCOUNT NSCOUNT (0x0000), ARCOUNT 0, 1 2, , EDNS0 (RFC 2671) TSIG (RFC 2845). RCODE .

, , .

, QR , , , QDCOUNT . . , 255, 4, 6, 8 10, .

, , (§4.1.2). , (QNAME) (QTYPE QCLASS).

[ , . , , . , .]

, , , , 16- QTYPE QCLASS. QCLASS, 1 IN ( "" ), 3 CH ().

, - , .

+8
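
The header checks named in the answer above, as an added example that is not part of the original answer: a Python heuristic that decides whether a raw UDP payload is plausibly DNS, independent of the port. The function names, the constructed sample packets and the exact thresholds (QDCOUNT of 1, ARCOUNT of at most 2 in a query, QCLASS of IN or CH) are assumptions for illustration.

```python
import struct

# RFC 1035 §4.1.1 header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
HEADER = struct.Struct("!6H")

def skip_qname(payload, offset):
    """Walk the QNAME labels; return the offset after the root label, or None."""
    name_len = 0
    while offset < len(payload):
        length = payload[offset]
        offset += 1
        if length == 0:           # root label terminates the name
            return offset
        if length > 63:           # pointer/reserved bits: not expected in the first question
            return None
        name_len += length + 1
        if name_len > 254:        # whole name, root label included, is at most 255 octets
            return None
        offset += length
    return None                   # ran off the end of the payload

def looks_like_dns(payload):
    """Heuristic only: True when the payload is consistent with a DNS message."""
    if len(payload) < HEADER.size:
        return False
    _id, flags, qd, an, ns, ar = HEADER.unpack_from(payload)
    qr, rcode = flags >> 15, flags & 0xF
    if qd != 1:                   # assumed threshold: exactly one question
        return False
    # A query carries no answers or authority records; ARCOUNT leaves room
    # for an EDNS0 OPT record and a TSIG record (assumed threshold).
    if qr == 0 and (an or ns or ar > 2 or rcode):
        return False
    end = skip_qname(payload, HEADER.size)
    if end is None or end + 4 > len(payload):
        return False
    _qtype, qclass = struct.unpack_from("!2H", payload, end)
    return qclass in (1, 3)       # IN or CH

# Constructed sample payloads (not captured traffic)
QUESTION = b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
QUERY = bytes.fromhex("1a2b01000001000000000000") + QUESTION
RESPONSE = (bytes.fromhex("1a2b81800001000100000000") + QUESTION
            + bytes.fromhex("c00c000100010000012c0004c0000201"))
NTP_CLIENT = b"\x1b" + b"\x00" * 47

if __name__ == "__main__":
    for name in ("QUERY", "RESPONSE", "NTP_CLIENT"):
        print(name, looks_like_dns(globals()[name]))
```

A match only means the bytes are consistent with the DNS layout; other protocols can produce payloads that pass, so treat the result as a hint alongside the port number.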

? 53 .

-3