DNS (domain Name System), the Internet as the domain name and
A distributed database that maps IP addresses to each other, making it easier for users to access
Network, instead of remembering the number of IP strings that can be read directly by the machine. By host name,
The process of eventually getting the IP address for that hostname is called the Domain name resolution (or hostname solution).
Analysis). The DNS protocol runs on top of the UDP protocol, using the port number 53. In the RFC document
In RFC 2181, there is a specification for DNS, and RFC 2136 makes dynamic updates to DNS
Description, RFC 2308 describes the reverse caching of DNS queries. I. Naming rules for domain names
1. Characters that can only be included
26 English characters
"0,1,2,3,4,5,6,7,8,9" 10 numbers
"-" (conjunction number in English)
2. Character combination rules
In the domain name, the case of the English alphabet is not distinguished
There is a certain limit to the length of a domain name
Domain Name Example: www.baidu.com
gd.122.gov.cn
www.chinaedu.edu.cn
www.zephyrproject.org Second, domain name request packet Analysis
The following figure is a crawl of a DNS request package:
The contents of the DNS request package are as follows:
2f 1f, at xx, XX, xx
6f 6f Geneva 6f 00 00 01 00 01
The contents of each field are as follows:
Transaction id:0x2f1f (2byte)
FLAGS:0X0100 (2byte)
Questions:1 (2byte)
Answer rrs:0 (2byte)
Authority rrs:0 (2byte)
Additional rrs:0 (2byte)
Queries
Name:dwn.roo.bo (corresponds to 6e, 6f 6f, 6f 00)
Type:a (Host Address) (1) (2byte)
Class:in (0x0001) (2byte)
The length of most items in the DNS information is deterministic, the only one being the name in queries
is variable in length,
The code for Name is as follows: Name:dwn.roo.bo (corresponds to 6e 03 72
6f 6f 6f 00)
where "." As a separator, as above: Dwn (corresponding to 6e) indicates that this
A length of 3, followed by 3 character code, the following paragraphs are the same way, only
is at the end of the last place 00 is indicated. third, DNS response packet Analysis
The following figure is the answer packet
The contents of the DNS reply package are as follows:
2f 1f, Bayi, XX, XX
6f 6f Geneva, 6f, XX,
6f 6f Geneva 4f (XX) (EF)
1c 6e, 6f 6f, 6f 01 77 09
6c 6b 6e 6c C0 6e 32 6e
The EF-5a cc of the XX
The contents of each field are as follows:
Domain Name System (response)
Transaction id:0x2f1f (2byte)
flags:0x8180 (2byte)
Questio Ns:1 (2byte)
Answer rrs:2 (2byte)
Authority rrs:0 (2byte)
Additional rrs:0 (2byte)
Queries
Name: Dwn.roo.bo (corresponds to 6e, 6f 6f, 6f)
Type:a (Host Address) (1) (2byte)
Class:in (0x0001) (2byte) br> Answers
Name:dwn.roo.BO (corresponds to 6e 6f 6f, 4f)
Type:cname (5) (2byte)
Class:in (0x0 001) (2byte)
Time to live:495 (4byte)
Data length:28 (2byte)
Cname:dwn.roo.bo.w.alikunlun.net (corresponds to 03 64 77 6 e 6f 6f Geneva 6f--------------6b 6e br> type:a (Host Address) (1) (2byte)
Class:in (0x0001) (2byte)
Time to live:495 (4byte)
Data length:4 (2b Yte)
address:112.90.32.204 (4byte)
The corresponding relationship between the fields in the above packet is quite clear.
Name:dwn.roo.BO the last segment in answers is capitalized and differs from
queries, so the name needs to be used (6e, 6f 6f, 4f 00). Can be indicated by the pointer, only the
need 2byte is enough.
The name:dwn.roo.bo.w.alikunlun.net and CNAME:
Dwn.roo.bo.w.alikunlun.net names in answers are identical and can be used as pointers (C0
32) indicates name:dwn.roo.bo.w.alikunlun.net. (C0 32) of these two
Byte, the highest two bit is 11, the way (not the way, the highest two bit
is 00), the remaining 14bit means that the name is located in the position of the beginning of the DNS information to shift the position of a bias, This means that name starts at the length of the DNS offset 0x32, as follows
the contents of the red label are from the DNS 0x32 location.
2f 1f Bayi, XX, the xx xx xx (6e
), 6f 6f, 6f, XX, XX, and the At 4f, the following is the content from the 0x32 location, under the EF
XX 1c
.
6e, 6f 6f, 6f, and so on
, 6c, 6b, 6e, 6c, 6e, 6e, and XX,