DNS Protocol Analysis

I have always wanted to understand how things work underneath: computer networks, operating systems and so on. Today it is the DNS protocol's turn.

DNS is an application-layer protocol, usually carried over UDP, although in the source of Go's net package I noticed it also sends queries over TCP. The port is 53; this time I am writing a DNS client myself, and I will probably forget the port number again before long.

From the textbook alone I never really understood DNS. What I remember from it is that DNS queries are recursive: if the queried server has no matching record, it recursively asks a higher-level server, and the root servers are in the United States and so on. I never quite got it.

Yesterday I found an article online [2] which suggested that the best way to study a protocol is with Wireshark. On Linux I capture with tcpdump and open the capture in Wireshark; the exact method is in my earlier article. To generate a DNS request, run host www.cyeam.com on Linux, or nslookup www.cyeam.com on Windows.

    No.  Time      Source     Destination  Protocol  Length  Info
    1    0.000000  10.0.1.23  10.0.1.1     DNS       73      Standard query 0x11ac  A www.cyeam.com
    2    0.061714  10.0.1.1   10.0.1.23    DNS       123     Standard query response 0x11ac  CNAME vm68h.x.incapdns.net  A 149.126.77.152

My computer's IP is 10.0.1.23 and the router's IP is 10.0.1.1; the query asks for the DNS records of www.cyeam.com.

The request looks like this:

    Domain Name System (query)
        [Response In: 2]
        Transaction ID: 0x11ac
        Flags: 0x0100 Standard query
            0... .... .... .... = Response: Message is a query
            .000 0... .... .... = Opcode: Standard query (0)
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... .0.. .... = Z: reserved (0)
            .... .... ...0 .... = Non-authenticated data: Unacceptable
        Questions: 1
        Answer RRs: 0
        Authority RRs: 0
        Additional RRs: 0
        Queries
            www.cyeam.com: type A, class IN
                Name: www.cyeam.com
                Type: A (Host address)
                Class: IN (0x0001)

The DNS header is 12 bytes long and consists of six fields of two bytes each:

    • Transaction ID. An unsigned integer generated randomly by the client, in the range 0~2^16. The server copies it into the response header so the client can validate the reply: if the two values are not equal, the response is discarded.
    • Flags. I will not go through every bit here; see the capture above. The bit that is set is "recursion desired".
    • Questions. A single DNS request can ask about several domain names; here there is only one, so the count is 1.
    • Answer RRs. The number of answers, which in a request must be 0. The remaining two fields (Authority RRs and Additional RRs) are not used here, so I have not looked into their meaning.

After the header comes the message body. In the request, the body is the question being asked; in the response, the body also repeats that question (followed by the answers, described below). A question consists of three parts: name, type and class:

    • Name. We want to query www.cyeam.com. The name is split on the dots, and the DNS protocol uses a neat trick: the dots are dropped, and each part is instead preceded by a byte giving its length. A final 0 byte marks the end of the name. So the domain name becomes 3www5cyeam3com0.
    • Type. The query type: A, CNAME and so on.
    • Class. The query class; it seems to always be IN. Both type and class are two bytes each.

The header is 12 bytes and the question uses 15 + 2 + 2 = 19 bytes, 31 bytes in total. The dump below is in hexadecimal, 16 bytes in the first row and 15 in the second. You can match it byte by byte against the header and question described above.

    0000   11 ac 01 00 00 01 00 00 00 00 00 00 03 77 77 77
    0010   05 63 79 65 61 6d 03 63 6f 6d 00 00 01 00 01
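The same 31-byte query, built programmatically. This is an added example in Go and not the author's code (the post says the Go version was still unwritten). EncodeName produces the 3www5cyeam3com0 label form, BuildQuery prepends the 12-byte header with only the recursion-desired flag set, and SendQuery is an assumed helper showing how the bytes would be sent over UDP to port 53. Function and constant names are my own.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net"
	"strings"
	"time"
)

// Values used by the query captured on this page.
const (
	TypeA   uint16 = 1      // A record (host address)
	ClassIN uint16 = 1      // class IN
	FlagRD  uint16 = 0x0100 // flags word with only "recursion desired" set
)

// EncodeName converts "www.cyeam.com" into the length-prefixed label
// form 3www5cyeam3com0: each label is preceded by its length and the
// sequence ends with a zero byte.
func EncodeName(name string) []byte {
	var out []byte
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// BuildQuery assembles the 12-byte header and one question for an A
// lookup. The caller supplies the transaction ID; in real use it must be
// random so that a reply cannot be matched up simply by guessing it.
func BuildQuery(txid uint16, name string) []byte {
	hdr := make([]byte, 12)
	binary.BigEndian.PutUint16(hdr[0:], txid)
	binary.BigEndian.PutUint16(hdr[2:], FlagRD)
	binary.BigEndian.PutUint16(hdr[4:], 1) // QDCOUNT: one question
	// ANCOUNT, NSCOUNT and ARCOUNT stay zero in a request.
	tail := make([]byte, 4)
	binary.BigEndian.PutUint16(tail[0:], TypeA)
	binary.BigEndian.PutUint16(tail[2:], ClassIN)
	msg := append(hdr, EncodeName(name)...)
	return append(msg, tail...)
}

// SendQuery delivers the query over UDP to port 53 of server and returns
// the raw reply. 512 bytes is the classic maximum for a UDP DNS message.
func SendQuery(server string, q []byte) ([]byte, error) {
	conn, err := net.Dial("udp", net.JoinHostPort(server, "53"))
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(3 * time.Second))
	if _, err := conn.Write(q); err != nil {
		return nil, err
	}
	buf := make([]byte, 512)
	n, err := conn.Read(buf)
	if err != nil {
		return nil, err
	}
	return buf[:n], nil
}

func main() {
	q := BuildQuery(0x11ac, "www.cyeam.com")
	fmt.Printf("%d bytes\n%s", len(q), hex.Dump(q))
}
```

Running it prints the same two hex rows as the capture above; to actually resolve the name, pass the result of BuildQuery to SendQuery with the router's address (10.0.1.1 in this capture) and feed the reply to a parser.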

The response is as follows:

    Domain Name System (response)
        [Request In: 1]
        [Time: 0.061714000 seconds]
        Transaction ID: 0x11ac
        Flags: 0x8180 Standard query response, No error
            1... .... .... .... = Response: Message is a response
            .000 0... .... .... = Opcode: Standard query (0)
            .... .0.. .... .... = Authoritative: Server is not an authority for domain
            .... ..0. .... .... = Truncated: Message is not truncated
            .... ...1 .... .... = Recursion desired: Do query recursively
            .... .... 1... .... = Recursion available: Server can do recursive queries
            .... .... .0.. .... = Z: reserved (0)
            .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
            .... .... ...0 .... = Non-authenticated data: Unacceptable
            .... .... .... 0000 = Reply code: No error (0)
        Questions: 1
        Answer RRs: 2
        Authority RRs: 0
        Additional RRs: 0
        Queries
            www.cyeam.com: type A, class IN
                Name: www.cyeam.com
                Type: A (Host address)
                Class: IN (0x0001)
        Answers
            www.cyeam.com: type CNAME, class IN, cname vm68h.x.incapdns.net
                Name: www.cyeam.com
                Type: CNAME (Canonical name for an alias)
                Class: IN (0x0001)
                Time to live: 10 seconds
                Data length: 22
                Primary name: vm68h.x.incapdns.net
            vm68h.x.incapdns.net: type A, class IN, addr 149.126.77.152
                Name: vm68h.x.incapdns.net
                Type: A (Host address)
                Class: IN (0x0001)
                Time to live: 3 minutes, ... seconds
                Data length: 4
                Addr: 149.126.77.152 (149.126.77.152)

The header fields have the same meaning as in the request. Note that Answer RRs is now 2, because two records were returned. The message body again contains the question that was asked, with the same meaning as in the request; what is new is the answer content.

Each answer record is made up of 5 parts:

    • Name. The domain name being answered. Here it is only two bytes (c0 0c): the server uses a compression pointer that points back to the name already written in the question section rather than repeating it.
    • Type. The record type; the first record is a CNAME, whose value is 5. Two bytes.
    • Class. Two bytes, value 1 (IN). (The dissection above also shows a four-byte Time to Live after the class.)
    • Data length. Two bytes.
    • Primary name. This is the key item, the thing we actually wanted to look up. If the type above is CNAME, it is decoded in the same way as the domain name in the request. If the type is A, it is an IP address and the data length is 4 (IPv4): each byte is one block of the address, and the blocks are joined by dots. The hex bytes 95 7e 4d 98 read as 149.126.77.152.

    0000   11 ac 81 80 00 01 00 02 00 00 00 00 03 77 77 77
    0010   05 63 79 65 61 6d 03 63 6f 6d 00 00 01 00 01 c0
    0020   0c 00 05 00 01 00 00 00 0a 00 16 05 76 6d 36 38
    0030   68 01 78 08 69 6e 63 61 70 64 6e 73 03 6e 65 74
    0040   00 c0 2b 00 01 00 01 ?? ?? ?? ?? 00 04 95 7e 4d
    0050   98

(The four TTL bytes of the A record, shown as ??, are illegible in the original dump.)
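A parser for the response above, written as an added example in Go (not the author's code). It checks the transaction ID against the one we sent and discards the reply on a mismatch, as described under the header fields; skips the echoed question; and walks the two answers, following the c0 0c and c0 2b compression pointers. The message bytes are the ones from the dump, except that the four TTL bytes of the A record are not readable on the page, so the value 0x000000e4 (228 seconds) is a constructed stand-in. Function and type names are my own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// The 81-byte response from the capture. Only the A record's TTL
// (00 00 00 e4) is a constructed value; the page does not show it.
var sampleResponse = []byte{
	0x11, 0xac, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, // header
	0x03, 'w', 'w', 'w', 0x05, 'c', 'y', 'e', 'a', 'm', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0x01, 0x00, 0x01, // question
	0xc0, 0x0c, 0x00, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x16, // CNAME RR: name ptr, type, class, ttl, rdlength
	0x05, 'v', 'm', '6', '8', 'h', 0x01, 'x', 0x08, 'i', 'n', 'c', 'a', 'p', 'd', 'n', 's', 0x03, 'n', 'e', 't', 0x00, // CNAME rdata
	0xc0, 0x2b, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0xe4, 0x00, 0x04, 149, 126, 77, 152, // A RR
}

// RR is one decoded answer record.
type RR struct {
	Name  string
	Type  uint16
	Class uint16
	TTL   uint32
	Data  string // CNAME target, or dotted IPv4 address for A
}

// ReadName decodes a label sequence starting at off, following
// compression pointers (top two bits 11) back into the message. It returns
// the name and the offset just after the bytes occupied at off.
func ReadName(msg []byte, off int) (string, int, error) {
	var labels []string
	next, hops := -1, 0
	for {
		if off >= len(msg) {
			return "", 0, errors.New("name runs past end of message")
		}
		l := int(msg[off])
		switch {
		case l == 0: // terminating zero byte
			if next < 0 {
				next = off + 1
			}
			return strings.Join(labels, "."), next, nil
		case l&0xc0 == 0xc0: // pointer: 14-bit offset into the message
			if off+1 >= len(msg) {
				return "", 0, errors.New("truncated pointer")
			}
			if hops++; hops > 16 {
				return "", 0, errors.New("pointer loop")
			}
			if next < 0 {
				next = off + 2
			}
			off = int(binary.BigEndian.Uint16(msg[off:]) & 0x3fff)
		default: // ordinary label: length byte followed by the text
			if off+1+l > len(msg) {
				return "", 0, errors.New("truncated label")
			}
			labels = append(labels, string(msg[off+1:off+1+l]))
			off += 1 + l
		}
	}
}

// ParseResponse validates the header against the transaction ID we sent
// and returns the answer records.
func ParseResponse(msg []byte, wantID uint16) ([]RR, error) {
	if len(msg) < 12 {
		return nil, errors.New("short header")
	}
	if id := binary.BigEndian.Uint16(msg[0:]); id != wantID {
		return nil, fmt.Errorf("transaction id %#04x != expected %#04x, discarding", id, wantID)
	}
	flags := binary.BigEndian.Uint16(msg[2:])
	if flags&0x8000 == 0 {
		return nil, errors.New("not a response")
	}
	if rcode := flags & 0x000f; rcode != 0 {
		return nil, fmt.Errorf("reply code %d", rcode)
	}
	qd := int(binary.BigEndian.Uint16(msg[4:]))
	an := int(binary.BigEndian.Uint16(msg[6:]))
	off := 12
	for i := 0; i < qd; i++ { // skip echoed questions: name + type + class
		_, n, err := ReadName(msg, off)
		if err != nil {
			return nil, err
		}
		off = n + 4
	}
	var rrs []RR
	for i := 0; i < an; i++ {
		name, n, err := ReadName(msg, off)
		if err != nil {
			return nil, err
		}
		if n+10 > len(msg) {
			return nil, errors.New("truncated resource record")
		}
		rr := RR{Name: name, Type: binary.BigEndian.Uint16(msg[n:]),
			Class: binary.BigEndian.Uint16(msg[n+2:]), TTL: binary.BigEndian.Uint32(msg[n+4:])}
		rdlen, rdata := int(binary.BigEndian.Uint16(msg[n+8:])), n+10
		if rdata+rdlen > len(msg) {
			return nil, errors.New("rdata runs past end of message")
		}
		switch rr.Type {
		case 5: // CNAME: rdata is itself a (possibly compressed) name
			if rr.Data, _, err = ReadName(msg, rdata); err != nil {
				return nil, err
			}
		case 1: // A: exactly four bytes, printed dotted
			if rdlen != 4 {
				return nil, errors.New("A record with wrong length")
			}
			rr.Data = net.IP(msg[rdata : rdata+4]).String()
		default:
			rr.Data = fmt.Sprintf("%x", msg[rdata:rdata+rdlen])
		}
		off = rdata + rdlen
		rrs = append(rrs, rr)
	}
	return rrs, nil
}

func main() {
	rrs, err := ParseResponse(sampleResponse, 0x11ac)
	if err != nil {
		panic(err)
	}
	for _, rr := range rrs {
		fmt.Printf("%-22s type=%d ttl=%d %s\n", rr.Name, rr.Type, rr.TTL, rr.Data)
	}
}
```

The bounds checks matter even for this tiny message: every length byte and pointer comes from the network, and a pointer that loops or points past the end is exactly the kind of input a naive decoder follows forever.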

The packets captured above can be downloaded from here. I originally wanted to write a Go implementation too, but it is too late tonight; I will write it tomorrow.

Reference documents

    1. "Computer Networks (5th edition)", Xie Xiren
    2. "What does a DNS request look like?", ServerFault

Original link: DNS protocol analysis. Please credit the source when reposting.
