DNS protocol details


I. Preface
The new version of Foxmail provides an "express mail" function. At first, I did not know how to use it. Later I learned to set the IP address of the local DNS server in Tools > System Options.
I think this new function is quite useful. You do not need an SMTP proxy; the mail is sent directly to the mail exchanger of the domain where the mailbox is located. At the beginning of the summer vacation, I wanted to implement this function in VC++. After capturing packets with Iris, I found that the program sent the mail to mx8.263.net, and I did not know what this host was. I later worked out that it was an MX record host of 263.net. So the principle behind express delivery is to send the data to this host.
Run the NSLookup program:
set type=mx
263.net
The result is as follows:
Non-authoritative answer:
263.net MX preference = 10, mail exchanger = mx06.263.net
263.net MX preference = 10, mail exchanger = mx08.263.net
263.net MX preference = 10, mail exchanger = mx09.263.net
263.net MX preference = 10, mail exchanger = mx11.263.net
263.net MX preference = 10, mail exchanger = mx12.263.net
263.net MX preference = 40, mail exchanger = mx03.263.net
263.net MX preference = 10, mail exchanger = mx01.263.net
That's right, that is it. Later, I gave up on NSLookup and studied C# for more than half a month. Then I found some related documents on the Internet. After some experimenting, I am sharing my development process here. This is the first time I have written a tutorial document, so please forgive any irregularities. The domain names, email addresses, and IP addresses involved in this article are all real.

II. DNS protocol principles
In my opinion, to become a good network software programmer, you must read the RFC documents. This article is intended for a wide range of programmers, so I try to write it in detail. If you are already an expert, skip this section.
RFC documents for the DNS protocol:
RFC 1034 - Domain Names - Concepts and Facilities
RFC 1035 - Domain Names - Implementation and Specification
A computer on the Internet is identified by an IP address, a numeric string such as 220.162.75.1. Having to type something like that every time you access a computer would be terrible. That is why DNS exists: a domain name is used to point to the IP address bound to it. When we enter http://zzsy.com in the browser, the browser does not know where to get the web page, so it queries the configured DNS server for the domain name zzsy.com. The DNS server first looks in its own records. If no record is found, it queries the upper-level DNS server (forwards the request), and then returns the IP address to the browser. Here, the record type queried by the browser is an A record. RFC 1035 defines 16 record types on page 11; the common ones include the A (address) record, the CNAME (alias) record, and the MX (mail exchange) record. This article focuses on MX records.
The query process is generally as follows: the client sends a UDP packet to port 53 of the DNS server. After receiving the packet, the DNS server processes it and returns the resulting records in a UDP packet.
The general format of this UDP message:

+---------------------+
|       Header        |
+---------------------+
|      Question       | query submitted to the server
+---------------------+
|       Answer        | resource records replied by the server
+---------------------+
|      Authority      | authoritative resource records
+---------------------+
|     Additional      | additional resource records
+---------------------+

The header is a fixed 12 bytes; every other part has a variable number of bytes.
We are concerned with the header, question, and answer.

The packet header format:


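                                1  1  1  1  1  1
  0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                      ID                       |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QDCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ANCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    NSCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ARCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+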

Wow, what on earth is this!
The row at the top numbers the bits, 0-15 (note: 10-15 are written vertically, one digit above the other; I didn't understand this at first).
Next:
ID: 2 bytes (16 bits). The number of the message, chosen by the client. The DNS reply carries the same identifier to show which request it answers.
QR: 1 bit (1/8 byte). 0 indicates a query, 1 indicates a DNS reply.
Opcode: 4 bits (1/2 byte). Indicates the kind of query: 0: standard query; 1: inverse query; 2: server status query; 3-15: unused.
AA: 1 bit (1/8 byte). Whether the reply is an authoritative answer.
TC: 1 bit (1/8 byte). Because a DNS message over UDP is limited to 512 bytes, this bit indicates whether the part beyond that was truncated.
RD: 1 bit (1/8 byte). This bit is set in the query and copied into the response. 1 asks the server to perform a recursive query.
RA: 1 bit (1/8 byte). Indicates that the DNS server supports recursive queries.
Z: 3 bits (3/8 byte). Reserved field, which must be set to 0.
RCODE: 4 bits (1/2 byte). The return code set in the reply: 0: no error; 1: format error; 2: DNS server error; 3: the domain name does not exist; 4: the DNS server does not support this kind of query; 5: the DNS server refuses the query; 6-15: reserved.
QDCOUNT: 2 bytes (16 bits). An unsigned number giving the number of query records.
ANCOUNT: 2 bytes (16 bits). An unsigned number giving the number of reply records.
NSCOUNT: 2 bytes (16 bits). An unsigned number giving the number of authoritative records.
ARCOUNT: 2 bytes (16 bits). An unsigned number giving the number of additional records.

The format of each query resource record is as follows:


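                                1  1  1  1  1  1
  0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                                               |
/                     QNAME                     /
/                                               /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                     QTYPE                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                     QCLASS                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
QNAME: the domain name to be queried (the slashes on both sides mark it as variable-length).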
QTYPE: 2 bytes. According to RFC 1035 and the NSLookup help documents, I define the following enumerated type:
enum QueryType // Type of the resource record being queried.
{
A = 0x01, // Specifies a computer's IP address.
NS = 0x02, // Specifies a DNS name server for the named zone.
MD = 0x03, // Specifies a mail destination (obsolete, replaced by MX).
MF = 0x04, // Specifies a mail forwarder (obsolete, replaced by MX).
CNAME = 0x05, // Specifies the canonical name for an alias.
SOA = 0x06, // Specifies the start of authority for a DNS zone.
MB = 0x07, // Specifies a mailbox domain name.
MG = 0x08, // Specifies a mail group member.
MR = 0x09, // Specifies a mail rename domain name.
NULL = 0x0a, // Specifies a null resource record.
WKS = 0x0b, // Describes a well-known service.
PTR = 0x0c, // If the query is an IP address, specifies the computer name; otherwise, specifies a pointer to other information.
HINFO = 0x0d, // Specifies the CPU and operating system type of a computer.
MINFO = 0x0e, // Specifies mailbox or mailing list information.
MX = 0x0f, // Specifies the mail exchanger.
TXT = 0x10, // Specifies text information.
AAAA = 0x1c, // IPv6 address resource record.
UINFO = 0x64, // Specifies user information.
UID = 0x65, // Specifies the user ID.
GID = 0x66, // Specifies the group ID of a group name.
ANY = 0xff // Specifies all data types.
};
QCLASS: 2 bytes. According to RFC 1035 and the NSLookup help documents, I define the following enumerated type:
enum QueryClass // Protocol group of the requested information.
{
IN = 0x01, // Specifies the Internet class.
CSNET = 0x02, // Specifies the CSNET class (obsolete).
CHAOS = 0x03, // Specifies the Chaos class.
HESIOD = 0x04, // Specifies the MIT Athena Hesiod class.
ANY = 0xff // Wildcard for any of the classes listed above.
};

For QTYPE, the commonly used values are A, MX, and CNAME; for QCLASS, the commonly used value is IN.

The format of each response is as follows:


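                                1  1  1  1  1  1
  0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                                               |
/                                               /
/                      NAME                     /
|                                               |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                      TYPE                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                     CLASS                     |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                      TTL                      |
|                                               |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                   RDLENGTH                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
/                     RDATA                     /
/                                               /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+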

NAME: the domain name that was queried. Variable length.
TYPE: the type of the reply. 2 bytes, with the same meaning as in the query. Indicates the type of the resource record in RDATA.
CLASS: the class of the reply. 2 bytes, with the same meaning as in the query. Indicates the class of the resource record in RDATA.
TTL: time to live. 4 bytes, giving the time for which the resource record in RDATA may be cached.
RDLENGTH: length. 2 bytes, giving the length of the RDATA block.
RDATA: the resource record data. Variable length; the layout depends on the type. For example, an MX record consists of a 2-byte preference value for the mail exchanger followed by the variable-length mail exchanger name.

This section describes how names are composed. A name is made up of a sequence of labels. The first byte of each label gives the length of the label and is followed by that many ASCII characters. After the last label, the name ends with a 0 byte. If the first (length) byte of a label is 0xc0, the next byte is not a label but the offset in the current received packet at which the next part of the name is found.
For example, bbs.zzsy.com is split at the dots into bbs, zzsy, and com. The lengths of the parts are 3, 4, and 3.
In a DNS packet it takes the form 3 b b s 4 z z s y 3 c o m 0
Suppose a name like 4 z z s y 3 c o m 0 already exists at byte 12 of the packet.
Then it may appear as 3 b b s 4 z z s y 0xc0 0x0c.

III. DNS protocol examples
After so much theory, your head may be spinning. Let's go through it with a real example.
I use the well-known network packet capture and protocol analysis tool Iris 4.05, which you can download from my site:
http://itboy.cn/data/Iris405Full.rar
Run Iris, click Filters in the menu, select the Port tab, apply port 53, and click OK.
Click the green run icon on the Iris toolbar to start listening.

Run the NSLookup program in Windows.
Enter the following command:
set type=mx
NSLookup returns to its prompt.
Then enter:
yahoo.com.cn
You will get:
yahoo.com.cn MX preference = 20, mail exchanger = mx5.mail.yahoo.com
yahoo.com.cn MX preference = 10, mail exchanger = mta-v1.mail.

========================================================== ==================================


DNS message format:




The message consists of a 12-byte header and four variable-length fields.
The Identifier field is set by the client program and returned by the server in the result.
The 16-bit Flags field is divided as follows:

QR: 0 indicates a query message, and 1 indicates a response message.
Opcode: usually 0 (standard query); other values are 1 (inverse query) and 2 (server status request).
AA: authoritative answer.
TC: truncated.
RD: recursion desired.
RA: recursion available.
The next 3 bits must be 0.
RCODE: return code, usually 0 (no error) or 3 (name error).
The last four 16-bit fields give the number of entries in the four variable-length fields at the end of the message.

Question section:
Message format:

The query name is the name being looked up. It consists of one or more labels, each preceded by a count byte giving its length, and ends with a 0 byte. Each count byte must be between 0 and 63. This field needs no padding bytes. Example: gemini.tuc.noao.edu

Each question has a query type. The usual query types are A (get the IP address for a name) and PTR (get the domain name for an IP address).
Resource record:
Message format:
The last three fields of a DNS message, the answer, authority, and additional information fields, all use the same format, the resource record (RR).

The domain name is the name that the resource data in the record belongs to. It has the same format as the query name field.
Type gives the type code of the RR. Class is usually 1, which means Internet data.
The time-to-live field is the number of seconds for which the client program keeps the resource record.
The resource data length gives the number of bytes of resource data. The format of the data depends on the value of the type field. The resource data of type 1 (an A record) is a 4-byte IP address.

Data packet, DNS query:
0000  00 19 56 6e 19 bf 00 17 a4 1a b2 e0 08 00 45 00  ..Vn..........E.
0010  00 3b ed c6 00 00 80 11 e3 c3 ac 15 0f 04 ac 15  .;..............
0020  01 f9 04 a9 00 35 00 27 2f bd 3e 3a 01 00 00 01  .....5.'/.>:....
0030  00 00 00 00 00 00 03 77 77 77 06 67 6f 6f 67 6c  .......www.googl
0040  65 02 63 6e 00 00 01 00 01                       e.cn.....
Notes:

The first three parts are the Ethernet header, the IP header, and the UDP header.
The DNS message starts near the end of row 3.
3e 3a is the identifier field.
01 00 is the flags field. If TC is set in this field, the message can be truncated.
00 01: the number of questions is 1.
00 00 00 00 00 00: the answer, authority, and additional information counts are all 0.
03 77 77 77 06 67 6f 6f 67 6c 65 02 63 6e 00 is the query name, www.google.cn.
00 01 is the type; 1 indicates an A query.
00 01 is the class; 1 indicates Internet data.
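
An added example (not from the original article): building the query described above in Python from the header layout, the label encoding, and the QTYPE/QCLASS values given earlier. The function names are hypothetical; drawing the ID from `secrets` and checking a reply against the query are assumptions about careful client practice, not something the article specifies.

```python
import secrets
import struct
from typing import Optional

QTYPE_A, QTYPE_MX, QCLASS_IN = 0x01, 0x0F, 0x01   # values from the enums above
FLAG_QR, FLAG_RD = 0x8000, 0x0100                 # response bit, recursion desired

def encode_name(name: str) -> bytes:
    """Encode a name as length-prefixed labels terminated by a 0 byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:               # a count byte must fit 0..63
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    out.append(0)
    if len(out) > 255:                            # RFC 1035 cap on a full name
        raise ValueError("name longer than 255 bytes")
    return bytes(out)

def build_query(name: str, qtype: int, txid: Optional[int] = None) -> bytes:
    """Build a standard one-question query with RD set."""
    if txid is None:
        txid = secrets.randbits(16)               # unpredictable, not a counter
    header = struct.pack(">6H", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">2H", qtype, QCLASS_IN)

def reply_matches(query: bytes, reply: bytes) -> bool:
    """True only if the reply echoes our ID and question and has QR=1."""
    if len(reply) < len(query):
        return False
    rid, rflags, rqd = struct.unpack(">3H", reply[:6])
    return (rid == struct.unpack(">H", query[:2])[0]
            and bool(rflags & FLAG_QR) and rqd == 1
            and reply[12:len(query)] == query[12:])
```

Called as `build_query("www.google.cn", QTYPE_A, 0x3e3a)`, it yields the 31-byte DNS payload shown in the query capture; `build_query("263.net", QTYPE_MX)` is the MX lookup from the preface.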

Data packet, DNS response:
0000  00 17 a4 1a b2 e0 00 19 56 6e 19 bf 08 00 45 00  ........Vn....E.
0010  00 78 48 af 00 00 7d 11 8b 9e ac 15 01 f9 ac 15  .xH...}.........
0020  0f 04 00 35 04 a9 00 64 75 db 3e 3a 81 80 00 01  ...5...du.>:....
0030  00 03 00 00 00 00 03 77 77 77 06 67 6f 6f 67 6c  .......www.googl
0040  65 02 63 6e 00 00 01 00 01 c0 0c 00 05 00 01 00  e.cn............
0050  00 05 42 00 11 02 63 6e 01 6c 06 67 6f 6f 67 6c  ..B...cn.l.googl
0060  65 03 63 6f 6d 00 c0 2b 00 01 00 01 00 00 00 5f  e.com..+......._
0070  00 04 cb d0 21 65 c0 2b 00 01 00 01 00 00 00 5f  ....!e.+......._
0080  00 04 cb d0 21 64                                ....!d
Notes:

The first three parts are the Ethernet header, the IP header, and the UDP header.
3e 3a is the identifier field.
81 80 sets QR = 1, RD = 1, RA = 1.
00 01: the number of questions is 1. 00 03: the number of answers is 3. The remaining two counts are 0.
03 77 77 77 06 67 6f 6f 67 6c 65 02 63 6e 00 is the query name, www.google.cn.
00 01 is the type; 1 indicates an A query.
00 01 is the class; 1 indicates Internet data.
Next is the answer section:
c0 0c is the domain name pointer.
00 05 is the type, CNAME (canonical name).
00 01 is the class, Internet data.
00 00 05 42 is the time to live.
00 11 is the data length.
02 63 6e 01 6c 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 is the data, cn.l.google.com.
The next two blocks are the other two answers.
The data at the end of each is the IP address.
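
An added example (not from the original article): a Python decoder for the response walked through above, following the 0xc0 name pointers described in the section on names. The function names are hypothetical; the hop limit of 16 and the bounds checks are assumptions added so that a truncated or self-referencing packet raises an error instead of hanging or over-reading.

```python
import struct

# DNS payload of the response capture above, re-typed as reconstructed sample input.
RESPONSE = bytes.fromhex(
    "3e3a81800001000300000000" "0377777706676f6f676c6502636e00" "00010001"
    "c00c0005000100000542" "0011" "02636e016c06676f6f676c6503636f6d00"
    "c02b000100010000005f0004cbd02165" "c02b000100010000005f0004cbd02164")

def read_name(msg, off):      # returns (name, offset where parsing resumes)
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if off + 1 >= len(msg) or hops > 16:
                raise ValueError("truncated pointer or pointer loop")
            resume = off + 2 if resume is None else resume
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:                          # root label ends the name
            return ".".join(labels), (off + 1 if resume is None else resume)
        elif n > 63 or off + 1 + n > len(msg):
            raise ValueError("bad label length")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def parse_answers(msg):       # returns (flags, answers); ValueError if malformed
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qd, an = struct.unpack(">4H", msg[:8])
    off, answers = 12, []
    for _ in range(qd):                       # skip QNAME, QTYPE, QCLASS
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if off > len(msg):
            raise ValueError("RDLENGTH runs past end of message")
        if rtype == 5:                        # CNAME: RDATA is itself a name
            rdata = read_name(msg, off - rdlen)[0]
        elif rtype == 1 and rdlen == 4:       # A: 4-byte IPv4 address
            rdata = ".".join(map(str, rdata))
        answers.append((name, rtype, ttl, rdata))
    return flags, answers
```

`parse_answers(RESPONSE)` returns the flags word 0x8180 and three answers: the CNAME for www.google.cn followed by two A records whose owner name is resolved through the c0 2b pointer.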


From: http://blog.chinaunix.net/uid-12077794-id-91657.html
