Using tcpdump to observe the DNS communication process

Source: Internet
Author: User
1. Introduction to DNS:

We usually access a machine by its domain name rather than directly by its IP address, for example when visiting web sites on the Internet. So how is a machine's domain name converted into an IP address? This requires a domain name query service. Such services are implemented in several ways, such as NIS (Network Information Service), DNS, and local static files. This article mainly discusses DNS.
DNS is a distributed domain name service system. Each DNS server stores a large number of mappings between machine names and IP addresses, and these mappings are updated dynamically. Many network client programs use the DNS protocol to query a DNS server for the IP address of a target host.

Linux uses the /etc/resolv.conf file to store the IP addresses of the DNS servers it queries.


2. Use of Host program:

A common Linux client program for accessing DNS servers is host. For example, the following command asks the preferred DNS server for the IP address of the machine www.baidu.com:


The output of the host command tells us that the machine name www.baidu.com is an alias for www.a.shifen.com, and that this machine name corresponds to two IP addresses. The host command communicates with the DNS server using the DNS protocol, and its -t option tells it which type of query to use. Here we use type A, which obtains a machine's IP address from its domain name (though the resource records returned actually also contain the machine's alias).


3. Monitoring data with tcpdump:

To see the DNS communication process clearly, we run the host command on test host 1 (192.168.0.141) to query the IP address of the host www.jd.com, and use tcpdump to capture the Ethernet frames transmitted over the LAN during this process.
The specific steps are as follows:

# tcpdump -i eth0 -nt port domain

Then enter the following command in another terminal: # host -t A www.jd.com


The following figure shows the output of host -t A www.jd.com:



The following figure shows the data captured by tcpdump:


Here the IP address 192.168.0.1 is the address of the default gateway:


root@linux_ever:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     1      0        0 eth0

4. Analysis of the data:

When running tcpdump this time, we used "port domain" to filter packets, so only packets of the domain name service, that is, DNS query and response messages, are captured. The tcpdump output is as follows:

IP 192.168.0.141.53511 > 192.168.0.1.53: 65362+ A? www.jd.com.
IP 192.168.0.1.53 > 192.168.0.141.53511: 65362 2/0/0 CNAME www.jdcdn.com., A 14.152.71.1

The "IP" at the beginning of both lines indicates that what follows describes an IP datagram. tcpdump denotes each end of the communication in the form IP address.port number, and ">" indicates the direction of data transfer: the source is before it and the destination after it. So the first packet is the DNS query message that test host 1 (IP address 192.168.0.141) sends to its preferred DNS server (IP address 192.168.0.1); destination port 53 is the port used by the DNS service. The second packet is the DNS response message that the server sends back.
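To make the two summary lines above concrete, here is an added Python example (not from the original article) that parses a DNS query and response, constructed inline to match the captured exchange, into tcpdump's one-line form: the 65362 transaction ID, the "+" (recursion desired) flag, the "A?" question and the 2/0/0 answer/authority/additional counts all come straight from the message header, and the CNAME and A records are read from the answer section, including the name-compression pointers a real server uses.

```python
import struct
TYPES = {1: "A", 5: "CNAME"}

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a 0 byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # 11xxxxxx: compression pointer
            end = end or off + 2                # parsing resumes after the pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def summarize(msg):
    """Render a DNS message the way tcpdump's one-line summary does."""
    ident, flags, _qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype = struct.unpack(">H", msg[off:off + 2])[0]
    off += 4                                    # skip QTYPE and QCLASS
    if not flags & 0x8000:                      # QR bit clear: this is a query
        rd = "+" if flags & 0x0100 else ""      # '+' means recursion desired
        return f"{ident}{rd} {TYPES.get(qtype, qtype)}? {qname}"
    answers = []
    for _ in range(an):                         # an/ns/ar: answer/authority/additional
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:
            answers.append("CNAME " + read_name(msg, off)[0])
        elif rtype == 1:
            answers.append("A " + ".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return f"{ident} {an}/{ns}/{ar} " + ", ".join(answers)

# Constructed sample messages (not the page's capture) reproducing its exchange;
# summarize(QUERY) -> "65362+ A? www.jd.com.", summarize(RESPONSE) -> "65362 2/0/0 ..."
QUERY = (struct.pack(">HHHHHH", 65362, 0x0100, 1, 0, 0, 0)       # ID, RD set, 1 question
         + encode_name("www.jd.com") + struct.pack(">HH", 1, 1))  # QTYPE A, QCLASS IN
CNAME_RDATA = encode_name("www.jdcdn.com")
RESPONSE = (struct.pack(">HHHHHH", 65362, 0x8180, 1, 2, 0, 0)    # QR+RD+RA, 2 answers
            + encode_name("www.jd.com") + struct.pack(">HH", 1, 1)
            + b"\xc0\x0c" + struct.pack(">HHIH", 5, 1, 60, len(CNAME_RDATA)) + CNAME_RDATA
            + b"\xc0\x28" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([14, 152, 71, 1]))
```

The pointers 0xc00c and 0xc028 refer back to offsets 12 (the question name) and 40 (the CNAME target), which is why the second answer's owner name decodes as www.jdcdn.com.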
