DNS: Domain Name System
DNS is a distributed service that maps between domain names and IP addresses on the Internet. A domain name can be resolved to its IP address, and an IP address can be resolved back to its domain name, so users do not have to remember hard-to-remember IP addresses.
In practice, the DNS service on a network is provided by the network operator. Most regions have a corresponding domain name server. 114.114.114.114 is a public DNS server from which DNS service can be obtained.
A domain name is divided into levels separated by dots. The last level is the top-level domain, such as com, edu, org and so on. Domain names are assigned by authorized agencies.
On Windows, running nslookup in CMD shows the IP of the local DNS server; on Linux, the host command is generally used to resolve domain names and IPs.
DNS: DNS Message Format
DNS is an application-layer protocol carried over TCP/IP; at the transport layer, DNS messages are generally carried in UDP. The following is the format of the DNS message:
The DNS message consists of a 12-byte header and 4 variable-length fields.
Identification field: set by the client and returned by the server with the result. The client program uses it to determine whether the response matches the query. (It can be treated as a message ID.)
Flag field: Defines various flag bits.
Count fields: number of questions, number of answer resource records, number of authority resource records, and number of additional resource records.
The question section in DNS query messages
The query name is the name to look up, and it is a sequence of one or more labels. Each label begins with a one-byte count that gives the byte length of the label that follows. Each name ends with a final byte of 0, a label of length 0 being the root label. The actual storage structure is illustrated by the following:
Each question has a query type, and each response also has a type. The type indicates the kind of query to be performed, typically A (IP address query).
The query class is usually 1, which refers to the Internet address.
Resource record section in DNS response messages
The last three fields in the DNS message (the answer field, the authority field, and the additional information field) share the same format, called the resource record (RR).
The domain name is the name that corresponds to the resource data in the record. It has the same format as the Query Name field described earlier.
Type indicates the type code of the RR. Its value is the same as the value of the query type described earlier. Class is typically 1, which refers to Internet data.
The time to live field is the number of seconds that the client program retains the resource record. Resource records typically have a time-to-live value of 2 days.
Resource data length gives the size of the resource data. The format of the data depends on the value of the Type field. For Type 1 (A record), the resource data is a 4-byte IP address.
More detailed structure reference: http://blog.chinaunix.net/uid-24875436-id-3088461.html
Or: TCP/IP Illustrated, Volume 1, DNS: The Domain Name System.
Below, DNS packets captured with Wireshark are used to see the actual data structure of DNS. The packets analyzed here are the DNS query and response for obtaining Baidu's IP.
The transaction ID in the figure is the identification field. The figure also indicates that the corresponding response is in frame number 1526; the query datagram and its response datagram carry the same identification number. Take a look at the actual data.
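The header, question and resource record layout described above can be checked with a small parser. This is an added example, not code from the original article: the names read_name, parse_message and SAMPLE are assumptions, and the sample bytes are a constructed response for www.example.com. It goes slightly beyond the text by following RFC 1035 compression pointers, which real responses use for repeated names, with a depth limit so that a looping pointer in a hostile packet cannot hang the parser.

```python
import struct

def read_name(msg, off, depth=0):
    """Decode the length-prefixed labels at off; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n == 0:  # zero-length label is the root and ends the name
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # RFC 1035 compression pointer (beyond the text above)
            if depth >= 10 or off + 1 >= len(msg):
                raise ValueError("bad or looping compression pointer")
            tail, _ = read_name(msg, ((n & 0x3F) << 8) | msg[off + 1], depth + 1)
            return ".".join(labels + ([tail] if tail else [])), off + 2
        if n > 63 or off + 1 + n > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def parse_message(msg):
    """Parse the 12-byte header, the questions and all resource records."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!2H", msg, off)
        questions.append((name, qtype, qclass))
        off += 4
    for _ in range(an + ns + ar):  # answer, authority and additional share one format
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("resource data runs past end of message")
        if rtype == 1 and rdlen == 4:  # A record: 4-byte IP address
            rdata = ".".join(map(str, rdata))
        records.append((name, rtype, rclass, ttl, rdata))
        off += 10 + rdlen
    return {"id": ident, "response": bool(flags & 0x8000),
            "questions": questions, "records": records}

# Constructed sample: response for www.example.com, A 192.0.2.1, TTL 172800 s (2 days)
SAMPLE = (bytes.fromhex("1a2b81800001000100000000") + b"\x03www\x07example\x03com\x00"
          + bytes.fromhex("00010001" "c00c" "00010001" "0002a300" "0004" "c0000201"))
```

Calling parse_message(SAMPLE) returns the identification, the question and the single A record; the answer's name is stored as the two-byte pointer c0 0c, which refers back to offset 12, the start of the question name.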
Here is the response message:
You can see here that the transaction ID is the same as above. In addition to the question section, the response contains an answer section. Each part corresponds to the DNS resource record format described above.
Wireshark: DNS datagram analysis