HakTip 129 – Wireshark 101: The Domain Name System

Today on HakTip, Shannon explains the DNS protocol, or Domain Name System, and how it pertains to use in Wireshark.

Download HD | Download MP4

DNS (Domain Name System) is the reason why when you type in a website like google.com, it goes to their IP address. This way you don’t have to memorize a bunch of numbers to take you where you wanna go on the internet. To view all the different type of DNS traffic you might run into, go to this site to see more.

Whenever you look at a DNS packet, you’ll run into a bunch of information.
First we have a DNS ID Number to associate queries with responses, then whether it’s a query or a response. Next is an OpCode (what type of query it is), and Authoritative Answers (if the response packet is from a name server). Next is TC for Truncation if the response is too big to fit in a packet, and RD for Recursion Desired, which means the name server will support recursive queries. Z stands for Reserved, usually set to all zeros, but can be used by the RCode field below it as an extension. Response Code shows you any errors, Question count show you the number of entries in the “Question” section, Answer count is the same for answers, and Name server count shows you the number of name server resource records found in the authority section, if available.

Add’tl records count shows you the number of other resource records in the Addit’l info section, Questions has queries that will be sent to the DNS server, Answers will answer queries, authority is a section that will have resource records for authoritative name servers used to continue the resolution process, and lastly is the addit’l info section.

That’s a lot of sections!

DNS is also a question/response format, similar to other protocols. The client asks for an IP address from the DNS server, the server sends back info as a response. In it’s simplest form, DNS only has two packets. You’ll see a few different Resource Record Types whenever you look at one of these packets including A for an IPv4 host address, NS for a name server, TXT for a text string, and so on. More can be found by checking the IANA site.

Now for some more info on recursion. This happens when the DNS server acts like a client to further on the packet in order to find an IP address of an outside site, like when you visit google.com or hak5.wpengine.com. Under the recursion desired label, it’ll say “Do query recursively”. If the DNS server doesn’t know which IP belongs to a www site, it’ll continue on the packet to another DNS server. Depending on where the sites server is located, the query can travel through many DNS servers until it finds the correct IP and sends it back to you.

Lastly, lets talk a bit about Zones. Hak5 has a bunch of different DNS servers for our stuff, like hak5.wpengine.com is on a DNS server, and our email is on another server, and we have another DNS server set up to maintain a copy of Hak5.org… and so on. These servers are called zones, and they are the authorities for the sub-domains. A Zone Transfer might occur if a company like Hak5 wants to keep the domain redundant on another server. There can be a Full Zone Transfer or a Incremental Zone Transfer, either meaning the entire zone is transferred, or just parts of it. Zone Transfers run on TCP over UDP, with DNS, because of the size of the packet- TCP ends up being more reliable. In Wireshark, this would be seen under Type: stating it as a AFXR or Full Zone Transfer.

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>