Understanding the DNS Protocol (Part 2)


If you missed the previous parts in this series please go read:

DNS, Resource Records and RCODE’s

We are now familiar with the domain name service at a high level. What we need to do next is become familiar with some specifics. To that end we will take a look at about half a dozen resource records and explain what they mean. We will do this with example packets, so that we can see them rather than simply read about them. The resource records covered below are in no particular order. On that note, let’s get on with it!

The packets below contain the non-routable addresses 192.168.1.200 and 192.168.1.100, which I substituted for the real IP addresses that were in the packets. I have also included a selection of both RCODEs and resource records for us to look at. With that said, let’s take a look at our first packet, which carries an RCODE.

There is no such domain!

During your everyday surfing of the web it may happen that a link you click on fails to load the requested page. Just like in the real world of business, web sites sometimes disappear for a variety of reasons. Bearing this in mind, DNS needs a way of communicating this back to the client that made the original request. This is done via a DNS RCODE, i.e. response code, known as NXDomain (non-existent domain). It means literally just that: there is no such domain to be found. Please note that I have snipped the packet below for brevity; in reality the packet was 143 bytes long, as reflected in the “len 143” field shown below.

So we can see that the DNS server at 192.168.1.200 is telling 192.168.1.100 (which must originally have asked for resolution of a domain) that the domain it wanted resolved does not exist. The number we see below, i.e. 17165, is the DNS transaction ID; it allows the client requesting DNS resolution to keep track of which answer goes with which request. After all, your computer is likely making quite a few DNS resolution requests, and this number lets it match each response to its query.

11:00:06.289070 192.168.1.200.53 > 192.168.1.100.155:  17165 NXDomain 0/1/0 (115) (ttl 58, id 43899, len 143)
0x0000   4500 008f ab7b 0000 3a11 26d7 c0a8 01c8        E....{..:.&.....
0x0010   c0a8 0164 0035 009b 007b 3410 430d 8183        ...d.5...{4.C...
0x0020   0001 0000 0001 0000 xxxx xxxx xxxx xxxx        ........xxxxxxxx
0x0030   xxxx xxxx xxxx xxxx xxxx  6e2d 6164 6472        xxxxxxxxxxn-addr
0x0040   0461 7270 6100 000c 0001 c014 0006 0001        .arpa...........

I want answers!

What we see below is a DNS answer carrying an “A” resource record, as shown in the summary line below. The A record maps a host name to an IP address; in our case it is the IP address for the banner.paypopup.com domain. From this we can deduce once again that 192.168.1.100 issued an “A?” request for the IP address of banner.paypopup.com. This resource record is very common, and you would indeed see a lot of these were you sniffing your connection while surfing. Once again, for brevity’s sake I have snipped part of the packet.

11:00:09.511821 192.168.1.200.53 > 192.168.1.100.155:  17170 1/5/5 banner.paypopup.com. A 66.48.78.203 (242) (ttl 58, id 47434, len 270)
0x0000   4500 010e b94a 0000 3a11 1889 c0a8 01c8        E....J..:.......
0x0010   c0a8 0164 0035 009b 00fa 4ae2 4312 8180        ...d.5....J.C...
0x0020   0001 0001 0005 0005 0662 616e 6e65 7208        .........banner.
0x0030   7061 7970 6f70 7570 0363 6f6d 0000 0100        paypopup.com....
0x0040   01c0 0c00 0100 0100 000d 7200 0442 304e        ..........r..B0N

CNAME record

CNAME stands for canonical name, and it is another DNS resource record, much like the A record seen above. A CNAME record points an alias at the true (canonical) host name of a computer. There can be more than one domain name associated with an IP address; in essence a computer can have a whole lot of aliases that resolve to the one IP address, and that is why the CNAME record exists. A CNAME record must be present in the DNS database for each alias. In the packet below, fpdownload.macromedia.com is an alias whose canonical name is fpdownload.macromedia.speedera.net, and the A record for that canonical name supplies the address.

11:00:11.484898 192.168.1.200.53 > 192.168.1.100.155:  17189 3/7/7 fpdownload.macromedia.com. CNAME fpdownload.macromedia.speedera.net., fpdownload.macromedia.speedera.net. A 216.200.249.204, [|domain] (ttl 58, id 49656, len 375)
0x0000   4500 0177 c1f8 0000 3a11 0f72 c0a8 01c8        E..w....:..r....
0x0010   c0a8 0164 0035 009b 0163 16bb 4325 8180        ...d.5...c..C%..
0x0020   0001 0003 0007 0007 0a66 7064 6f77 6e6c        .........fpdownl
0x0030   6f61 640a 6d61 6372 6f6d 6564 6961 0363        oad.macromedia.c

ServFail RCODE

Another cryptic packet you may encounter is the “ServFail”, which is an RCODE just like NXDomain. A ServFail tells you that the DNS server itself possibly experienced an error, or that a timeout occurred while the query was being forwarded. In reality this is telling you that, in all likelihood, the server could not honor your DNS request due to a server-side issue.

01:04:37.291738 192.168.1.200.53 > 192.168.1.100.649: [udp sum ok]  60301 ServFail 0/0/0 (33) (ttl 58, id 25184, len 61)
0x0000   4500 003d 6260 0000 3a11 7043 c0a8 01c8        E..=b`..:.pC....
0x0010   c0a8 0164 0035 0289 0029 1266 eb8d 8182        ...d.5...).f....
0x0020   0001 0000 0000 0000 0b6d 7966 756e 6e79        .........myfunny
0x0030   6d61 696c 0363 6f6d 0000 1c00 01                mail.com.....

What does a DNS query look like?

So far we have looked at quite a few DNS responses but have yet to look at an actual DNS query. Without further ado, let’s see what a query looks like. From the summary line below we can see the “A?”, which means that 192.168.1.200 is asking 192.168.1.100 for an A record; in essence it is asking for an IP address for the domain listed after the “A?”.

We can see that we have an overall packet length of 61, as evidenced by the “len 61” field below. We can also see that there are thirty-three data bytes in the packet, as noted by the “(33)”. Why is there a disparity between the two numbers, you ask? Good question. We have an overall packet size of sixty-one and a data payload of thirty-three, which makes for a difference of twenty-eight bytes. Those twenty-eight bytes are the twenty-byte IP header and the eight-byte UDP header. Once we add those in, we can account for the overall packet size of sixty-one.

09/06/2005 21:00:38.294185 192.168.1.200.32768 > 192.168.1.100.53: [udp sum ok]  56810 A? amextipe.opt.mr. (33) (DF) (ttl 254, id 27836, len 61)
0x0000   4500 003d 6cbc 4000 fe11 e2d4 c0a8 01c8        E..=l.@.........
0x0010   c0a8 0164 8000 0035 0029 64c8 ddea 0000        ...d...5.)d.....
0x0020   0001 0000 0000 0000 0861 6d65 7874 6970        .........amextip
0x0030   6503 6f70 7402 6d72 0000 0100 01                e.opt.mr.....
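The header fields we have been reading off the dumps by eye can be checked in code. The following Python decoder is an added example and is not part of the original article: it walks the IPv4, UDP and DNS headers of the two unsnipped dumps above (the ServFail response and the A? query, hex copied verbatim from the page), recovers the transaction ID, RCODE, answer/authority/additional counts, query name and payload length that tcpdump prints on its summary line, and confirms the 61 = 20 + 8 + 33 length accounting. The RCODE and QTYPE name tables are my own (standard IANA values).

```python
"""Decode the IPv4/UDP/DNS headers of a tcpdump -X hex dump (added example)."""
import struct

RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}
QTYPE_NAMES = {1: "A", 5: "CNAME", 12: "PTR", 28: "AAAA"}

# Hex bytes copied from the two unsnipped dumps on the page: the ServFail response
# (192.168.1.200.53 > 192.168.1.100.649) and the A? query (192.168.1.200.32768 > 192.168.1.100.53).
SERVFAIL_HEX = ("4500 003d 6260 0000 3a11 7043 c0a8 01c8 c0a8 0164 0035 0289 0029 1266 eb8d 8182 "
                "0001 0000 0000 0000 0b6d 7966 756e 6e79 6d61 696c 0363 6f6d 0000 1c00 01")
QUERY_HEX = ("4500 003d 6cbc 4000 fe11 e2d4 c0a8 01c8 c0a8 0164 8000 0035 0029 64c8 ddea 0000 "
             "0001 0000 0000 0000 0861 6d65 7874 6970 6503 6f70 7402 6d72 0000 0100 01")

def read_qname(data, offset):
    """Walk the length-prefixed labels of a QNAME; return (name, offset past the root byte)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:                       # root label terminates the name
            return ".".join(labels), offset
        if length & 0xC0:                     # compression pointer: never valid in a question
            raise ValueError("compressed label in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def decode_packet(hex_dump):
    """Return the fields tcpdump prints on its summary line, parsed from the raw bytes."""
    pkt = bytes.fromhex(hex_dump.replace(" ", ""))
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes (20 here)
    ip_total_len, ip_id = struct.unpack("!HH", pkt[2:6])
    ttl, proto = pkt[8], pkt[9]
    if proto != 17:
        raise ValueError("not a UDP packet")
    sport, dport, udp_len = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    dns = pkt[ihl + 8:]                       # DNS message starts after the 8-byte UDP header
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    qname, off = read_qname(dns, 12)
    qtype = struct.unpack("!H", dns[off:off + 2])[0]
    return {
        "ip_len": ip_total_len, "ip_id": ip_id, "ttl": ttl, "sport": sport, "dport": dport,
        "dns_len": udp_len - 8,               # the "(33)" tcpdump prints
        "txid": txid,                         # the 60301 / 56810 transaction number
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": RCODE_NAMES.get(flags & 0x0F, str(flags & 0x0F)),
        "counts": f"{an}/{ns}/{ar}",          # tcpdump's answer/authority/additional "0/0/0"
        "qname": qname, "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "header_overhead": ip_total_len - (udp_len - 8),  # 20 IP + 8 UDP = 28 bytes
    }
```

Running `decode_packet` over the ServFail bytes also reveals what the summary line does not: the failed lookup was an AAAA query for myfunnymail.com.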

So far we have covered several resource records and RCODEs. This wraps up part two of the DNS series. In part three we will wrap up our coverage of DNS; until then, keep learning!
