DNS (Domain Name System) is a distributed database on the Internet that maps domain names and IP addresses to each other, so that users can reach the Internet conveniently instead of having to remember the numeric IP strings that machines read directly. The process of obtaining the IP address that corresponds to a host name is called domain name resolution or host name resolution. DNS runs on top of UDP and uses port 53.
This post mainly explains how to capture and locate DNS traffic with Wireshark; for what DNS is, Baidu Baike already covers it in detail. Put simply, a domain name is like your home address (Zhejiang, Hangzhou, Binjiang, ...). To deliver mail to your home, a computer cannot recognise that address directly, so it must be converted into something like a longitude and latitude, the IP address. DNS performs that conversion: the DNS root servers sit at the top, and the other mirror servers perform address translation based on the root servers.
DNS is also called the IP translator. Its workflow is as follows:
```
                 Local Host                        |  Foreign
                                                   |
    +---------+               +----------+         |  +--------+
    |         | user queries  |          |queries  |  |        |
    |  User   |-------------->|          |---------|->|Foreign |
    | Program |               | Resolver |         |  |  Name  |
    |         |<--------------|          |<--------|--| Server |
    |         | user responses|          |responses|  |        |
    +---------+               +----------+         |  +--------+
                                |     A            |
                cache additions |     | references |
                                V     |            |
                              +----------+         |
                              |  cache   |         |
                              +----------+         |
```
Example:
The two DNS query modes
Recursive query: a host's query to its local name server is normally recursive. If the local name server the host asks does not know the IP address of the queried domain name, the local name server, acting as a client, sends a further query to other root name servers.
Iterative query: the local name server's query to a root name server is normally iterative. When the root name server receives the local name server's query message, it either returns the IP address being queried or tells the local name server which name server to query next, leaving the local name server to carry out the subsequent queries.
Common DNS question types
The type field used in DNS queries and responses indicates the resource record type of the query or response.

| Value | Type | Description |
|---|---|---|
| 1 | A | IPv4 host address |
| 2 | NS | Authoritative name server |
| 5 | CNAME | Canonical name; defines an alias for the host's official name |
| 12 | PTR | Pointer; maps an IP address back to a domain name |
| 15 | MX | Mail exchange record; used by e-mail systems to locate the mail server from the suffix of the recipient's address |
| 16 | TXT | Text string |
| 28 | AAAA | IPv6 host address |
| 251 | IXFR | Incremental zone transfer |
| 252 | AXFR | Full zone transfer |

Capturing DNS data
Start Wireshark and begin capturing, then trigger a DNS query with dig:
```
dig www.baidu.com
```
Common ways to use dig and what they do:
- dig: DNS lookup utility.
- Look up the IP(s) associated with a hostname (A records): `dig +short {{example.com}}`
- Look up the mail server(s) associated with a given domain name (MX record): `dig +short {{example.com}} MX`
- Get all types of records for a given domain name: `dig {{example.com}} ANY`
- Specify an alternate DNS server to query: `dig @{{8.8.8.8}} {{example.com}}`
- Perform a reverse DNS lookup on an IP address (PTR record): `dig -x {{8.8.8.8}}`
- Find authoritative name servers for the zone and display SOA records: `dig +nssearch {{example.com}}`
- Perform iterative queries and display the entire trace path to resolve a domain name: `dig +trace {{example.com}}`
DNS message format analysis
```
                                1  1  1  1  1  1
  0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                      ID                       |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    QDCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ANCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    NSCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
|                    ARCOUNT                    |
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
```
- ID: the DNS ID number, used to match a DNS query with its DNS response.
- QR (Query/Response): indicates whether the message is a DNS query or a response; 1 bit, where 1 means response and 0 means query.
- Opcode: defines the kind of request carried in the message; 4 bits.
- AA: authoritative answer; if this bit is set, the response was issued by an authoritative name server; 1 bit.
- TC: truncated; set when the response was too long to fit in the message and was cut off. When this flag is 1 the response exceeded 512 bytes and has been truncated.
- RD (Recursion Desired): set in the request; tells the target name server that, if it does not hold the requested information, the DNS client wants it to perform a recursive query.
- RA (Recursion Available): when set, the name server supports recursive queries.
- Z: reserved; all bits are zero, although they are sometimes used as an extension of the RCODE bits.
- RCODE (Response Code): in a DNS response, indicates an error; 4 bits. Meanings: 0 no error; 1 format error; 2 problem on the name server; 3 domain name problem; 4 type not supported; 5 administratively refused; 6-15 reserved.
- QDCOUNT: question count, the number of entries in the question section.
- ANCOUNT: the number of entries in the answer section.
- NSCOUNT: name server count, the number of resource records in the authority section.
- ARCOUNT: the number of other resource records in the additional section.
Message walkthrough
```
Domain Name System (query)
    Transaction ID: 0x9ad0                                            # transaction ID
    Flags: 0x0000 Standard query                                      # flags field of the message
        0... .... .... .... = Response: Message is a query           # QR field, 0 because this is a request
        .000 0... .... .... = Opcode: Standard query (0)             # Opcode field, 0 because this is a standard query
        .... ..0. .... .... = Truncated: Message is not truncated    # TC field
        .... ...0 .... .... = Recursion desired: Don't do query recursively   # RD field
        .... .... .0.. .... = Z: reserved (0)                        # reserved field, 0
        .... .... ...0 .... = Non-authenticated data: Unacceptable   # reserved field, 0
    Questions: 1                                                      # question count, one question here
    Answer RRs: 0                                                     # answer resource record count
    Authority RRs: 0                                                  # authoritative name server count
    Additional RRs: 0                                                 # additional resource record count
```
Packets of the protocol exchange
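As an added example (not code from the original post), the following Python parser reads the header, question and answer sections laid out above, naming types with the values from the table. It also decodes the 0xC0 compression pointers that frame 6's answers use to refer back to the question name, and rejects pointers that do not point backwards, which is the check a parser needs before trusting a captured packet. The sample bytes are constructed to mirror frame 6's question and two A answers; the TTL of 300 s is an assumption, since Wireshark's summary does not show it.

```python
import struct
# Type values from the table above; 41 (OPT) also appears in the capture's additional section.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT",
            28: "AAAA", 41: "OPT", 251: "IXFR", 252: "AXFR"}
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}

def read_name(msg, off):
    """Decode the name at msg[off]; returns (name, offset just past the name's first occurrence)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # 11xxxxxx: 14-bit pointer (RFC 1035 4.1.4)
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:                                # pointers must go backwards; this stops loops
                raise ValueError("forward compression pointer at offset %d" % off)
            end, off = (end if end is not None else off + 2), ptr   # only the first pointer ends the name
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_dns(msg):
    """Parse header, question and answer sections; authority/additional records are left unparsed."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    hdr = {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
           "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
           "rcode": RCODES.get(flags & 0xF, flags & 0xF), "counts": (qd, an, ns, ar)}
    off, questions, answers = 12, [], []
    for _ in range(qd):                                   # question: QNAME, QTYPE, QCLASS
        name, off = read_name(msg, off)
        qtype = struct.unpack_from("!H", msg, off)[0]
        questions.append((name, RR_TYPES.get(qtype, qtype)))
        off += 4
    for _ in range(an):                                   # answer RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:                     # A record: render RDATA as a dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, RR_TYPES.get(rtype, rtype), ttl, rdata))
    return hdr, questions, answers
# Constructed sample (not the captured bytes): frame 6's response cut down to question + 2 answers, TTL 300 assumed.
SAMPLE_RESPONSE = (b"\x9f\x1c\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"   # header: ID 0x9f1c, flags 0x8180, QD=1 AN=2
    + b"\x03www\x01a\x06shifen\x03com\x00\x00\x01\x00\x01"              # question: www.a.shifen.com, type A, class IN
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xb4\x65\x31\x0c"   # pointer to offset 12, A, TTL 300, 180.101.49.12
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xb4\x65\x31\x0b")  # pointer to offset 12, A, TTL 300, 180.101.49.11
```

Calling `parse_dns(SAMPLE_RESPONSE)` yields the same flag values Wireshark shows for frame 6: QR=1, AA=0, RD=1, RA=1, RCODE NoError.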
```
Frame 5: 87 bytes on wire (696 bits), 87 bytes captured (696 bits) on interface wlp4s0, id 0
Ethernet II, Src: Chongqin_e1:18:a9 (40:23:43:e1:18:a9), Dst: HIWIFI_65:b0:40 (d4:ee:07:65:b0:40)
Internet Protocol Version 4, Src: 192.168.199.235, Dst: 192.168.199.1
User Datagram Protocol, Src Port: 36025, Dst Port: 53
Domain Name System (query)                                            # DNS protocol
    Transaction ID: 0x9f1c                                            # transaction ID number
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query           # DNS query
        .000 0... .... .... = Opcode: Standard query (0)             # opcode
        .... ..0. .... .... = Truncated: Message is not truncated    # truncation
        .... ...1 .... .... = Recursion desired: Do query recursively   # recursion desired
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        www.a.shifen.com: type A, class IN
            Name: www.a.shifen.com
            [Name Length: 16]
            [Label Count: 4]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
    [Response In: 6]

No.  Time         Source         Destination     Protocol Length Info
6    0.013373576  192.168.199.1  192.168.199.235 DNS      289    Standard query response 0x9f1c A www.a.shifen.com A 180.101.49.12 A 180.101.49.11 NS ns3.a.shifen.com NS ns4.a.shifen.com NS ns5.a.shifen.com NS ns1.a.shifen.com NS ns2.a.shifen.com A 61.135.165.224 A 220.181.33.32 A 112.80.255.253 A 14.215.177.229 A 180.76.76.95 OPT

Frame 6: 289 bytes on wire (2312 bits), 289 bytes captured (2312 bits) on interface wlp4s0, id 0
Ethernet II, Src: HIWIFI_65:b0:40 (d4:ee:07:65:b0:40), Dst: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)
Internet Protocol Version 4, Src: 192.168.199.1, Dst: 192.168.199.235
User Datagram Protocol, Src Port: 53, Dst Port: 36025
Domain Name System (response)
    Transaction ID: 0x9f1c
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response        # DNS reply
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain   # non-authoritative answer
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries   # server supports recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 2
    Authority RRs: 5
    Additional RRs: 6
    Queries
        www.a.shifen.com: type A, class IN
            Name: www.a.shifen.com
            [Name Length: 16]
            [Label Count: 4]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Answers
        www.a.shifen.com: type A, class IN, addr 180.101.49.12
        www.a.shifen.com: type A, class IN, addr 180.101.49.11
    Authoritative nameservers
        a.shifen.com: type NS, class IN, ns ns3.a.shifen.com
        a.shifen.com: type NS, class IN, ns ns4.a.shifen.com
        a.shifen.com: type NS, class IN, ns ns5.a.shifen.com
        a.shifen.com: type NS, class IN, ns ns1.a.shifen.com
        a.shifen.com: type NS, class IN, ns ns2.a.shifen.com
    Additional records
        ns1.a.shifen.com: type A, class IN, addr 61.135.165.224
        ns2.a.shifen.com: type A, class IN, addr 220.181.33.32
        ns3.a.shifen.com: type A, class IN, addr 112.80.255.253
        ns4.a.shifen.com: type A, class IN, addr 14.215.177.229
        ns5.a.shifen.com: type A, class IN, addr 180.76.76.95
        <Root>: type OPT
    [Request In: 5]
    [Time: 0.013373576 seconds]
```