DNS Packet Capture Analysis with Wireshark
DNS (Domain Name System) is a distributed database on the Internet that maps domain names and IP addresses to each other. It lets users reach hosts conveniently instead of memorizing the numeric IP strings that machines read directly. The process of obtaining the IP address that corresponds to a hostname is called domain name resolution or hostname resolution. DNS runs on top of UDP and uses port 53.
This post mainly shows how to capture and locate DNS traffic with Wireshark. For what DNS is, the Baidu Baike entry is already quite detailed. Put simply, a domain name is like your home address, "Binjiang, Hangzhou, Zhejiang...": to deliver mail to your home, a computer cannot understand that address directly, so it has to be converted into an IP address, the equivalent of a longitude and latitude. DNS does this conversion: there are DNS root servers, and the other mirror servers perform address translation based on the root servers.
DNS is also called the IP translator. Its workflow is as follows:
```
                 Local Host                        |  Foreign
                                                   |
    +---------+               +----------+         |  +--------+
    |         | user queries  |          |queries  |  |        |
    |  User   |-------------->|          |---------|->|Foreign |
    | Program |               | Resolver |         |  |  Name  |
    |         |<--------------|          |<--------|--| Server |
    |         | user responses|          |responses|  |        |
    +---------+               +----------+         |  +--------+
                                |     A            |
                cache additions |     | references |
                                V     |            |
                              +----------+         |
                              |  cache   |         |
                              +----------+         |
```
Example:
The two DNS query modes
- Recursive query: a host's query to its local name server normally uses recursive query. If the local name server the host asks does not know the IP address of the queried domain name, the local name server acts as a client itself and sends query request messages on to other root name servers.
- Iterative query: the local name server's query to the root name server usually uses iterative query. When the root name server receives the query request message from the local name server, it either returns the IP address being queried or tells the local name server which name server to ask next, and leaves the subsequent queries to the local name server.
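The two modes side by side, as an added example that is not part of the original post: a small Python model with a constructed set of name servers (the server names and the zone data are assumptions made here; the addresses are borrowed from the capture later in this post). `resolve_iteratively` plays the local name server following referrals, which is the path that `dig +trace` prints, and `resolve_recursively` plays the stub client that asks the local server once and receives the final answer, with the local server caching what it learned.

```python
# Constructed zone data (assumption, not real DNS): each "server" knows only its own zone and
# refers everything below it to the next server, the way root, TLD and domain servers do.
SERVERS = {
    "root":          {"referral": {"com": "com-server"}},
    "com-server":    {"referral": {"shifen.com": "shifen-server"}},
    "shifen-server": {"answer": {"www.a.shifen.com": ["180.101.49.12", "180.101.49.11"]}},
}

def authoritative_lookup(server, name):
    # One round trip to `server`: an answer, a referral to a closer server, or nothing.
    zone = SERVERS[server]
    if name in zone.get("answer", {}):
        return "answer", zone["answer"][name]
    for suffix, next_server in zone.get("referral", {}).items():
        if name == suffix or name.endswith("." + suffix):
            return "referral", next_server
    return "nxdomain", None

def resolve_iteratively(name, start="root"):
    # What the local name server does: follow each referral itself and record the path.
    # The hop bound keeps a referral loop from running forever.
    path, server = [], start
    for _ in range(8):
        kind, payload = authoritative_lookup(server, name)
        path.append((server, kind))
        if kind == "answer":
            return payload, path
        if kind != "referral":
            return None, path
        server = payload
    raise RuntimeError("referral loop")

def resolve_recursively(name, local_cache):
    # What the stub client sees with RD=1: one question to the local server, one final
    # answer back. The local server walks the referral chain only on a cache miss.
    if name not in local_cache:
        local_cache[name] = resolve_iteratively(name)[0]
    return local_cache[name]
```

The referral path returned by `resolve_iteratively` is the same sequence of servers a real resolver contacts when `dig +trace` is run for the name; the cache in `resolve_recursively` is why a second lookup of the same name never leaves the local server.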
Common DNS question types
The type field used in DNS queries and responses specifies the resource record type of the query or the response.
| Value | Type | Meaning |
|---|---|---|
| 1 | A | IPv4 host address |
| 2 | NS | Authoritative name server |
| 5 | CNAME | Canonical name; defines an alias for the host's official name |
| 12 | PTR | Pointer; maps an IP address back to a domain name |
| 15 | MX | Mail exchange record; used by e-mail systems to locate the mail server from the recipient address suffix when sending mail |
| 16 | TXT | Text string |
| 28 | AAAA | IPv6 host address |
| 251 | IXFR | Incremental zone transfer |
| 252 | AXFR | Full zone transfer |
Capturing DNS data
Start a Wireshark capture, then use dig to trigger a DNS query:
```
dig www.baidu.com
```
Common dig usages and what they do:
```
dig
DNS Lookup utility.

- Lookup the IP(s) associated with a hostname (A records):
  dig +short {{example.com}}

- Lookup the mail server(s) associated with a given domain name (MX record):
  dig +short {{example.com}} MX

- Get all types of records for a given domain name:
  dig {{example.com}} ANY

- Specify an alternate DNS server to query:
  dig @{{8.8.8.8}} {{example.com}}

- Perform a reverse DNS lookup on an IP address (PTR record):
  dig -x {{8.8.8.8}}

- Find authoritative name servers for the zone and display SOA records:
  dig +nssearch {{example.com}}

- Perform iterative queries and display the entire trace path to resolve a domain name:
  dig +trace {{example.com}}
```
DNS message format
```
                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    QDCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ANCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    NSCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ARCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
```
- ID: used to match a DNS query with its DNS response
- Query/Response (QR): indicates whether this message is a DNS query or a response; 1 bit, 1 means response, 0 means query
- Opcode: defines the type of request carried in the message; 4 bits
- AA: authoritative answer; if this bit is set, the response was sent by an authoritative name server; 1 bit
- TC: truncated; set when the response is too long to fit in the message and has been cut off. A value of 1 means the response exceeded 512 bytes and was truncated
- Recursion Desired (RD): set in a request, it tells the name server that the DNS client wants a recursive query if the target name server does not hold the requested information
- RA: recursion available; when set, the name server supports recursive queries
- Z: reserved; all bits set to 0, although they are sometimes used as an extension of the RCODE bits
- RCODE: response code; in a DNS response it indicates an error; 4 bits. Meanings:
  - 0: no error
  - 1: format error
  - 2: a problem on the name server
  - 3: a problem with the domain name
  - 4: query type not supported
  - 5: administratively refused
  - 6 to 15: reserved
- QDCOUNT: question count, the number of entries in the question section
- ANCOUNT: the number of entries in the answer section
- NSCOUNT: name server count, the number of name server resource records in the authority section
- ARCOUNT: the number of other resource records in the additional section
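As an added example that is not part of the original post, the following Python code parses the header fields listed above and then the question, answer, authority and additional sections, and builds a query the way dig does. The function names, the TTLs and the sample bytes are assumptions made here; the sample response is constructed to mirror the transaction ID (0x9f1c), the flags (0x8180) and the two A answers seen in the capture later in this post, trimmed to one NS record. Name decoding follows compression pointers with a hop limit, because a looping pointer is the classic way a malformed message hangs a naive parser, and `matches` performs the ID-plus-question check a resolver applies before it accepts a reply.

```python
import struct

# Record type numbers from the table in this post, plus OPT (41), dig's EDNS record
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT",
              28: "AAAA", 41: "OPT", 251: "IXFR", 252: "AXFR"}
RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "Name error", 4: "Not implemented", 5: "Refused"}

def encode_name(name):
    # Dotted name -> length-prefixed labels terminated by the root label (0x00)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    if any(not 0 < len(l) < 64 for l in labels):
        raise ValueError("labels must be 1..63 bytes")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(txid, name, qtype=1, rd=True):
    # Header + one question, as dig sends it; RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_flags(flags):
    # Split the flags word the way Wireshark shows it: the three Z bits of RFC 1035
    # appear as Z, AD (answer authenticated) and CD (non-authenticated data)
    return {"QR": flags >> 15 & 1, "Opcode": flags >> 11 & 0xF, "AA": flags >> 10 & 1,
            "TC": flags >> 9 & 1, "RD": flags >> 8 & 1, "RA": flags >> 7 & 1,
            "Z": flags >> 6 & 1, "AD": flags >> 5 & 1, "CD": flags >> 4 & 1, "RCODE": flags & 0xF}

def decode_name(data, offset, hops=0):
    # Decode a possibly compressed name; return (name, offset just past it in the stream).
    # A pointer (top two bits 11) is followed at most 16 times, so a crafted loop raises.
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        if length & 0xC0 == 0xC0:
            if hops >= 16 or offset + 1 >= len(data):
                raise ValueError("bad or looping compression pointer")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = decode_name(data, pointer, hops + 1)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        if length == 0:
            return ".".join(labels) or ".", offset + 1
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_rr(data, offset):
    # One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
    name, offset = decode_name(data, offset)
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    if offset + rdlength > len(data):
        raise ValueError("RDATA truncated")
    if rtype == 1 and rdlength == 4:
        value = ".".join(str(b) for b in data[offset:offset + 4])
    elif rtype in (2, 5, 12):   # NS, CNAME and PTR carry a (compressible) name
        value, _ = decode_name(data, offset)
    else:
        value = data[offset:offset + rdlength].hex()
    return {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "class": rclass, "ttl": ttl, "data": value}, offset + rdlength

def parse_message(data):
    # Header and all four sections as a dict; raises on malformed input
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    msg = {"id": txid, "flags": parse_flags(flags), "rcode": RCODE_NAMES.get(flags & 0xF, "Reserved"),
           "questions": [], "answers": [], "authority": [], "additional": []}
    offset = 12
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        msg["questions"].append({"name": name, "type": TYPE_NAMES.get(qtype, qtype), "class": qclass})
        offset += 4
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, offset = parse_rr(data, offset)
            msg[section].append(rr)
    return msg

def matches(query, response):
    # What a resolver checks before accepting a reply: same ID, QR set, same question
    q, r = parse_message(query), parse_message(response)
    return q["id"] == r["id"] and r["flags"]["QR"] == 1 and q["questions"] == r["questions"]

def is_well_formed(data):
    try:
        return bool(parse_message(data))
    except (ValueError, struct.error):
        return False

def constructed_response():
    # Constructed sample shaped like frame 6 in the post (ID 0x9f1c, flags 0x8180, the same
    # two A answers), trimmed to one NS record and no additional section; not a captured frame
    header = struct.pack("!HHHHHH", 0x9F1C, 0x8180, 1, 2, 1, 0)
    question = encode_name("www.a.shifen.com") + struct.pack("!HH", 1, 1)
    ptr_www = b"\xc0\x0c"   # pointer to offset 12, where "www.a.shifen.com" starts
    ptr_a = b"\xc0\x10"     # pointer to offset 16, the "a.shifen.com" suffix of that name
    answers = b"".join(ptr_www + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
                       for ip in ("180.101.49.12", "180.101.49.11"))
    ns_rdata = b"\x03ns3" + ptr_a
    authority = ptr_a + struct.pack("!HHIH", 2, 1, 3600, len(ns_rdata)) + ns_rdata
    return header + question + answers + authority
```

To compare the parser with the dissector, export the bytes of the DNS layer of a captured frame from Wireshark (File > Export Packet Bytes) and pass them to `parse_message`; the `flags` dict lines up with the bit-by-bit breakdown Wireshark shows under "Flags".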
Message walkthrough
```
Domain Name System (query)
    Transaction ID: 0x9ad0                                           # transaction ID
    Flags: 0x0000 Standard query                                     # flags field of the message
        0... .... .... .... = Response: Message is a query           # QR field, value 0 because this is a request
        .000 0... .... .... = Opcode: Standard query (0)             # Opcode field, value 0 because this is a standard query
        .... ..0. .... .... = Truncated: Message is not truncated    # TC field
        .... ...0 .... .... = Recursion desired: Don't do query recursively   # RD field
        .... .... .0.. .... = Z: reserved (0)                        # reserved field, value 0
        .... .... ...0 .... = Non-authenticated data: Unacceptable   # reserved field, value 0
    Questions: 1           # question count, one question here
    Answer RRs: 0          # answer resource record count
    Authority RRs: 0       # authoritative name server count
    Additional RRs: 0      # additional resource record count
```
Messages in the protocol exchange
```
Frame 5: 87 bytes on wire (696 bits), 87 bytes captured (696 bits) on interface wlp4s0, id 0
Ethernet II, Src: Chongqin_e1:18:a9 (40:23:43:e1:18:a9), Dst: HIWIFI_65:b0:40 (d4:ee:07:65:b0:40)
Internet Protocol Version 4, Src: 192.168.199.235, Dst: 192.168.199.1
User Datagram Protocol, Src Port: 36025, Dst Port: 53
Domain Name System (query)                                           # DNS protocol
    Transaction ID: 0x9f1c                                           # transaction ID number
    Flags: 0x0100 Standard query
        0... .... .... .... = Response: Message is a query           # DNS query
        .000 0... .... .... = Opcode: Standard query (0)             # opcode
        .... ..0. .... .... = Truncated: Message is not truncated    # truncation
        .... ...1 .... .... = Recursion desired: Do query recursively   # recursion desired
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data: Unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        www.a.shifen.com: type A, class IN
            Name: www.a.shifen.com
            [Name Length: 16]
            [Label Count: 4]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
    [Response In: 6]

No.  Time          Source          Destination      Protocol  Length  Info
6    0.013373576   192.168.199.1   192.168.199.235  DNS       289     Standard query response 0x9f1c A www.a.shifen.com A 180.101.49.12 A 180.101.49.11 NS ns3.a.shifen.com NS ns4.a.shifen.com NS ns5.a.shifen.com NS ns1.a.shifen.com NS ns2.a.shifen.com A 61.135.165.224 A 220.181.33.32 A 112.80.255.253 A 14.215.177.229 A 180.76.76.95 OPT

Frame 6: 289 bytes on wire (2312 bits), 289 bytes captured (2312 bits) on interface wlp4s0, id 0
Ethernet II, Src: HIWIFI_65:b0:40 (d4:ee:07:65:b0:40), Dst: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)
Internet Protocol Version 4, Src: 192.168.199.1, Dst: 192.168.199.235
User Datagram Protocol, Src Port: 53, Dst Port: 36025
Domain Name System (response)
    Transaction ID: 0x9f1c
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response        # DNS reply
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain   # non-authoritative answer
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries   # the server supports recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 2
    Authority RRs: 5
    Additional RRs: 6
    Queries
        www.a.shifen.com: type A, class IN
            Name: www.a.shifen.com
            [Name Length: 16]
            [Label Count: 4]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Answers
        www.a.shifen.com: type A, class IN, addr 180.101.49.12
        www.a.shifen.com: type A, class IN, addr 180.101.49.11
    Authoritative nameservers
        a.shifen.com: type NS, class IN, ns ns3.a.shifen.com
        a.shifen.com: type NS, class IN, ns ns4.a.shifen.com
        a.shifen.com: type NS, class IN, ns ns5.a.shifen.com
        a.shifen.com: type NS, class IN, ns ns1.a.shifen.com
        a.shifen.com: type NS, class IN, ns ns2.a.shifen.com
    Additional records
        ns1.a.shifen.com: type A, class IN, addr 61.135.165.224
        ns2.a.shifen.com: type A, class IN, addr 220.181.33.32
        ns3.a.shifen.com: type A, class IN, addr 112.80.255.253
        ns4.a.shifen.com: type A, class IN, addr 14.215.177.229
        ns5.a.shifen.com: type A, class IN, addr 180.76.76.95
        <Root>: type OPT
    [Request In: 5]
    [Time: 0.013373576 seconds]
```
Summary