Domain Name System (DNS)

DNS is the system used to store and resolve information about domain names, including IP addresses, mail servers, and other records.

History

DNS was invented in 1982-1983 by Paul Mockapetris and Jon Postel.

Protocol dependencies

  • TCP/UDP: DNS uses UDP or TCP as its transport protocol. Most queries and replies are carried in single UDP datagrams; TCP is used for zone transfers (AXFR/IXFR) and when a reply is too large for a UDP datagram (the server returns a truncated reply with the TC bit set and the client retries over TCP). Over TCP, each DNS message is prefixed with a two-byte length field, so one message may span several TCP segments. The well known TCP/UDP port for DNS traffic is 53.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).

Wireshark

The DNS dissector is fully functional. Also add info on additional Wireshark features where appropriate, such as special statistics for this protocol.

Preference Settings

The DNS dissector has one preference: "Reassemble DNS messages spanning multiple TCP segments". As you might have guessed, this takes a DNS request or reply that has been split across multiple TCP segments (DNS over TCP prefixes each message with a two-byte length, so a message need not align with segment boundaries) and reassembles it back into one message. TCP Reassembly has to be enabled for this feature to work.

Example capture file

The SampleCaptures page has many DNS capture files.

Display Filter

A complete list of DNS display filter fields can be found in the display filter reference.

  • Show only the DNS based traffic:

     dns 

Capture Filter

You cannot directly filter DNS protocols while capturing if they are going to or from arbitrary ports. However, DNS traffic normally goes to or from port 53, and traffic to and from that port is normally DNS traffic, so you can filter on that port number.

  • Capture only traffic to and from port 53:

     port 53 

On many systems, you can say "port domain" rather than "port 53".

DNS servers that allow recursive queries from external networks (open resolvers) can be used to perform reflection/amplification denial of service (DDoS) attacks. You can look for external recursive queries with a filter such as

  udp port 53 and (udp[10] & 1 == 1) and src net not <net1> and src net not <net2> 

where <net1> and <net2> are network specifiers, such as 10.0.0.0/8. The UDP header is 8 bytes, so udp[10] is the third byte of the DNS message, i.e. the high byte of the flags field; its low bit is RD (Recursion Desired). Note that responses copy the RD bit from the query, so this filter also matches replies arriving from external servers. The QR bit (0x80 in the same byte) is clear for queries and set for responses, so additionally testing that bit, or restricting the filter to traffic sent to port 53 (udp dst port 53), limits the matches to queries.

Discussion

DNS (last edited 2008-04-12 17:50:37 by localhost)