Scapy: Detailed explanation of DNS data packets

DNS messages are either query requests or query responses, and both share essentially the same message structure. The DNS packet format is shown in the figure below.

[Figure: DNS packet format]

The figure above shows the DNS packet format. The six fields transaction ID, flags, question count, answer resource record count, authoritative name server count and additional resource record count make up the DNS message header, 12 bytes in total.

The DNS message is divided into three main parts: the basic structure (header) part, the question part, and the resource record part. The content and meaning of each part are described in detail below.

Basic structure part

The basic structure part of the DNS message refers to the message header, as shown in the figure.

[Figure: DNS message header]

The meaning of each field in this section is as follows.

  • Transaction ID: the ID of the DNS message. A request and its corresponding response carry the same value, so the field identifies which request a response belongs to.
  • Flags: the flags field of the DNS message.
  • Question Count: the number of entries in the question section.
  • Answer Resource Record Count: the number of answer resource records in the response.
  • Authoritative Name Server Count: the number of authoritative name server records.
  • Additional Resource Record Count: the number of additional records (for example the IP addresses of the authoritative name servers).


The flags field in the basic structure part is further divided into several subfields, as shown in the figure.

[Figure: layout of the DNS flags field]

In Scapy, a DNS packet normally carries a DNSQR (the question record the client sends) and, in the server's reply, one or more DNSRR (resource records). A DNSQR holds the queried domain name qname, the query type qtype and the query class qclass. A DNSRR holds the record name rrname, the record type type, the record class rclass, the TTL and so on.

Use Scapy's ls() function to view the structure of the DNS layer, as follows:

length     : ShortField (Cond)                   = None            ('None')
id         : ShortField                          = 0               ('0')
qr         : BitField  (1 bit)                   = 0               ('0')
opcode     : BitEnumField                        = 0               ('0')
aa         : BitField  (1 bit)                   = 0               ('0')
tc         : BitField  (1 bit)                   = 0               ('0')
rd         : BitField  (1 bit)                   = 1               ('1')
ra         : BitField  (1 bit)                   = 0               ('0')
z          : BitField  (1 bit)                   = 0               ('0')
ad         : BitField  (1 bit)                   = 0               ('0')
cd         : BitField  (1 bit)                   = 0               ('0')
rcode      : BitEnumField                        = 0               ('0')
qdcount    : DNSRRCountField                     = 0               ('None')
ancount    : DNSRRCountField                     = 0               ('None')
nscount    : DNSRRCountField                     = 0               ('None')
arcount    : DNSRRCountField                     = 0               ('None')
qd         : DNSQRField                          = None            ('None')
an         : DNSRRField                          = None            ('None')
ns         : DNSRRField                          = None            ('None')
ar         : DNSRRField                          = None            ('None')
 

The fields are explained as follows:

length:

        The length of the whole DNS message, excluding the two bytes taken by the length field itself. This field only exists in TCP request packets.

id:

        The ID of the DNS packet. The value of this field is the same for the request message and its corresponding response message. It can be used to distinguish which request the DNS response message responds to.

qr:

        Query/response flag. 0 means a query request; 1 means a response.

opcode:

        Operation code.

        0 is a normal DNS request (standard query), 1 is a reverse DNS request (inverse query), 2 is a server status request, 3 is unassigned, 4 is Notify, 5 is Update, and 6 to 15 are reserved.

aa:

        Authoritative answer. This field is meaningful in response messages. A value of 1 means the answering name server is authoritative for the name; 0 means it is not.

tc:

        Truncated. 0 means the message was not truncated; 1 means the response exceeded 512 bytes and was truncated, so only the first 512 bytes were returned.

rd:

        Recursion desired. This bit is set in the query and copied into the response. When it is 1, the name server is asked to resolve the query itself; this is called a recursive query. When it is 0 and the queried name server has no authoritative answer, it returns a list of other name servers that can answer the query; this is called an iterative query.

ra:

        Recursion available. This bit only appears in response messages. When it is 1, the server supports recursive queries.

z:

        Reserved bit. It must be 0 in all requests and responses.

ad:

        Authenticated data. 0 means the answering server has not validated the DNSSEC signatures related to the query; 1 means it has.

cd:

        Checking disabled. 0 indicates that the server validates the relevant DNSSEC signatures; 1 indicates that it does not.

rcode:

        Return code, indicating the error status of the response.

        0 means no error.

        1 is a format error (Format error): the server cannot understand the request message.

        2 is a server failure (Server failure): the server cannot process the request.

        3 is a name error (Name Error); it is only meaningful from an authoritative name server and means the queried domain name does not exist.

        4 means the query type is not supported (Not Implemented): the name server does not implement this kind of query.

        5 is Refused: the server refuses to answer because of its configured policy, for example because it does not want to answer certain requesters.

        6 means the domain name exists but should not.

        7 means the RR set exists but should not.

        8 means the RR set does not exist but should.

        9 means the server is not authoritative for this zone.

        10 means the name is not contained in the zone.

        11 to 15 are reserved.

        16 is a bad OPT version or an invalid TSIG signature.

        17 is an unrecognized key.

        18 means the signature is outside its time window.

        19 is a bad TKEY mode.

        20 is a duplicate key name.

        21 means the algorithm is not supported.

        22 is a bad truncation.

        23 to 3840 are reserved.

        3841 to 4095 are for private use.

        4096 to 65534 are reserved.

qdcount:

        The number of DNS lookup requests.

ancount:

        The number of answer resource records.

nscount:

        The number of authoritative name servers.

arcount:

        The number of additional records (the number of IP addresses corresponding to authoritative name servers).

qd:

        The question section; it takes a DNSQR instance.

an:

        The answer section of the DNS response; it takes a DNSRR instance.

ns:

        Authoritative name server section.

ar:

        Additional information section.
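As an added example (not code from the original post and not Scapy's own code), the following stdlib-only Python packs and unpacks the 12-byte header described above using Scapy's field names, wraps a message with the length prefix that the TCP form carries, and applies the checks a resolver makes before trusting a response (matching id and opcode, qr set, z clear, tc meaning retry over TCP); the sample header bytes are constructed for this example.

```python
import struct

# Constructed sample for this example: header of a response with id 0x1234, flags 0x8183
# (qr=1, opcode=0, aa=0, tc=0, rd=1, ra=1, z=0, ad=0, cd=0, rcode=3), qdcount=1, nscount=1.
SAMPLE_HEADER = bytes.fromhex("1234 8183 0001 0000 0001 0000")

# Bit positions of the single-bit flags inside the 16-bit flags word (opcode and rcode are 4 bits).
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "z": 6, "ad": 5, "cd": 4}

def parse_header(data):
    """Decode the 12-byte DNS header into a dict keyed by Scapy's DNS field names."""
    if len(data) < 12:
        raise ValueError("DNS header needs 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    fields = {"id": ident, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
              "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    for name, bit in FLAG_BITS.items():
        fields[name] = (flags >> bit) & 1
    return fields

def build_header(ident, qr=0, opcode=0, aa=0, tc=0, rd=1, ra=0, ad=0, cd=0, rcode=0,
                 qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a header; the reserved z bit is always emitted as 0."""
    flags = ((qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) | (rd << 8)
             | (ra << 7) | (ad << 5) | (cd << 4) | (rcode & 0xF))
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, nscount, arcount)

def tcp_frame(message):
    """DNS over TCP prefixes the message with its 2-byte length (the 'length' field in ls(DNS))."""
    return struct.pack("!H", len(message)) + message

def check_response(query, response):
    """Return the reasons a resolver would reject or retry this response (empty list = accept)."""
    problems = []
    if response["id"] != query["id"]:
        problems.append("id does not match the outstanding query")
    if response["qr"] != 1:
        problems.append("qr bit not set: this is not a response")
    if response["opcode"] != query["opcode"]:
        problems.append("opcode differs from the query")
    if response["z"] != 0:
        problems.append("reserved z bit is set")
    if response["tc"] == 1:
        problems.append("truncated: retry the query over TCP")
    return problems
```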

DNS record types

1. A record

        Select "A" as the record type and fill in the IP address of the host provided by the hosting provider as the record value. The MX priority does not need to be set, and the TTL can be left at the default 3600.

2. CNAME record

        A CNAME record is configured in basically the same way as an A record, except that the record type is changed to "CNAME" and the record value is the host address of the target server.

3. MX record

        MX records are used for mail resolution. Select MX as the record type; for the line type, select the general line, or add three records at the same time with the line types China Telecom, Netcom and Education Network. Fill in the server IP address or alias provided by the mail provider as the record value, leave the TTL at the default 3600, and set the MX priority to the value the mail provider requires, or the default 10. When there are multiple MX records, their priorities should be set to different values.

        These record types are the values carried in DNSQR.qtype and DNSRR.type.

DNSQR class resolution

This class contains the following

qname:

        Query name, generally the domain name being queried, or sometimes an IP address for a reverse lookup, for example www.sina.com. It consists of a sequence of one or more labels: each label is preceded by a one-byte count giving its length, and the name ends with a zero byte. Each count must be between 0 and 63. This field needs no padding bytes.
qtype:

        The resource type requested by the query. Usually this is type A, which maps a domain name to its IP address. See the record types above for details.
qclass:

        Query class, usually the Internet class, with a value of 1.

DNSRR class resolution

This class contains the following

rrname:

       Domain name: the name that was requested in the DNS query, i.e. the qname of the DNSQR that was sent.

type:

       The resource record type, the same as the query type in the question section, i.e. the qtype of the DNSQR that was sent.

rclass:

        Address type, same as query class value in question section.

ttl:

        Time to live, in seconds: the lifetime of the resource record. A resolver uses it to decide how long a fetched record may be cached and reused. It also hints at the stability of the record; stable information is given a large value.

rdlen:

        The length of the resource data.

data:

        The data part of the record, whose format depends on the type; it holds the resource data returned for the question. For example, the IPv4 address in an A record, or the mail host name and its priority in an MX record.
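As an added example (not code from the original post or from Scapy) covering both the DNSQR fields above and the DNSRR fields in this section, the following stdlib-only Python decodes the question and answer sections of a raw response, including the length-counted labels of qname (each count 0 to 63, terminated by a zero byte) and the compression pointers that rrname commonly uses to refer back to the question; the response bytes are constructed, and the dict keys mirror Scapy's field names so the result can be compared with DNS(raw_bytes) in Scapy.

```python
import struct

# Constructed sample: response id 0xabcd with flags 0x8180 (qr=1, rd=1, ra=1, rcode=0), one question
# and one A answer whose rrname is the pointer 0xc00c back to the qname at offset 12.
SAMPLE_RESPONSE = (bytes.fromhex("abcd 8180 0001 0001 0000 0000")                       # header
                   + b"\x03www\x07example\x03com\x00" + bytes.fromhex("0001 0001")    # qname, qtype=A, qclass=IN
                   + bytes.fromhex("c00c 0001 0001 00000e10 0004 5db8d822"))           # ptr, A, IN, ttl 3600, rdlen 4, rdata

def read_name(msg, offset, depth=0):
    """Decode a label sequence starting at offset; return (dotted name, offset after it)."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past the end of the message")
        count = msg[offset]
        if count == 0:                       # a zero byte terminates the name
            return ".".join(labels), offset + 1
        if count & 0xC0 == 0xC0:             # compression pointer to a name earlier in the message
            if depth > 5 or offset + 2 > len(msg):
                raise ValueError("bad or looping compression pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr, depth + 1)
            return ".".join(labels + ([tail] if tail else [])), offset + 2
        if count > 63:                       # label counts must be between 0 and 63
            raise ValueError("label longer than 63 bytes")
        labels.append(msg[offset + 1:offset + 1 + count].decode("ascii"))
        offset += 1 + count

def parse_response(msg):
    """Parse the header counts, then every DNSQR in qd and every DNSRR in an."""
    ident, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    offset, qd, an = 12, [], []
    for _ in range(qdcount):
        qname, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        qd.append({"qname": qname, "qtype": qtype, "qclass": qclass})
    for _ in range(ancount):
        rrname, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) != rdlen:              # rdlen claims more bytes than the message holds
            raise ValueError("rdlen exceeds the message")
        offset += rdlen
        if rtype == 1 and rdlen == 4:        # A record: rdata is a 4-byte IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        an.append({"rrname": rrname, "type": rtype, "rclass": rclass, "ttl": ttl, "rdata": rdata})
    return {"id": ident, "rcode": flags & 0xF, "qd": qd, "an": an}
```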


Origin blog.csdn.net/m0_71713477/article/details/128688373