当前位置：网站首页>1.6.3 use tcpdump to observe DNS communication process

1.6.3 use tcpdump to observe DNS communication process

2022-06-25 05:19:00 【Halya】

Use tcpdump Observe DNS Communication process

Preface
DNS working principle
linux Next visit DNS service
The experiment begins
Datagram information

Preface

This article is the author's reading notes , Please do not reprint without permission . If it helps you, remember to praise it (●’◡’●)
This experiment is linux The second experiment of high performance server programming , Difficulty is not great , To consolidate tcpdump Some common knowledge of .

DNS working principle

We usually use the domain name of the machine to access this machine , Instead of using it directly IP Address . Domain name converted to IP The address needs to use the domain name query service . There are many ways to implement domain name query service , such as NIS(Network Information Service, network information service )、DNS And local static files .
DNS Is a set of distributed domain name service system . Every DNS A large number of machine names and... Are stored on the server IP Address mapping , And it's dynamically updated . Many network client programs use DNS Agreement to DNS The server queries the IP Address

linux Next visit DNS service

To visit DNS service , You have to know DNS Server's IP Address .
linux Use /etc/resolv.conf File to store DNS Server's IP Address .

[email protected]:/# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53
options timeout:2 attempts:3 rotate single-request-reopen

The data in Alibaba cloud server is different
Next through host Command to use DNS Protocol and server communication .

[email protected]:/# host -t A wwww.baidu.com
wwww.baidu.com is an alias for ps_other.a.shifen.com.
ps_other.a.shifen.com has address 220.181.38.251
ps_other.a.shifen.com has address 220.181.38.148

among -t Options tell DNS Which query type does the protocol use . What we're using here is A type , That is, get its name through the domain name of the machine IP Address （ But in fact, the returned resource record also contains the alias of the machine ）.

The experiment begins

Open two terminals on the server , A test terminal and a monitoring terminal

Monitoring terminal

[email protected]:~# tcpdump -i eth0 -nt -s 0 port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

-i Specify the network interface to listen to , The network interface passes through ifconfig Generally speaking, it is eth0,-n Specify that the domain name in each listening packet is converted to IP The address is displayed after , Do not convert network address to name ,-t Do not print timestamps ,“-s snaplen” snaplen Indicates the number of bytes to be stamped from a packet .0 Indicates that the package is not truncated , Grasp the complete data package , Actually 500 That's enough. , You can see “capture size 262144 bytes” Is the full packet size . By default tcpdump Show only some packets , Default 68 byte .
“port domain” Indicates that only crawl is used domain（ domain name ） Service packets , namely DNS Query and response message .

Test terminal

[email protected]:/# host -t A wwww.baidu.com
wwww.baidu.com is an alias for ps_other.a.shifen.com.
ps_other.a.shifen.com has address 220.181.38.148
ps_other.a.shifen.com has address 220.181.38.251

The explanation of this has already been mentioned above

Monitoring terminal

[email protected]:~# tcpdump -i eth0 -nt -s 0 port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 172.17.128.254.42357 > 100.100.2.136.53: 62792+ A? ps_other.a.shifen.com. (39)
IP 100.100.2.136.53 > 172.17.128.254.42357: 62792 2/0/0 A 220.181.38.148, A 220.181.38.251 (71)
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
[email protected]:~#

These two packets begin “IP” Pointed out that , What follows them is IP The datagram （ Datagram is the basic unit of data transmitted over the network , Contains a header （header） And the data itself , The header describes the destination of the data and the relationship with other data .）

tcpdump With “IP Address . Port number ” To describe one end of the communication ： With “>” Indicates the direction of data transmission ,“>” The front is the source side , Then there is the destination .

The first packet is the server's preferred DNS Sent by the server DNS Query message （ Target port 53 yes DNS The port used by the service ）. The number 62792 yes DNS Query the identification value of the message , So this value also appears in DNS In the response message .“+” Indicates the enable recursive query flag .“A?” Said the use of A Type of query .“ps_other.a.shifen.com.” It is DNS Query name in query question . Values in parentheses 39 yes DNS Query the length of the message （ In bytes ）.

The second packet is fed back by the server DNS Reply message .“2/0/0” Express 2 Response resource records 、0 Authorized resource records and 0 Additional information records .“A 220.181.38.148, A 220.181.38.251” Express 2 The contents of a response resource record .A Indicates that the following record is IP Address . The message length 71.