Wireshark 101: The Domain Name System, HakTip 129

Wireshark 101: The Domain Name System, HakTip 129

Hak5 — Cyber Security Education, Inspiration, News & Community since 2005:
____________________________________________
Today on HakTip, Shannon explains the DNS protocol, or Domain Name System, and how it pertains to use in Wireshark.

DNS (Domain Name System) is the reason why when you type in a website like google.com, it goes to their IP address. This way you don’t have to memorize a bunch of numbers to take you where you wanna go on the internet. To view all the different type of DNS traffic you might run into, go to this site to see more.
Whenever you look at a DNS packet, you’ll run into a bunch of information. First we have a DNS ID Number to associate queries with responses, then whether it’s a query or a response. Next is an OpCode (what type of query it is), and Authoritative Answers (if the response packet is from a name server). Next is TC for Truncation if the response is too big to fit in a packet, and RD for Recursion Desired, which means the name server will support recursive queries. Z stands for Reserved, usually set to all zeros, but can be used by the RCode field below it as an extension. Response Code shows you any errors, Question count show you the number of entries in the “Question” section, Answer count is the same for answers, and Name server count shows you the number of name server resource records found in the authority section, if available.
Add’tl records count shows you the number of other resource records in the Addit’l info section, Questions has queries that will be sent to the DNS server, Answers will answer queries, authority is a section that will have resource records for authoritative name servers used to continue the resolution process, and lastly is the addit’l info section.
That’s a lot of sections!
DNS is also a question/response format, similar to other protocols. The client asks for an IP address from the DNS server, the server sends back info as a response. In it’s simplest form, DNS only has two packets. You’ll see a few different Resource Record Types whenever you look at one of these packets including A for an IPv4 host address, NS for a name server, TXT for a text string, and so on. More can be found by checking the IANA site.
Now for some more info on recursion. This happens when the DNS server acts like a client to further on the packet in order to find an IP address of an outside site, like when you visit google.com or hak5.org. Under the recursion desired label, it’ll say “Do query recursively”. If the DNS server doesn’t know which IP belongs to a www site, it’ll continue on the packet to another DNS server. Depending on where the sites server is located, the query can travel through many DNS servers until it finds the correct IP and sends it back to you.
Lastly, lets talk a bit about Zones. Hak5 has a bunch of different DNS servers for our stuff, like hak5.org is on a DNS server, and our email is on another server, and we have another DNS server set up to maintain a copy of Hak5.org… and so on. These servers are called zones, and they are the authorities for the sub-domains. A Zone Transfer might occur if a company like Hak5 wants to keep the domain redundant on another server. There can be a Full Zone Transfer or a Incremental Zone Transfer, either meaning the entire zone is transferred, or just parts of it. Zone Transfers run on TCP over UDP, with DNS, because of the size of the packet- TCP ends up being more reliable. In Wireshark, this would be seen under Type: stating it as a AFXR or Full Zone Transfer.
Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.

-~-~~-~~~-~~-~-
Please watch: “Bash Bunny Primer – Hak5 2225”

-~-~~-~~~-~~-~-
____________________________________________
Founded in 2005, Hak5’s mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community – where all hackers belong.

15 Comments

  1. Simba on February 28, 2021 at 12:13 am

    yikes



  2. Jørgen Asmussen on February 28, 2021 at 12:18 am

    Remember that DNS is a non-encrypted sidechannel, that leaks information about your browsing around, even if you use https everywhere, and without DNSSEC, it is also easily forgeable and is often being forged for captive walls and the likes.



  3. Thorsummoner0 on February 28, 2021 at 12:40 am

    Hehe, Hipchat is garbage compared to Skype, and is nothing compared to Slack.com (I’ve been there, Slack rules.)



  4. Mario Hartson on February 28, 2021 at 12:40 am

    Awesome video as always



  5. G on February 28, 2021 at 12:42 am

    Will your videos help with the Wireshark certification? If not, what do  you recommend? Thanks



  6. Morwic on February 28, 2021 at 12:43 am

    nice DNS breakdown 🙂



  7. garg mayank on February 28, 2021 at 12:47 am

    #.Very nice representation in all videos of wireshark-101. I have watched all 15 videos in this series  and liked much and learnt more.
    #. I want to say a special thanks to Ms. Snannon Morse.



  8. harshverdhan singh on February 28, 2021 at 12:48 am

    thanx for providing an informative sessions



  9. Zumerjud on February 28, 2021 at 12:54 am

    Very informative, thanks 🙂



  10. Abel Paz on February 28, 2021 at 12:57 am

    This channel has made my day, been struggling with some packet captures for a coursework, now I have everything a bit clearer after watching this video, +1!



  11. Brian Young on February 28, 2021 at 12:59 am

    Wow, I was just checking in with you folks, been a long time since I’ve been able to watch, but yea…, the information provided on WireShark is just the basic and is AWESOME! I have my girls watching it because they want to "learn to do what daddy does." So thank you for the great tutorial, it’s making this much easier for me just because they see another young lady presenting the information. You guys and gals ROCK!



  12. GanjaBear29 on February 28, 2021 at 1:00 am

    How has no one commented on those boobies. -First non-gay!



  13. Syed Amir Azhar on February 28, 2021 at 1:05 am

    Some lab examples of dns attacks would be much appreciated 😀



  14. Ibrahim alain on February 28, 2021 at 1:05 am

    Thanks 🙂



  15. Mohammad Selim Miah on February 28, 2021 at 1:08 am

    Awesome tutorial. Many thanks