
Explanation of DNS working principle

2025-01-29 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

We usually access a target machine by its domain name rather than by its IP address directly, so what is the translation relationship between the domain name and the IP address? To understand that relationship we have to look at the domain name query service. A domain name query service can be implemented in many ways, such as NIS (Network Information Service), DNS, and local static files. This time we will mainly talk about DNS.

1. Detailed explanation of DNS request / response message

DNS is a distributed domain name service system. Each DNS server stores a large number of mappings between domain names and IP addresses, and these mappings are updated dynamically. Many network client programs use the DNS protocol to ask a domain name server for the target IP address. The format of the DNS query and reply message is shown below:

    0                         15 16                         31
   +----------------------------+----------------------------+
   | 16-bit identification (ID) | 16-bit flags               |
   +----------------------------+----------------------------+
   | 16-bit query record count  | 16-bit response record     |
   |                            | count                      |
   +----------------------------+----------------------------+
   | 16-bit authorization       | 16-bit additional record   |
   | record count               | count                      |
   +----------------------------+----------------------------+
   | Query record information (variable length)              |
   +---------------------------------------------------------+
   | Response record information (variable length)           |
   +---------------------------------------------------------+
   | Authorization record information (variable length)      |
   +---------------------------------------------------------+
   | Additional record information (variable length)         |
   +---------------------------------------------------------+

The 16-bit identification field marks a pair of query / reply messages: the client uses it to determine which of its query messages a returned reply belongs to.

The 16-bit flag field is used to negotiate the communication mode and to return the communication status. The layout of the flag field in the DNS header is shown below:

    0    1        4   5    6    7    8    9       11  12      15
   +----+----------+----+----+----+----+-----------+-----------+
   | QR |  opcode  | AA | TC | RD | RA |   zero    |   rcode   |
   +----+----------+----+----+----+----+-----------+-----------+
    1    4 bits     1    1    1    1    3 bits      4 bits

The meanings of each identifier are:

QR: query / reply flag. 0 identifies a query, 1 identifies a reply.

Opcode: defines the type of query or response. 0 identifies a standard query, 1 identifies a reverse query (querying a domain name based on an IP address), and 2 identifies a server status request.

AA: authorization server flag, used in replies. 1 identifies that the replying domain name server is an authorization (authoritative) server for the queried domain.

TC: truncation flag, used only when DNS messages are carried over UDP. Because a UDP packet has a length limit, a message that is too long is truncated. 1 indicates that the length of the DNS message exceeded 512 bytes and the message was truncated.

RD: recursion desired flag. 1 requests a recursive query, that is, if the DNS server cannot resolve a hostname itself, it continues to query other DNS servers until it resolves the target hostname and returns the result to the client. 0 requests an iterative query, that is, when the DNS server cannot resolve the target host, it returns the IP addresses of other DNS servers to the client for reference.

RA: recursion available flag. This field is used in reply messages, and 1 identifies that the DNS server supports recursive queries.

Zero: defaults to 0; this is a reserved field.

Rcode: 4-bit return code that identifies the reply status. Common values are 0 (no error) and 3 (domain name does not exist).

The next four fields give the number of resource records in the last four sections of the DNS message. A query message generally contains one query question, while its numbers of response records, authorization records, and additional records are 0. A reply message contains at least one response record, while its numbers of authorization records and additional records can be 0 or non-zero.

The query question format is as follows:

    0                         15 16                         31
   +----------------------------+----------------------------+
   | Query name (variable length)                            |
   +----------------------------+----------------------------+
   | 16-bit query type          | 16-bit query class         |
   +----------------------------+----------------------------+

The query name encapsulates the host domain name to be queried in a certain format. The 16-bit query type indicates how to perform the query operation, and the common query types are as follows:

Type A: the value is 1, which means to get the IP address of the target host.

Type CNAME: the value is 5, which means to get the alias of the target host.

Type PTR: the value is 12, which represents a reverse query.

The 16-bit query class is usually 1, which means to obtain an Internet address (IP address).

The reply field, authorization field, and additional fields all use the resource record format. The resource record format is as follows:

    0                         15 16                         31
   +----------------------------+----------------------------+
   | 32-bit domain name                                      |
   +----------------------------+----------------------------+
   | 16-bit type                | 16-bit class               |
   +----------------------------+----------------------------+
   | 32-bit lifetime                                         |
   +----------------------------+----------------------------+
   | 16-bit resource record     | Resource data              |
   | data length                | (variable length)          |
   +----------------------------+----------------------------+

The 32-bit domain name in the table is the name corresponding to the resource in the record, and its format is the same as that of the query name in the query record. The 16-bit type and 16-bit class have the same format as the corresponding fields of the query record.

The 32-bit lifetime (time to live) indicates how long, in seconds, the client may cache the result of this query record.

The 16-bit resource record data length and the content of the resource data field depend on the type field. For type A, the resource data is a 32-bit IPv4 address, and the resource record data length is 4 (in bytes).
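The layouts above in working code, as an added example that is not part of the original article: it builds a type A query with the header and question fields described, splits the 16-bit flag field into QR/opcode/AA/TC/RD/RA/rcode, and parses a constructed reply whose CNAME and A records use name compression (a length byte with its top two bits set is a 14-bit pointer back into the message). The reply bytes, the 300-second TTL and the 192.0.2.x addresses are constructed sample data, not captured traffic.

```python
import struct  # added example (not the article's code): the DNS layouts above, in bytes

def encode_name(name):  # length-prefixed labels, terminated by a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name, ident=0x1234, qtype=1):
    # header: ID, flags with only RD set, QDCOUNT=1, other counts 0; then one question (class IN)
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_flags(f):  # QR(1) opcode(4) AA(1) TC(1) RD(1) RA(1) zero(3) rcode(4)
    return {"QR": f >> 15, "opcode": (f >> 11) & 0xF, "AA": (f >> 10) & 1, "TC": (f >> 9) & 1,
            "RD": (f >> 8) & 1, "RA": (f >> 7) & 1, "rcode": f & 0xF}

def read_name(msg, off):
    # a length byte with both top bits set is a 14-bit pointer (compression): follow it, but the caller's cursor advances by 2
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def parse_reply(msg):
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):                        # skip each question: name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    for _ in range(an):                        # answer RRs: name, type, class, TTL, rdlen, rdata
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = off + 10, off + 10 + rdlen
        if rtype == 1 and rdlen == 4:          # A: rdata is a 32-bit IPv4 address
            value = ".".join(str(b) for b in msg[rdata:rdata + 4])
        else:                                  # CNAME (5): rdata is a name, possibly compressed
            value = read_name(msg, rdata)[0]
        answers.append((name, rtype, ttl, value))
    return {"id": ident, "flags": parse_flags(flags), "answers": answers}

def build_sample_reply():  # constructed, not captured: one CNAME plus two A records
    q = encode_name("www.baidu.com") + struct.pack("!HH", 1, 1)
    cname = encode_name("www.a.shifen.com")
    rr1 = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(cname)) + cname  # name -> offset 12
    ptr = struct.pack("!H", 0xC000 | (12 + len(q) + 12))                      # -> the CNAME rdata
    a_rr = lambda ip: ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(ip)
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0) + q + rr1 + a_rr([192, 0, 2, 10]) + a_rr([192, 0, 2, 11])
```

Sending `build_query("www.baidu.com")` over UDP to port 53 of a resolver and passing the datagram that comes back to `parse_reply` yields the same kind of CNAME-plus-A answer the host command prints later in this article.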

So far, we have briefly introduced the DNS protocol. Next we will look at a specific example of DNS communication.

2. Access DNS service under Linux

To access the DNS service, we must first know the IP address of the DNS server. Linux stores the IP address of the DNS server in the /etc/resolv.conf file. On Ubuntu, the file reads as follows:

The first IP address represents the DNS server address.

A commonly used client program for accessing the DNS server on Linux is host. For example, the following command queries the DNS server 127.0.0.1 for the IP address of the machine www.baidu.com:

The output of the host command tells us that the machine name www.baidu.com is an alias for www.a.shifen.com and that the alias corresponds to two IP addresses. The host command uses the DNS protocol to communicate with the DNS server, and its -t option selects which query type to use. We are using type A here, that is, obtaining the IP address of the machine from its domain name (although the alias of the machine is also included in the returned resource records). For more information on how to use the host command, please refer to the man manual.

3. Use TCPDUMP to observe the process of DNS communication

In order to see the DNS communication process clearly, we will run the host command from Ubuntu to query the IP address of the host www.baidu.com, and use tcpdump to capture the packets of Ethernet frames transmitted on the LAN during this process. The specific actions are as follows:

When capturing packets with tcpdump this time, we use "port domain" as the filter, meaning that only packets of the domain name service, that is, DNS query and reply messages, are captured. The output of tcpdump is as follows:

The "IP" at the beginning of these two packets indicates that what follows describes an IP datagram. Tcpdump describes each end of the communication in the form "IP address.port number"; the direction of data transmission is indicated by ">", which is preceded by the source side and followed by the destination side. The first packet is the DNS query message sent by the test machine Ubuntu (the IP address is 192.168.48.2.53) (destination port 53 is the port used by the DNS server, as described earlier), and the second packet is the DNS reply message returned by the server.
