DNS Analysis and Solutions

Preface

A packet example from the Sharkfest Packet Challenge. Sharkfest is an annual conference organized by Wireshark, dedicated to sharing knowledge, experience, and best practices among Wireshark developers and user communities . I remember that it was held once a year in the early days, but in recent years it has become twice a year, one in the United States and one in other regions, such as Europe or Asia. Packet Challenge is one of the more interesting activities in the conference. Through a series of packet examples, participants can perform analysis challenges and test their comprehensive analysis capabilities.

Topic Information

This case is the first question PAY ME NOW in the Sharkfest 2015 Packet Challenge , and the packet trace file is dnsing.pcapng .

The main description is as follows:

  1. What IP address(es) are resolved for www.paypal.com?
  2. What is the largest DNS TTL value seen in the trace file?
  3. Which DNS response transaction ID contained the largest number of Answer RRs?
  4. What is the largest DNS response time seen in this trace file?
  5. What company distributes many of PayPal’s web pages?

Packet information

The basic information of the packet trace file is as follows:

Captured directly via Wireshark on a Windows 8 system, without truncation, the number of captured packets was 141, the capture duration was 272.4 seconds, and the average rate was 449 bps.

Packet Analysis

Expand the data packet file information, as shown below. You can see that they are basically DNS protocol packets, or you can dnssimply filter out 125 DNS protocol packets by displaying the filter expression.

1. What IP address(es) are resolved for www.paypal.com?

You need to find out the IP address that http://www.paypal.com resolves to.


Analysis steps

Because the DNS response packet usually contains Queriesand Answers, that is, the queried domain name and the IP information of the response domain name.

You can filter by the following display filter expressions.

(dns.qry.name == "www.paypal.com") && dns.a

Display the filtered data frame Infocolumn information:

DNS Analysis and Solutions

Of course, Tshark can also complete the above work:


Analyze the answer

http://www.paypal.comThe resolved IPs are: 23.13.82.234 and 23.196.228.157

2. What is the largest DNS TTL value seen in the trace file?

Find the maximum DNS TTL value in the packet trace file.

Analysis steps

The DNS TTL value also exists in the DNS response data packet Answersinformation. Due to CNAME, there will be multiple TTL values ​​in the same data frame.

You can filter by displaying filter expressions. Of course, Wireshark only filters out packets with this value. How do you determine the maximum value? This may be more intuitive through Tshark.

dns.resp.ttl

Filter out all packets with DNS TTL value.

Processing, deduplication, sorting, etc.


Analyze the answer

Maximum DNS TTL value in packet trace files: 7196.

3. Which DNS response transaction ID contained the largest number of Answer RRs?

Find the DNS response transaction ID that contains the largest number of Answer RRs.

Analysis steps

Both the DNS response Transaction IDand Answer RRsfield values ​​can be found in the information below.

You can add two columns, and , Packet Listin the view . The fields are as follows:Transaction IDAnswer RRsdns.iddns.count.answers

Reorder Answer RRscolumns, largest to smallest

The above work can also be done using Tshark:


Analyze the answer

The DNS response transaction ID containing the largest number of Answer RRs is 0x9ab9.

4. What is the largest DNS response time seen in this trace file?

What is the maximum DNS response time in the packet trace file.

Analysis steps

DNS response duration is the time interval between query and response, and is generally used as a DNS performance indicator. This field dns.timedoes not actually exist in the data packet, but is identified by Wireshark context parsing and is represented by [ ].

You can Packet Listadd DNSTimecolumns to the view, with fields dns.timeas follows:

The DNS query packets in this packet 

trace file are retransmitted, so the maximum response time mentioned above is the time difference associated with the first request packet.

Analyze the answer

Maximum DNS response time in the packet trace file: 3.044056000 seconds.

5. What company distributes many of PayPal’s web pages?

Which company distributes many of the PayPal Web pages?

Analysis steps

From the DNS response, it can be seen that there are many CNAME resolutions, using CDN related technologies. Simply (dns.qry.name contains "paypal" ) && (dns.flags.response == 1)filter out the values ​​with paypal related words in the response data packet through the display filter expression, and then dns.resp.nameprocess according to the field value, mainly as follows:

I haven’t done much research on foreign CDNs. Combining the results shown above, I searched on Baidu and found that the CDN used should be Akamai ‘s CDN.

I don’t have a deep understanding of this problem, and I’m not sure whether it needs further processing or there is a better way.


Analyze the answer

Which company distributes many of the PayPal Web pages: Akamai.