CS 305 Lab Tutorial Lecture 5 DNS (Solution)

Dept. Computer Science and Engineering
Topic
• DNS
– DNS Message Structure
– DNS Message Header
– RR in DNS
• EDNS (aka. Extension mechanisms for DNS)
– DNSSEC
• DNS Resolver
Part A.1 Domain Name System
• DNS is a distributed database.

Recursive/Iterative Query

RFC 1035 Local Resolver
Domain Names – Implementation And Specification
• Most machines have a local resolver that handles domain name requests and maintains a cache of query results.

Part A.2 DNS Message Structure

https://www.nslookuptool.com/chs/
A query message of DNS
nslookup www.baidu.com

“udp port 53” can be used as a capture filter
A response message of DNS
nslookup www.baidu.com

“udp port 53” can be used as a capture filter
IANA Reference: https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml
RFC 2929 DNS Message Headers
Domain Name System (DNS) IANA Considerations
• A QR bit of 0 indicates the message is a query; otherwise it is a response.
• OpCode 0 indicates a standard query.
• AA, TC, RD, RA, AD, CD stand for Authoritative Answer, Truncated, Recursion Desired, Recursion Available, Authenticated Data, Checking Disabled.
• Z is a reserved flag.
Example Structure Code in C:
// DNS header structure
// Note: this bit-field order matches the wire format only when the compiler
// allocates bit-fields from the least significant bit (typical little-endian
// targets). The 16-bit fields are in network byte order on the wire.
struct DNS_HEADER {
    unsigned short id;          // identification number

    unsigned char rd :1;        // recursion desired
    unsigned char tc :1;        // truncated message
    unsigned char aa :1;        // authoritative answer
    unsigned char opcode :4;    // purpose of message
    unsigned char qr :1;        // query/response flag

    unsigned char rcode :4;     // response code
    unsigned char cd :1;        // checking disabled
    unsigned char ad :1;        // authenticated data
    unsigned char z :1;         // reserved
    unsigned char ra :1;        // recursion available

    unsigned short q_count;     // number of question entries
    unsigned short ans_count;   // number of answer entries
    unsigned short auth_count;  // number of authority entries
    unsigned short add_count;   // number of resource entries
};
Decode Message Header in Python
import struct

class DNSHeader:
    # Six big-endian 16-bit fields: ID, flags, QDCount, ANCount, NSCount, ARCount
    Struct = struct.Struct('!6H')

    def __init__(self):
        self.__dict__ = {field: None for field in (
            'ID', 'QR', 'OpCode', 'AA', 'TC', 'RD', 'RA', 'Z', 'RCode',
            'QDCount', 'ANCount', 'NSCount', 'ARCount')}

    def parse_header(self, data):
        # Unpack the fixed 12-byte header; misc holds the 16 flag bits
        (self.ID, misc, self.QDCount, self.ANCount,
         self.NSCount, self.ARCount) = DNSHeader.Struct.unpack_from(data)
        self.QR = (misc & 0x8000) != 0
        self.OpCode = (misc & 0x7800) >> 11
        self.AA = (misc & 0x0400) != 0
        self.TC = (misc & 0x200) != 0
        self.RD = (misc & 0x100) != 0
        self.RA = (misc & 0x80) != 0
        self.Z = (misc & 0x70) >> 4  # Never used
        self.RCode = misc & 0xF

    def __str__(self):
        return '<DNSHeader {}>'.format(str(self.__dict__))
Part A.3 RR in DNS
RRs of Answers
nslookup www.baidu.com

RRs of authoritative name servers
nslookup www.baidu.com

RRs of Additional records
nslookup www.baidu.com

Part B.1
EDNS (aka. Extension mechanisms for DNS)
EDNS: a backward-compatible mechanism for allowing the DNS protocol to grow.
– The Domain Name System’s wire protocol includes a number of fixed fields whose range has been or soon will be exhausted, and it does not allow clients to advertise their capabilities to servers.
– DNS (see [RFC1035]) specifies a Message Format and within such messages there are standard formats for encoding options, errors, and name compression. The maximum allowable size of a DNS Message is fixed.
– Many of DNS’s protocol limits are too small for uses which are or which are desired to become common. There is no way for implementations to advertise their capabilities.
https://tools.ietf.org/html/rfc2671
EDNS
One OPT pseudo-RR can be added to the additional data section of either a request or a response. An OPT is called a pseudo-RR because it pertains to a particular transport level message and not to any actual DNS data.
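An added example (not part of the original slides): how the OPT pseudo-RR sits in the additional section on the wire and how a parser recognises it. The function names and the sample query are constructed for illustration; the DO flag decoded here is the one that dig +dnssec sets.

```python
import struct

TYPE_OPT = 41  # type code of the OPT pseudo-RR

def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b''
    for label in name.rstrip('.').split('.'):
        out += bytes([len(label)]) + label.encode('ascii')
    return out + b'\x00'

def build_query(name, qtype=1, udp_size=4096, do=True, msg_id=0x1234):
    """Constructed sample: a query with RD set and one OPT RR (ARCOUNT = 1)."""
    header = struct.pack('!6H', msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack('!2H', qtype, 1)
    # OPT reuses the RR fields: NAME = root, CLASS = sender's UDP payload size,
    # TTL = extended RCODE (8 bits) | version (8 bits) | flags (DO is the top flag bit)
    ttl = 0x8000 if do else 0
    opt = b'\x00' + struct.pack('!HHIH', TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt

def skip_name(data, pos):
    """Return the offset just past the name at pos (a compression pointer ends it)."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def find_opt(data):
    """Return the EDNS parameters of the OPT RR, or None if the message has none."""
    _, _, qd, an, ns, ar = struct.unpack_from('!6H', data)
    pos = 12
    for _ in range(qd):
        pos = skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(data, pos)
        rtype, rclass, ttl, rdlen = struct.unpack_from('!HHIH', data, pos)
        pos += 10 + rdlen
        if rtype == TYPE_OPT:
            return {'udp_size': rclass, 'ext_rcode': ttl >> 24,
                    'version': (ttl >> 16) & 0xFF, 'do': bool(ttl & 0x8000)}
    return None
```

A message with no OPT record in any section is a plain RFC 1035 message; find_opt returns None for it.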
Using dig to test EDNS
• dig is a flexible tool for interrogating DNS name servers.
– It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried.
– Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output.

BIND is a toolset that includes dig as a component.
BIND can be obtained from http://www.isc.org/downloads/
Using dig
A typical invocation of dig looks like:
dig @server name type
where:
server is the name or IP address of the name server to query. This can be an IPv4 address in dotted-decimal notation or an IPv6 address in colon-delimited notation. When the supplied server argument is a hostname, dig resolves that name before querying that name server.
name is the name of the resource record that is to be looked up.
type indicates what type of query is required: ANY, A, MX, SIG, etc. type can be any valid query type. If no type argument is supplied, dig will perform a lookup for an A record.
Using dig to test EDNS

Part B.2 DNSSEC
Domain Name System Security Extensions
• A security mechanism designed to counter DNS spoofing and cache pollution.
• By using cryptography, the DNS resolver can verify whether the reply it receives comes from the real server or was tampered with during transmission.
DNSSEC using EDNS(1)
dig @8.8.8.8 pixiv.net +dnssec

DNSSEC using EDNS(2)
dig @8.8.8.8 pixiv.net +dnssec

Part C DNS resolver RFC 1035 Local Resolver
Domain Names – Implementation And Specification
• Most machines have a local resolver that handles domain name requests and maintains a cache of query results.

Using dns.resolver in Python
Using pip to install dnspython
– pip is the package installer for Python. You can use pip to install packages from the Python Package Index and other indexes.

• A demo of using the query method of dns.resolver
If ‘pip’ is not installed on your computer, get it from https://pypi.org/project/pip/
For more information about dnspython, see https://pypi.org/project/dnspython/
lab 5
• Please finish the lab according to this file
– submit the report of lab 5 based on the lab report template.
– submit your source code in a zip file. (5.3.zip)
• Comments are a MUST
• DO NOT copy and paste any existing source code of a DNS resolver
lab 5.1
• Make a DNS query that invokes EDNS0
– Screenshot of this command and its output
• Capture the packets using Wireshark
– What is the content of this query message?
• Find the name, type and class of this query
• How can you tell this DNS query is based on EDNS0?
• From this query message, can it handle DNSSEC security RRs or not?
– What is the content of this response message?
• Are there any answers? What is the TTL of each answer?
• Are there any authority RRs? What is the type of each RR?
• Are there any special additional RRs with OPT type? What does its ‘DO bit’ say: does it accept DNSSEC security RRs or not?
lab 5.2
• Make the query by using the query method of “dns resolver” (a Python package)
– Query the type A value of www.sina.com.cn over TCP and UDP respectively
• Capture the related TCP stream and UDP stream using Wireshark
– Screenshot of these two commands.
What is the default transport layer protocol when invoking a DNS query?
– Screenshot of the TCP stream of the query by TCP.
How many TCP packets are captured in this stream? Which port is used?
– Screenshot of the UDP stream of the query by UDP.
How many UDP packets are captured in this stream? Which port is used?
– Is there any difference between the DNS query and response messages when using TCP and UDP respectively?
lab 5.3 implement a local resolver
• Function:
– Listen and accept DNS queries.
• Support common query types:
A, AAAA, CNAME, TXT, NS, MX
• EDNS implementation is not required.
– Forward the query to an upstream DNS resolver (or a public DNS server).
– Check the response and send it to your clients.
– Maintain a cache of DNS query-response pairs for all results.
• Test method:
– Use dig to send queries to your resolver
• *Comments are a MUST
• *DO NOT copy and paste any existing source code of a DNS resolver.
Tips for assignment 5.2
query in dns.resolver of Python
• query(self, qname, rdtype=1, rdclass=1, tcp=False, source=None, raise_on_no_answer=True, source_port=0)
– Query nameservers to find the answer to the question.
• Parameters:
– qname (dns.name.Name object or string) – the query name
– rdtype (int or string) – the query type
– rdclass (int or string) – the query class
– tcp (bool) – use TCP to make the query (default is False).
– source (IP address in dotted quad notation) – bind to this IP address (defaults to machine default IP).
– raise_on_no_answer (bool) – raise NoAnswer if there’s no answer (default is True).
– source_port (int) – The port from which to send the message. The default is 0.
Tips for assignment 5.3
