Deciphering IP Packets:

UDP

By Golden_Eternity
June 13, 2001  


DNS Lookup

The connection is a web request, but it starts with a UDP request to the DNS server for the IP of www.bhodisoft.com. UDP is connectionless, so you won't see any Syn or Ack flags; there's no connection negotiation, just a request and a reply.

The DNS message format is explained in depth in RFC 1035, Section 4.

Query

The client (10.0.0.2) sends a request to the DNS server (10.0.0.1).

18:02:47.500000 10.0.0.2.1032 > 10.0.0.1.53: [udp sum ok] 24415+ A? www.bhodisoft.com. [|domain] (DF) (ttl 64, id 55712, len 63)

0x0000  4500  003f  d9a0  4000  4011  4d0b  0a00  0002   E..?..@.@.M.....
0x0010  0a00  0001  0408  0035  002b  e71a  5f5f  0100   .......5.+..__..
0x0020  0001  0000  0000  0000  0377  7777  0962  686f   .........www.bho
0x0030  6469  736f  6674  0363  6f6d  0000  0100  01     disoft.com.....

IP Layer 

Header -

0x0000  4500  003f  d9a0  4000  4011  4d0b  0a00  0002 
0x0010  0a00  0001 

45 - IP Version / Header Length (IPv4, 5 32-bit words = 20 bytes)
00 - Type of Service (0)
003f - Total Length (63 bytes, IP header included)
d9a0 - Identification / Fragment ID (55712)
4000 - IP Flags / Fragment Offset. The top three bits are the flags (010: Don't Fragment set, More Fragments clear, so this is the last and only fragment); the remaining 13 bits are the Fragment Offset (0).
40 - Time To Live (64)
11 - IP Protocol Type (17/UDP)
4d0b - IP Checksum (19723)
0a00 0002 - Source IP Address (10.0.0.2)
0a00 0001 - Destination IP Address (10.0.0.1)

UDP Layer ( IP Data )

Header -

0x0010              0408  0035  002b  e71a  5f5f  0100 
0x0020  0001  0000  0000  0000  0377  7777  0962  686f 
0x0030  6469  736f  6674  0363  6f6d  0000  0100  01   

0408 - Source Port (1032)
0035 - Destination Port (53)

002b - UDP Message Length (43 bytes)
e71a - UDP Checksum (59162)

Data -

DNS Header -

0x0010              0408  0035  002b  e71a  5f5f  0100 
0x0020  0001  0000  0000  0000  0377  7777  0962  686f 
0x0030  6469  736f  6674  0363  6f6d  0000  0100  01   

5f5f - ID (24415)

The following 16 bits are packed with several flag and code fields.

0100 - QR, Opcode, AA, TC, RD, RA, Z, RCODE

To better explain this, we'll examine the binary representation.

0 0000 0 0 1 0 000 0000

1 bit - QR - This field (bit) is 0 if the message is a query and 1 if it's a response. This is a query.
4 bits - OpCode. Specifies the type of query. 0 shows this is a standard query.
1 bit - AA - Authoritative Answer. Valid in responses. Specifies that the responding name server is authoritative for the domain.
1 bit - TC - TrunCation. Specifies that the message was truncated. This message was not truncated.
1 bit - RD - Recursion Desired. Valid in the query, copied in the response. RD is set.
1 bit - RA - Recursion Available. Set or cleared in the response. Specifies whether recursive queries are supported on the server.
3 bits - Z - Reserved for future use.
4 bits - RCODE - Response Code. Set by the server in the response; it is 0 in a query.

0001 - QDCOUNT - Specifies the number of entries in the question section. (1)
0000 - ANCOUNT - Specifies number of entries in the answer section. (0)
0000 - NSCOUNT - Specifies the number of name server resource records in the authority records section. (0)
0000 - ARCOUNT - Number of resource records in the additional records section. (0)

DNS Question - 

QNAME

03 - Octet length (for www)
77 7777 - www
09 - Octet length (for bhodisoft)
62 686f 6469 736f 6674 - bhodisoft
03 - Octet length (for com)
63 6f6d - com
00 - Octet length (null, end of name)

00 01 - QTYPE - Specifies the type of query. This is a DNS "A" record query.
00 01 - QCLASS - Specifies the class of query. This is an internet (IN) class record.


Response

The server responds with the info on www.bhodisoft.com.

18:02:47.510000 10.0.0.1.53 > 10.0.0.2.1032: [udp sum ok] 24415 q: A? www.bhodisoft.com. 2/0/0 www.bhodisoft.com. CNAME bhodisoft.com., bhodisoft.com. A 161.58.243.241 (65) (ttl 64, id 64602, len 93)

0x0000  4500  005d  fc5a  0000  4011  6a33  0a00  0001  E..].Z..@.j3....
0x0010  0a00  0002  0035  0408  0049  b2e4  5f5f  8180  .....5...I..__..
0x0020  0001  0002  0000  0000  0377  7777  0962  686f  .........www.bho
0x0030  6469  736f  6674  0363  6f6d  0000  0100  01c0  disoft.com......
0x0040  0c00  0500  0100  0151  2400  02c0  10c0  1000  .......Q$.......
0x0050  0100  0100  0151  2400  04a1  3af3  f1    .....Q$...:..

IP Layer

Header - 

0x0000  4500  005d  fc5a  0000  4011  6a33  0a00  0001 
0x0010  0a00  0002 

45 - IP Version / Header Length (IPv4, 5 32-bit words = 20 bytes)
00 - Type of Service (0)
005d - Total Length (93 bytes, IP header included)
fc5a - Identification / Fragment ID (64602)
0000 - IP Flags / Fragment Offset. Flags 000 (Don't Fragment clear, More Fragments clear, so this is the last and only fragment); Fragment Offset (0).
40 - Time To Live (64)
11 - IP Protocol Type (17/UDP)
6a33 - IP Checksum (27187)
0a00 0001 - Source IP Address (10.0.0.1)
0a00 0002 - Destination IP Address (10.0.0.2)

UDP Layer ( IP Data )

Header -

0x0010  0035  0408  0049  b2e4  5f5f  8180 
0x0020  0001  0002  0000  0000  0377  7777  0962  686f 
0x0030  6469  736f  6674  0363  6f6d  0000  0100  01c0 
0x0040  0c00  0500  0100  0151  2400  02c0  10c0  1000 
0x0050  0100  0100  0151  2400  04a1  3af3  f1   

0035 - Source Port (53)
0408 - Destination Port (1032)

0049 - UDP Message Length (73 bytes)
b2e4 - UDP Checksum (45796)

Data - 

DNS Header -

0x0010  0035  0408  0049  b2e4  5f5f  8180 
0x0020  0001  0002  0000  0000  0377  7777  0962  686f 
0x0030  6469  736f  6674  0363  6f6d  0000  0100  01c0 
0x0040  0c00  0500  0100  0151  2400  02c0  10c0  1000 
0x0050  0100  0100  0151  2400  04a1  3af3  f1   

5f5f - ID (24415)

8180 - QR, Opcode, AA, TC, RD, RA, Z, RCODE

1 0000 0 0 1 1 000 0000

1 bit - QR - This field (bit) is 0 if the message is a query and 1 if it's a response. This is a response.
4 bits - OpCode. Specifies the type of query. 0 shows this is a standard query.
1 bit - AA - Authoritative Answer. Specifies that the responding name server is authoritative for the domain. AA is 0 here, so this server is not authoritative for bhodisoft.com; it answered from cache or by recursion.
1 bit - TC - TrunCation. Specifies that the message was truncated. This message was not truncated.
1 bit - RD - Recursion Desired. Valid in the query, copied in the response. RD is set.
1 bit - RA - Recursion Available. Specifies whether recursive queries are supported on the server. Recursion is available on the server.
3 bits - Z - Reserved for future use.
4 bits - RCODE - Response Code. 0 means no error.

0001 - QDCOUNT - Specifies the number of entries in the question section. (1)
0002 - ANCOUNT - Specifies number of entries in the answer section. (2)
0000 - NSCOUNT - Specifies the number of name server resource records in the authority records section. (0)
0000 - ARCOUNT - Number of resource records in the additional records section. (0)

DNS Question -

0377 7777 0962 686f 6469 736f 6674 0363 6f6d 00 - QNAME - www.bhodisoft.com (See query)
00 01 - QTYPE (A)
00 01 - QCLASS (IN)

DNS Answer -

We know from ANCOUNT that we'll be seeing two answers in this section. There will not be an authority or additional records section. I'm still a bit unclear on the name field and handling of multiple Resource Records, but this does seem to work.

Each answer is a Resource Record laid out as NAME, TYPE, CLASS, TTL, RDLENGTH and RDATA (RFC 1035, Section 4.1.3). The name is not repeated in full: a two-byte field whose top two bits are 11 is a compression pointer, and its remaining 14 bits are an offset from the start of the DNS message (the 12-byte header counts, so offset 12 is the first byte of the QNAME).

Answer 1 -

c0 0c - Name. Compressed, offset 12 bytes (the QNAME, www.bhodisoft.com).
00 05 - Type (CNAME)
00 01 - Class (IN)
00 0151 24 - TTL (86308 seconds)
00 02 - RDLENGTH (2)
c0 10 - RDATA. The canonical name, itself compressed: offset 16 bytes (bhodisoft.com).

Answer 2 -

c0 10 - Name. Compressed, offset 16 bytes (bhodisoft.com).
00 01 - Type (A)
00 01 - Class (IN)
00 0151 24 - TTL (86308 seconds)
00 04 - RDLENGTH (4)
a1 3af3 f1 - RDATA. IP Address (161.58.243.241)
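The hand decode above, as an added example that is not part of the original article: a small Python parser that walks the IP header, the UDP header and the DNS message of both packets, including the compression pointers in the answer section. The two byte strings are constructed from the hex dumps on this page; the field names in the returned dict are my own.

```python
import struct

# Constructed from the two hex dumps on this page, IP header onward (query, then response).
QUERY = bytes.fromhex("4500003fd9a0400040114d0b0a0000020a00000104080035002be71a5f5f0100"
                      "0001000000000000037777770962686f6469736f667403636f6d0000010001")
RESPONSE = bytes.fromhex("4500005dfc5a000040116a330a0000010a000002003504080049b2e45f5f8180"
                         "0001000200000000037777770962686f6469736f667403636f6d0000010001c0"
                         "0c00050001000151240002c010c01000010001000151240004a13af3f1")
RR_TYPES = {1: "A", 5: "CNAME"}

def read_name(msg, off, hops=0):
    """Decode a NAME at msg[off] (RFC 1035 labels, 0xC0xx pointers); return (name, offset past it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer: low 14 bits are a message offset
            if hops > 16: raise ValueError("compression pointer loop")   # malformed-input guard
            target = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            rest, _ = read_name(msg, target, hops + 1)  # the pointed-to name is the tail
            return ".".join(labels + [rest]), off + 2   # a pointer always ends the name
        off += 1
        if length == 0: return ".".join(labels), off    # root label ends the name
        labels.append(msg[off:off + length].decode("ascii")); off += length

def parse_packet(pkt):
    """Parse an IPv4/UDP/DNS packet into the fields this page decodes by hand."""
    ver_ihl, _, _, ip_id, frag, ttl, proto = struct.unpack_from("!BBHHHBB", pkt)
    assert ver_ihl >> 4 == 4 and proto == 17, "not an IPv4/UDP packet"
    ihl = (ver_ihl & 0x0F) * 4                          # header length is given in 32-bit words
    dotted = lambda b: ".".join(str(x) for x in b)
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", pkt, ihl)
    msg = pkt[ihl + 8:ihl + ulen]                       # the DNS message is the UDP payload
    dns_id, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg)
    out = {"src": dotted(pkt[12:16]), "sport": sport, "dst": dotted(pkt[16:20]), "dport": dport,
           "ip_id": ip_id, "df": bool(frag & 0x4000), "ttl": ttl, "dns_id": dns_id,
           "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "aa": (flags >> 10) & 1,
           "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
           "rcode": flags & 0xF, "questions": [], "answers": []}
    off = 12                                            # the fixed DNS header is 12 bytes
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off); off += 4
        out["questions"].append((name, RR_TYPES.get(qtype, qtype), qclass))
    for _ in range(an):                                 # NSCOUNT and ARCOUNT are 0 in this trace
        name, off = read_name(msg, off)
        rtype, rclass, rttl, rdlen = struct.unpack_from("!HHIH", msg, off); off += 10
        rdata = (dotted(msg[off:off + 4]) if rtype == 1 else
                 read_name(msg, off)[0] if rtype == 5 else msg[off:off + rdlen].hex())
        out["answers"].append((name, RR_TYPES.get(rtype, rtype), rttl, rdata)); off += rdlen
    return out
```

The hop limit in read_name matters on real traffic: a pointer that leads back to itself would otherwise loop forever, which is the classic way a malformed DNS message wedges a naive parser.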

End DNS Lookup