DNS Query Message Format

Written by Administrator
Monday, 16 May 2011 00:50
Introduction

This section deals with the analysis of DNS packets. It shows how DNS messages are formatted and which options and variables they contain. To understand a protocol, you must understand the information it carries from one host to another. Because the DNS message format varies depending on whether the message is a query or an answer, the analysis is broken into two parts. Part 1 analyses the format of a DNS query, in other words how the packet looks when we ask a DNS server to resolve a domain. Part 2 analyses the format of a DNS answer, where the DNS server responds to our query. Treating queries and answers separately is more informative and easier to follow than combining the two.

DNS Analysis - Host Query

As mentioned in the previous sections on the DNS protocol, a DNS query is generated when a client needs to resolve a domain name into an IP address. This can be the result of entering "www.firewall.cx" in the URL field of your web browser, or simply of launching a program that uses the Internet and therefore generates DNS queries in order to reach the host or server it needs. A live example captured with a packet analyser is included so you can compare theory with practice. After that we look at the meaning of each field in the packet, so let's check out what a packet containing a DNS query looks like on the network:

This is the captured packet we are going to deal with. To generate it, I typed "ping www.firewall.cx" at my Linux prompt. The command produced this packet, which was sent out on my network with a name server in Australia as its destination. Notice the destination port, which is set to 53, the well-known port DNS listens on, and the transport protocol used for the DNS query, which is UDP.
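To make the field-by-field walkthrough concrete, the following added example (not code from the original article) builds the same kind of query the ping command above would trigger, a standard A query for www.firewall.cx, byte by byte, and then decodes it back into its header flags and question section. The 16-bit transaction ID 0x1A2B is an arbitrary constructed value; a real resolver picks it at random. The name decoder also understands the compression pointers (RFC 1035 section 4.1.4) that appear in answer messages, so it goes slightly beyond the query case the text covers and can be reused for Part 2.

```python
import struct

# Constants from RFC 1035: QTYPE A (host address) and QCLASS IN (Internet)
QTYPE_A = 1
QCLASS_IN = 1


def encode_qname(name):
    """Encode 'www.firewall.cx' as length-prefixed labels ending with a zero byte:
    03 'www' 08 'firewall' 02 'cx' 00"""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(name, txid, qtype=QTYPE_A, rd=True):
    """Build a standard query: 12-byte header followed by one question entry.
    Header fields are ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all 16-bit big-endian."""
    flags = 0
    if rd:
        flags |= 0x0100  # RD (recursion desired); QR=0 marks this as a query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def decode_qname(msg, offset):
    """Decode a name at `offset`; returns (name, offset_after_name).
    Handles 0xC0xx compression pointers so it also works on answer sections."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # Pointer: top two bits set, remaining 14 bits are an offset into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # a pointer is the last thing in the encoded name
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_query(msg):
    """Split a DNS message into its header fields and question entries."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {
        "id": txid,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "z": (flags >> 4) & 7,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_qname(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"qname": name, "qtype": qtype, "qclass": qclass})
    return header, questions


if __name__ == "__main__":
    pkt = build_query("www.firewall.cx", 0x1A2B)  # constructed transaction ID
    print(pkt.hex())
    print(parse_query(pkt))
```

The payload produced here is what sits inside the UDP datagram to port 53 in the capture: a 12-byte header with QDCOUNT=1 and only RD set, then the question. Since UDP carries no handshake, the transaction ID and the source port are all that ties an incoming answer to this query, so real resolvers randomise both rather than using a fixed value like the one in this example.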