Tuesday, May 31, 2016

DNS Query Response Decodes

I am getting comfortable doing this again, trying to build up speed. 

 450000450a860000ff112d6bc0a80165c0a80101 0x11 UDP
ce2300350031302d Destination port 0x0035 = 53 DNS DEST
1b89 Transaction ID
0100 Standard Query
0001000000000000 1 Query
0665313135353101670a616b616d616965646765036e657400
   e 1 1 5 5 1   g   a k a m a i e d g e  n  e t00 ends label
0001 A record
0001 IN
=============================================================

 45000055000040003911bde1c0a80101c0a80165 0x11 UDP
0035ce2300414ee2 DNS SRC
1b89 Transaction ID
8180 Standard Response
0001000100000000 1 Query 1 Answer 0 Auth 0 Addition
0665313135353101670a616b616d616965646765036e657400
   e 1 1 5 5 1   g   a k a m a i e d g e  n  e t00 ends label
0001 A record
0001 IN
c00c Pointer 0xc0, (12 bytes) displacement
0001 A record
0001 IN
00000013 TTL 19
0004 Data Length
48f6a044 72.246.160.68

 0xc00c pointer points here |
1b89818000010001000000000665313135353101670a616b616d616965646765036e65740000010001c00c0001000100000013000448f6a044

 =================================================================
=================================================================
713a Transaction ID
0100 Standard Query
0001000000000000 Query 1 Answer 0 Auth 0 Addition 0
01640764726f70626f7803636f6d00
   d . d r o p b o x . c o m00 terminates string
0001 A
0001 IN

 713a0100000100000000000001640764726f70626f7803636f6d0000010001

 ===================================================================

 713a8180000100030000000001640764726f70626f7803636f6d0000010001c00c00050001000000a4000601640176c00ec02b000100010000002400046ca0acc1c02b000100010000002400046ca0ace1

0xc00e pointer points here     |
713a8180000100030000000001640764726f70626f7803636f6d00

 713a ID
8180 Standard Response
0001000300000000 Query 1 Answer label 3 Auth 0 Addition 0
01640764726f70626f7803636f6d00
00010001 A IN
c00c Pointer to RNAME
0005 Type canonical
0001 IN
000000a4 TTL 164
00
0601640176 d.v
c00e pointer offset 14
c02b pointer offset 43
00010001 A IN
00000024 TTL 36
0004 RDATA Length
6ca0acc1 108.160.172.193
c02b Pointer to RNAME
0001000100000024 A IN TTL 36
0004 RDATA Length
6ca0ace1 108.160.172.225

 ====================================================================
====================================================================
01a301000001000000000000 ID 01a3 Standard Query, 1 Question
036c6f670a67657464726f70626f7803636f6d00 log.getdropbox.com
00010001 A IN

 ====================================================================
Let's do some labels. Very clever how the label length becomes the dot.
====================================================================
036c6f670a67657464726f70626f7803636f6d00 
03  log 0a getdropbox         03 com  00

0a67657464726f70626f7801760764726f70626f78c01b 
0a  getdropbox        01v 07 dropbox       pointer


 036c6f670a67657464726f70626f7803636f6d00
03 log  0a getdropbox         03 com  00

 066e732d37373309617773646e732d3332036e657400
06   ns-773   09 awsdns-32        03 net  00


 11617773646e732d686f73746d617374657206616d617a6f6ec01b
11   awsdns-hostmaster              06 amazon     pointer   
Posted by at

1 comment:

Subscribe to: Post Comments (Atom)