The Domain Name System (DNS) is used to convert human-readable hostnames such as microsoft.com to IP addresses. DNS is also used to transfer zone data between DNS servers (zone transfers), to identify the hostname associated with an IP address (reverse DNS, via PTR records), and to look up other information such as Mail Exchange (MX) records.
DNS runs over both UDP and TCP. Ordinary queries and replies use UDP; zone transfers (and any response too large to fit in a UDP datagram) use TCP. The default port is 53 for both transports. Multicast DNS (mDNS) is a name resolution mechanism for small networks that have no DNS server installed. Top-level mDNS names end in .local, and any mDNS query for a name ending in .local is sent to the IPv4 multicast address 224.0.0.251 (or its IPv6 equivalent FF02::FB) on UDP port 5353 rather than to a unicast resolver (Multicast DNS, n.d.).
Below is a standard DNS query for the A record (IPv4 host address) of microsoft.com. This query was generated automatically when I opened my browser and typed the hostname microsoft.com:
Immediately after the A record request, my client generates an AAAA record request. The AAAA ("quad-A") record is the DNS record type that maps a hostname to an IPv6 address:
Below is the DNS response to the A record query:
Below is the DNS response to the AAAA record query:
Once DNS has resolved the hostname to an IP address, the capture shows the TCP three-way handshake to that address, followed by the first HTTP GET request from my client to the server:
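The screenshots above show what Wireshark dissects; to make the wire format concrete, here is an added example (my own code, not part of the original article or the Wireshark project) that builds the same A and AAAA queries byte by byte and parses constructed responses, including the 0xC00C name-compression pointer that real answers use to point back at the question name. The transaction IDs and the answer addresses (192.0.2.10, 2001:db8::10, both from documentation ranges) are made up for the example and are not microsoft.com's real records. The final check, comparing a response's transaction ID and question section against the outstanding query, is the minimal validation a resolver must do before accepting an answer, since a reply with a mismatched ID or question is exactly what a spoofing attempt looks like.

```python
"""Build and parse DNS messages in RFC 1035 wire format using only the standard library."""
import socket
import struct

QTYPE_A = 1
QTYPE_AAAA = 28
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as length-prefixed labels, e.g. b'\\x09microsoft\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """12-byte header (flags 0x0100 = RD set, like a stub resolver) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a name at `offset`, following compression pointers (top two bits 11).
    Returns (dotted name, offset just past the name as it appeared at the call site)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the pointer itself is 2 bytes at the call site
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_message(msg: bytes) -> dict:
    """Parse the header, question section and answer section of a query or response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()  # unknown type: keep the raw RDATA
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def build_response(query: bytes, rrs) -> bytes:
    """Answer `query` (flags 0x8180 = QR, RD, RA) with the given (type, ttl, address) records.
    Each answer's owner name is the compression pointer 0xC00C, i.e. the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rrs), 0, 0)
    body = b""
    for rtype, ttl, addr in rrs:
        rdata = socket.inet_pton(socket.AF_INET if rtype == QTYPE_A else socket.AF_INET6, addr)
        body += b"\xC0\x0C" + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + query[12:] + body


def matches_query(query: bytes, response: bytes) -> bool:
    """A resolver must only accept a reply whose ID and question echo the query it sent."""
    q, r = parse_message(query), parse_message(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]


# Constructed sample exchange mirroring the capture above (IDs and addresses are placeholders).
A_QUERY = build_query("microsoft.com", QTYPE_A, 0x1A2B)
A_RESPONSE = build_response(A_QUERY, [(QTYPE_A, 3600, "192.0.2.10")])
AAAA_QUERY = build_query("microsoft.com", QTYPE_AAAA, 0x1A2C)
AAAA_RESPONSE = build_response(AAAA_QUERY, [(QTYPE_AAAA, 3600, "2001:db8::10")])
# The same encoder serves mDNS: queries for .local names use ID 0 and go to 224.0.0.251:5353.
MDNS_QUERY = build_query("printer.local", QTYPE_A, 0)

if __name__ == "__main__":
    print("A query   :", A_QUERY.hex())
    print("A answer  :", parse_message(A_RESPONSE)["answers"])
    print("AAAA      :", parse_message(AAAA_RESPONSE)["answers"])
    print("accepted  :", matches_query(A_QUERY, A_RESPONSE))
```

To compare against a live capture, paste the hex printed for A_QUERY into Wireshark's "File > Import from Hex Dump" or simply compare it with the bytes pane of the A record query shown above: the 12-byte header, the label-encoded name, then type 0x0001 and class 0x0001.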
About the Author
David Zwickl, MSci., CISSP, CEH, has spent over 20 years in information assurance and cybersecurity for companies such as RSA Security and Cisco Systems in a variety of roles. Dave holds a Master’s degree in Information Assurance with a Cybersecurity Specialization from Regis University in Denver, Colorado. Regis University’s School of Computer & Information Sciences is designated as a National Center of Excellence in Information Systems Security Education (CAE/IAE) by the National Security Agency (NSA) and the Department of Homeland Security (DHS). Dave is active in industry associations including ISSA, OWASP, and CSA, among others.
Multicast DNS. (n.d.). Retrieved March 15, 2017, from http://www.multicastdns.org/
Display filter reference: Domain Name System. (n.d.). Retrieved March 15, 2017, from https://www.wireshark.org/docs/dfref/d/dns.html
Domain Name System (DNS). (n.d.). Retrieved March 15, 2017, from https://wiki.wireshark.org/DNS