dns tcpdump

Check the local machine's DNS server configuration
root@php56:/home/tb# cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.70.1.38
nameserver 10.70.1.39
root@php56:/home/tb#
Run the lookup with the host command
root@php56:/home/tb# host -t A WWW.BAIDU.COM
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 14.215.177.39
www.a.shifen.com has address 14.215.177.38
root@php56:/home/tb#
Capture command and result
root@php56:/home/tb# tcpdump -i enp0s3 -nt -s 500 port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 500 bytes
IP 10.70.30.60.35117 > 10.70.1.38.53: 13616+ A? WWW.BAIDU.COM. (31)
IP 10.70.1.38.53 > 10.70.30.60.35117: 13616 3/0/0 CNAME www.a.shifen.com., A 14.215.177.39, A 14.215.177.38 (90)
Brief explanation
  1. tcpdump identifies each end of a conversation as IP address.port number
  2. ">" shows the direction of data transfer
  3. 10.70.1.38 is the local machine's preferred DNS server; 53 is evidently the DNS server port
  4. 13616 is the query identifier and matches the 13616 in the response
  5. The + after 13616 means recursion desired (the RD flag is set); note the distinction from iterative queries
  6. A? indicates the query is for record type A
  7. The trailing 31 is the length of the DNS query message in bytes
  8. 3/0/0 means 3 answer resource records, 0 authority records and 0 additional records; the trailing 90 is the response length in bytes
More: the tcpdump -x option (shows every byte of the DNS packet)
root@php56:/home/tb# tcpdump -i  enp0s3 -ntx -s 500 port domain
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 500 bytes
IP 10.70.30.60.50417 > 10.70.1.38.53: 52136+ A? WWW.BAIDU.COM. (31)
    0x0000:  4500 003b cf8e 0000 4011 7736 0a46 1e3c
    0x0010:  0a46 0126 c4f1 0035 0027 3426 cba8 0100
    0x0020:  0001 0000 0000 0000 0357 5757 0542 4149
    0x0030:  4455 0343 4f4d 0000 0100 01
IP 10.70.1.38.53 > 10.70.30.60.50417: 52136 3/0/0 CNAME www.a.shifen.com., A 220.181.38.150, A 220.181.38.149 (90)
    0x0000:  4500 0076 0000 4000 3f11 078a 0a46 0126
    0x0010:  0a46 1e3c 0035 c4f1 0062 4ef4 cba8 8180
    0x0020:  0001 0003 0000 0000 0377 7777 0562 6169
    0x0030:  6475 0363 6f6d 0000 0100 01c0 0c00 0500
    0x0040:  0100 0003 b400 0f03 7777 7701 6106 7368
    0x0050:  6966 656e c016 c02b 0001 0001 0000 0030
    0x0060:  0004 dcb5 2696 c02b 0001 0001 0000 0030
    0x0070:  0004 dcb5 2695
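As an added example (not part of the original post), the following Python script decodes the reply from the -x capture above: it strips the IPv4 and UDP headers, then walks the DNS header, the question section and the three answers, following the c00c/c02b compression pointers, so that each field from the explanation list (ID, RD flag, 3/0/0 counts, 90-byte length) can be checked against the raw bytes. It assumes only the Python standard library.

```python
import struct
import ipaddress
# Raw bytes copied from the tcpdump -x output above: IPv4 + UDP + DNS (118 bytes).
RESPONSE_HEX = """
4500 0076 0000 4000 3f11 078a 0a46 0126 0a46 1e3c 0035 c4f1 0062 4ef4 cba8 8180
0001 0003 0000 0000 0377 7777 0562 6169 6475 0363 6f6d 0000 0100 01c0 0c00 0500
0100 0003 b400 0f03 7777 7701 6106 7368 6966 656e c016 c02b 0001 0001 0000 0030
0004 dcb5 2696 c02b 0001 0001 0000 0030 0004 dcb5 2695
"""
RR_TYPES = {1: "A", 5: "CNAME"}

def read_name(msg, off):
    """Read a DNS name at off, following RFC 1035 compression pointers; return (name, end offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # 2-byte pointer (e.g. c00c -> offset 12)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_dns(packet):
    """Strip the IPv4 and UDP headers, then decode the DNS header, question and answers."""
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length from the IHL nibble
    dns = packet[ihl + 8:]                  # skip the fixed 8-byte UDP header
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", dns[:12])
    qname, off = read_name(dns, 12)
    qtype = struct.unpack("!H", dns[off:off + 2])[0]
    off += 4                                # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(dns, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        if rtype == 1:                      # A: 4-byte IPv4 address
            rdata = str(ipaddress.IPv4Address(dns[off:off + 4]))
        else:                               # CNAME rdata is a (compressed) name; other types left as hex
            rdata = read_name(dns, off)[0] if rtype == 5 else dns[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, RR_TYPES.get(rtype, rtype), ttl, rdata))
    return {"id": ident, "qr": flags >> 15, "rd": (flags >> 8) & 1, "rcode": flags & 0xF,
            "counts": (qd, an, ns, ar), "question": (qname, RR_TYPES.get(qtype, qtype)),
            "answers": answers, "dns_length": len(dns)}
```

Calling parse_dns(bytes.fromhex(RESPONSE_HEX)) yields ID 52136, RD set, counts (1, 3, 0, 0) and a 90-byte DNS payload, exactly what the tcpdump summary line reports.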
Reference: field descriptions