Infosec Skills — Network Traffic Analysis for IR: DNS protocol with Wireshark

Introduction to the DNS protocol

The Domain Name System (DNS) protocol was first defined in RFCs 1034 and 1035 but has been updated by many subsequent RFCs. A primary purpose of the DNS protocol is to provide computers with a mapping from domain names (like infosec.com) to IP addresses (like 127.0.0.1).

When most people use the internet, they type a domain name into the address bar of their browser window. These domain names have the advantages of being easy to remember and help to define the website that a user is actually trying to reach on a given web server (which may host multiple different domains).

However, the computers that make up the internet work on IP addresses, not domain names. It is inefficient and infeasible for each computer on the internet to track the full set of mappings from domain name to IP address.

Instead, the DNS system uses a hierarchical structure of name servers. A domain name is broken up by the periods within it, and (theoretically) each segment is handled by a different level of name server. Resolving resources.infosec.com would require asking a name server with knowledge of the .com namespace to provide the IP address of the infosec.com name server. Contacting the infosec.com name server would then allow the browser to learn the IP address of the server hosting resources.infosec.com.

While the DNS protocol is effective, it does have its downsides. One of the primary ones is that all DNS traffic is sent in plaintext, making it readable and editable by eavesdroppers. This issue is addressed using protocols like DNSSEC, which lets a resolver verify that a response has not been altered, and DNS over HTTPS, which encrypts the exchange so it cannot be read; Google and Mozilla are introducing the latter into their browsers.
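The plaintext wire format described above is exactly what Wireshark dissects when it decodes a DNS packet. The following parser is an added example and is not code from the original post or from Infosec Resources; it reads an RFC 1035 message (header, question, and resource records, including name-compression pointers) and rejects malformed input such as truncated messages or pointer loops. The sample response bytes for resources.infosec.com are constructed for this example (the answer uses the documentation address 192.0.2.10 and a TTL of 300), and the function and field names are this example's own.

```python
from __future__ import annotations
import ipaddress
import struct

# Constructed sample (not a real capture): a response for resources.infosec.com
# with one A record, laid out byte by byte as RFC 1035 specifies.
SAMPLE_RESPONSE = (
    b"\x12\x34"                              # transaction ID
    b"\x81\x80"                              # flags: QR=1, RD=1, RA=1, RCODE=0
    b"\x00\x01\x00\x01\x00\x00\x00\x00"      # QDCOUNT=1 ANCOUNT=1 NSCOUNT=0 ARCOUNT=0
    b"\x09resources\x07infosec\x03com\x00"  # question name as length-prefixed labels
    b"\x00\x01\x00\x01"                      # QTYPE=A, QCLASS=IN
    b"\xc0\x0c"                              # answer name: compression pointer to offset 12
    b"\x00\x01\x00\x01"                      # TYPE=A, CLASS=IN
    b"\x00\x00\x01\x2c"                      # TTL=300
    b"\x00\x04"                              # RDLENGTH=4
    b"\xc0\x00\x02\x0a"                      # RDATA 192.0.2.10
)

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def read_name(msg: bytes, offset: int, depth: int = 0) -> tuple[str, int]:
    """Decode a domain name at `offset`, following compression pointers.
    Returns (name, offset just past the name as it was written at `offset`)."""
    if depth > 8:                                  # a chain this deep is not legitimate
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:                            # root label ends the name
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                  # top two bits set: 14-bit pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if ptr >= offset:                      # RFC 1035 pointers only point backwards
                raise ValueError("forward compression pointer")
            suffix, _ = read_name(msg, ptr, depth + 1)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        if length > 63 or offset + 1 + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def read_record(msg: bytes, offset: int) -> tuple[dict, int]:
    """Decode one resource record (answer/authority/additional section)."""
    name, offset = read_name(msg, offset)
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    offset += 10
    rdata = msg[offset:offset + rdlength]
    if len(rdata) != rdlength:
        raise ValueError("truncated rdata")
    if rtype == 1 and rdlength == 4:
        value = str(ipaddress.IPv4Address(rdata))
    elif rtype == 28 and rdlength == 16:
        value = str(ipaddress.IPv6Address(rdata))
    elif rtype in (2, 5, 12):                      # NS, CNAME, PTR carry a (compressible) name
        value, _ = read_name(msg, offset)
    else:
        value = rdata.hex()
    record = {"name": name, "type": TYPE_NAMES.get(rtype, str(rtype)),
              "class": rclass, "ttl": ttl, "data": value}
    return record, offset + rdlength


def parse_dns(msg: bytes) -> dict:
    """Parse a full DNS message into header flags, questions and records."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    header = {"id": ident, "is_response": bool(flags & 0x8000),
              "opcode": (flags >> 11) & 0xF, "authoritative": bool(flags & 0x0400),
              "truncated": bool(flags & 0x0200), "recursion_desired": bool(flags & 0x0100),
              "recursion_available": bool(flags & 0x0080),
              "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF))}
    offset, questions = 12, []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append({"name": qname, "type": TYPE_NAMES.get(qtype, str(qtype)), "class": qclass})
    sections: dict = {"answers": [], "authority": [], "additional": []}
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rec, offset = read_record(msg, offset)
            sections[section].append(rec)
    return {"header": header, "questions": questions, **sections}


def build_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Encode a standard recursive query (RD=1) for `name` in wire format."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def is_malformed(msg: bytes) -> bool:
    """True when the bytes do not parse as a well-formed DNS message."""
    try:
        parse_dns(msg)
    except (ValueError, struct.error, UnicodeDecodeError):
        return True
    return False


if __name__ == "__main__":
    import json
    print(json.dumps(parse_dns(SAMPLE_RESPONSE), indent=2))
    print(parse_dns(build_query("resources.infosec.com"))["questions"])
```

Running the block prints the decoded header, question and answer of the constructed response, which is the same information Wireshark shows in its DNS dissector; because nothing in the message is encrypted, every field is recoverable by anyone who can see the packet. The pointer and length checks in `read_name` matter for incident-response tooling: a parser fed captured traffic must not hang or crash on a crafted message, and `is_malformed` gives a simple way to flag such packets for closer inspection.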

The DNS protocol in Wireshark

Wireshark makes DNS packets easy to find in (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/2Rc1aNkwm6I/