Query IPv4 and IPv6 with DNS pipelining - dns

Background
We have seen some DNS servers block the queries where both IPv4 and IPv6 records are queried together from DNS in a single TCP command.
The RFC says this is something called DNS pipelining (section 6.2.1.1).
Query
I am trying to understand how to simulate this from the command line or C code.
I came across this link, but it doesn't issue a single query; rather, it issues 2 queries one after the other. That is not what I need.
Basically I need a way to issue such queries at will to prove to the customer that their DNS is at fault :)
Any pointers on how to achieve this? I am wondering how glibc/the resolver is doing it. I tried digging there but could not figure it out.
Can someone point me to some code?

This might be what you're looking for: https://manpages.debian.org/experimental/bind-dnsutils/mdig.1.en.html
mdig is a multiple/pipelined query version of dig: instead of waiting
for a response after sending each query, it begins by sending all
queries. Responses are displayed in the order in which they are
received, not in the order the corresponding queries were sent.
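As an added example (not from the question, the answer, or mdig itself), the following Python script builds an A and an AAAA query for one name, frames each with the 2-byte length prefix that DNS over TCP requires, and writes both with a single sendall() before reading either reply, which is the pipelining behaviour the quoted text describes. The functions and the server address in the usage note are assumptions of this example.

```python
import socket
import struct

QTYPE_A, QTYPE_AAAA = 1, 28  # record types for IPv4 and IPv6 addresses

def encode_name(name: str) -> bytes:
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int, txid: int) -> bytes:
    """One DNS query (RFC 1035): 12-byte header with RD set, then a single IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def pipelined_payload(name: str) -> bytes:
    """A and AAAA queries for name, back to back, to be sent in ONE TCP write."""
    return tcp_frame(build_query(name, QTYPE_A, 1)) + tcp_frame(build_query(name, QTYPE_AAAA, 2))

def split_frames(data: bytes) -> list:
    """Cut a TCP byte stream back into complete DNS messages using the length prefixes."""
    frames, pos = [], 0
    while pos + 2 <= len(data):
        (n,) = struct.unpack_from("!H", data, pos)
        if pos + 2 + n > len(data):
            break  # trailing partial message: wait for more bytes
        frames.append(data[pos + 2:pos + 2 + n])
        pos += 2 + n
    return frames

def send_pipelined(server: str, name: str, timeout: float = 5.0) -> list:
    """Write both queries at once; return the RCODE (low 4 bits of the flags word) of each reply."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(pipelined_payload(name))
        buf = b""
        while len(split_frames(buf)) < 2:
            chunk = s.recv(4096)
            if not chunk:
                break  # server closed the connection before answering both
            buf += chunk
        return [struct.unpack_from("!H", m, 2)[0] & 0x0F for m in split_frames(buf)]
```

Calling send_pipelined("<server ip>", "example.com") against the server under test returns two RCODEs when pipelining is handled; a single entry or a timeout is the symptom the question describes.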

Related

Regarding the conversion of hostnames to ip address

Can two or more domains be hosted on the same server? If yes, what is the IP address we are going to get for the two domains?
As a user, can I know how a server resolves the host name and assigns a unique ID to different host names?
After looking at my comment above and as you are a user, not an administrator, just look at the documentation of nslookup(1). It is a tool to make DNS queries to servers. It allows you to perform DNS resolution and to investigate the ways you are getting the answer (there are many ways to answer a query, believe me).
First you need to know how the asking is being done. Normally, clients make recursive queries (they want definitive answers to a query and want the server to do the heavy work) and servers do iterative ones (they approximate the answer by asking the servers in the chain to the final domain you are looking for). Servers and clients normally cache results for future questions and provide several ways of fault tolerance, so you normally cannot control how a query is solved. As this is probably the most requested service on the internet, the protocol has been optimized to get quick answers even in the worst case.
Once you get an answer, it can be a partial one, it can be cached, it can be non-authoritative (meaning the server is serving a cached entry, not a locally administered one).
When you have several responses to a query (ok, this can happen) you normally receive them in order, depending on where you are querying from. The server makes a best effort to order them on proximity to the client (the nearest address is served first) and/or randomly ordered, so you can do round robin to each of the addresses you receive. It depends on the client software, the server implementation, the administrator policy, etc.
You can even receive a different response depending on who you are. Several corporate servers serve different views of the database depending on where the clients come from. If they come from the inside of the company, they serve addresses for servers not visible from the outside. For example, if you try to access the corporate web server, you can receive the private address to reach it, not the public address of the server accessible from the internet. This concept is called a view, and many servers implement it, so the answer to your question is: it depends :)

How to filter wireshark to see only dns queries that are sent/received from/by my computer?

I am new to Wireshark and trying to write simple queries. To see the DNS queries that are only sent from my computer or received by my computer, I tried the following:
dns and ip.addr==159.25.78.7
where 159.25.78.7 is my IP address. It looks like I did it when I look at the filter results, but I wanted to be sure about that. Does that filter really do what I am trying to find out? I doubted a little bit because in the filter results I also see only 1 other result whose protocol is ICMP and its info says "Destination unreachable (Port unreachable)".
Can anyone help me with this?
Thanks
I would go through the packet capture and see if there are any records that I know I should be seeing to validate that the filter is working properly and to assuage any doubts.
That said, please try the following filter and see if you're getting the entries that you think you should be getting:
dns and (ip.dst==159.25.78.7 or ip.src==159.57.78.7)
This filter will show only DNS traffic from 159.57.78.7 or to 159.25.78.7.
Rather than using a DisplayFilter you could use a very simple CaptureFilter like
port 53
See the "Capture only DNS (port 53) traffic" example on the CaptureFilters wiki.
use this filter:
(dns.flags.response == 0) and (ip.src == 159.25.78.7)
What this filter does is show only DNS queries originating from your IP.
You can capture by adding the filter udp.port == 53 to see all DNS queries.

getaddrinfo() vs NAPTR/SRV record

I have a doubt regarding domain name resolution. We can do address resolution from DNS to IP address format by using the function getaddrinfo() or by the procedure of NAPTR query, SRV record query and A/AAAA record.
1. Does the function getaddrinfo() use the NAPTR query technique internally?
2. What is the advantage of using the function getaddrinfo() over the other procedure?
getaddrinfo() does not query NAPTR or SRV records, or indeed any type of record except A and AAAA. getaddrinfo() is an interface to libc's hostname resolution service which is modelled as a simple mapping between names and addresses. To see how this is the case, consider that this resolution service may consult /etc/hosts or, more rarely, NIS+, LDAP, relational databases, and so on, as per its configuration file /etc/nsswitch.conf. Notice how none of these NSS backends understand anything about NAPTR or SRV records.
Only DNS implements NAPTR and SRV records, and if you want to query them, you will have to use an API to query DNS directly (see res_init() and related functions, or more interesting third-party libraries like c-ares that support non-blocking operations). You can't use the libc hostname resolution service to do it.
As to your second question, the advantages of using getaddrinfo() are (1) it's a lot easier to use, and (2) you'll locate entries which users may have inserted into /etc/hosts, which you'll miss if you query DNS directly.
getaddrinfo gives back IPv6 addresses as well. Also, you have the option of providing hints. There is one more variation, getaddrinfo_a; this API provides results in an async way. This is sometimes useful to avoid the program getting blocked at one place.

Node.js: Disable UDP DNS lookup and use the given IP instead

I have a simple CentOS node.js server that is supposed to consume high frequency UDP messages and then forward them to another service.
Trouble is that dgram.send does a DNS lookup on EVERY call. This DNS lookup is both slowing down the processing of the messages and occasionally getting the DNS server to blacklist the node.js host server thinking it's getting DOS'd.
The question is: how do I send a UDP packet in node.js WITHOUT incurring a DNS lookup?
Thanks for the time.
Glancing through the code for Node, it looks like you can pass an IP address to dgram.send and it won't do anything with DNS. Is it possible to look up or cache your IPs manually and then pass them to the send method?

DNS Server Refusing Connection

I am implementing a DNS client, in which I try to connect to a local DNS server, but the DNS server is returning the message with error code 5, which means that it's refusing the connection.
Any thoughts on why this might be happening? Thanks
DNS response error code 5 ("Refused") doesn't mean that the connection to the DNS server is refused.
It means that the DNS server refuses to provide whatever data you asked for, or to do whatever action you asked it to do (for example a dynamic update).
Since you mention a "connection", I assume that you are using TCP?
DNS primarily uses UDP, and some DNS servers will refuse all requests over TCP.
So the solution might be as simple as switching to UDP.
Otherwise, assuming you are building your own DNS client from scratch, my first guess would be that you are formatting the request incorrectly. Even though the DNS protocol seems fairly simple, it is very easy to get this wrong.
Finally, the DNS server may of course simply be configured to refuse requests for whatever you are asking.
Explicitly adding the network from which I wanted to allow recursion fixed this problem for me:
These two lines were added to /etc/bind/named.conf.options:
recursion yes;
allow-recursion { 10.2.0.0/16; };
Policy enforcement?
The DNS server could be configured to accept only connections from certain hosts.
Hmm, if you're able to access StackOverflow you have a working DNS server SOMEwhere. Try doing
host -v stackoverflow.com
and look for messages like
Received 50 bytes from 192.168.1.1#53 in 75 ms
then pick the address out of that line and use THAT as your DNS - it's obviously willing to talk to you.
If you're on Windows, use NSLOOKUP for the same purpose. Your name server's address will be SOMEwhere in the output.
EDIT:
When I'm stuck for a DNS server, I use the one whose address I can remember most easily: 4.2.2.2 . See how that works for you.
You might try monitoring the conversation using WireShark. It can also decode the packets for you, which might help you determine if your client's packets are correctly encoded. Just filter on port 53 (DNS) to limit the packets captured by the trace.
Also, make sure you're using UDP and not TCP for queries; TCP should be used primarily for zone transfers, not queries.
