DNS (Domain Name Service) finds out the IP addresses of services by name. DNS requests are generally made over UDP transport, but DNS can fall back to TCP for certain reasons. Our aim is to show an IP packet, mostly focusing on the IP layer, but to show it in the context of the other layers.
Here is the request of a machine named hohokus to find the IP address of a machine named www.cs.miami.edu. This is called a DNS query. The requesting machine must be configured with the IP address of a Domain Name Server (or Resolver) and it will direct the query to this machine. In this example, the DNS resolver's IP is 172.20.0.6. Hohokus' IP is 172.20.2.253.
In this case, the two machines are on the same network, so no router will be needed to pass the packet. So we should expect that the ethernet addresses on the link level header will belong to the machines with the IP addresses in the network level headers. If the resolver were not on the same network, the packet would be passed from network to network, with the layer 3, 4, etc., data unchanged but constantly repackaged inside a different layer 2 header, a new one for each local hop.
Here is the entire packet, broken down into the major levels:
Link level (layer 2): Ethernet II
Network level (layer 3): IP
Transport level (layer 4): UDP
Application level: DNS

0000 00 18 8b 75 1d e0 00 1f f3 d8 47 ab 08 00 45 00 ...u......G...E.
0010 00 44 ad 0b 00 00 40 11 72 72 ac 14 02 fd ac 14 .D....@.rr......
0020 00 06 e5 87 00 35 00 30 5b 6d ab c9 01 00 00 01 .....5.0[m......
0030 00 00 00 00 00 00 09 6d 63 63 6c 65 6c 6c 61 6e .......mcclellan
0040 02 63 73 05 6d 69 61 6d 69 03 65 64 75 00 00 01 .cs.miami.edu...
0050 00 01 ..
This packet uses ethernet for local transport. There are two variants of ethernet out there, Ethernet II and IEEE 802.3 Ethernet. The reason there are two: no good reason. They can and generally do flow intermixed on an ethernet network, with the electronics all knowing how to handle both variants.
This is Ethernet II
00 18 8b 75 1d e0 00 1f f3 d8 47 ab 08 00
Destination: 00:18:8b:75:1d:e0 (Dell_75:1d:e0)
Source: 00:1f:f3:d8:47:ab (Apple_d8:47:ab)
Type: 0x0800 (IP)
The header indicates the source and destination of the layer 2 endpoints. Ethernet addresses have their own structure. They are 48 bits, with the top 24 bits indicating the manufacturer of the ethernet card, and the lower 24 bits identifying the card uniquely. The top bits are called the OUI, Organizationally Unique Identifier. Here we see a Dell talking to an Apple.
The header also identifies the next layer up protocol. The payload is an IP packet.
Now the central feature of this note: the IP header. In it are the source and destination addresses, then a whole bunch of technical, detailed junk, and a code indicating what's contained in the next protocol layer up (a UDP packet).
This is IPv4
45 00 00 44 ad 0b 00 00 40 11 72 72 ac 14 02 fd ac 14 00 06
Version: 4
Header length: 5 (20 bytes)
TOS: 0x00
Total Length: 0x0044 (68 bytes)
Identification: 0xad0b
Flags and Fragments: 0x0000
TTL: 0x40 (64 hops)
Protocol: 0x11 (UDP)
Header Checksum: 0x7272
Source: 0xac1402fd (172.20.2.253)
Destination: 0xac140006 (172.20.0.6)
The transport layer is used once the packet reaches its destination. This layer directs the payload data to the application on the destination machine. It also rearranges the data, in some cases. This is a UDP packet, so nothing much complicated happens once the data reaches its destination. The port number is used to identify the applications interested in the data at the two ends of the communication channel. In this case, the destination port 53 is significant: it is a Well Known port, the one on which Name Servers listen for information requests. The source port is used to route the answer back to the requesting machine.
User Datagram Protocol
e5 87 00 35 00 30 5b 6d
Source port: 0xe587 (58759, an Ephemeral port for the return data)
Destination port: 0x0035 (53, the Well Known Port for DNS)
Length: 0x0030 (48 bytes, 68 minus 20)
Checksum: 0x5b6d [incorrect, should be 0xe320 (maybe caused by "UDP checksum offload"?)]
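To see where the 0x7272 and 0xe320 values above come from, here is an added example (not part of the original note) that takes the 82-byte query frame from the hex dump, verifies the IPv4 header checksum, and recomputes the UDP checksum over its pseudo-header. A mismatch like the 0x5b6d on the wire is what a capture taken before the NIC fills in the checksum (offload) looks like.

```python
import struct

# The 82-byte query frame from the note's hex dump: Ethernet II + IPv4 + UDP + DNS.
QUERY_FRAME = bytes.fromhex(
    "00188b751de0001ff3d847ab0800"                      # Ethernet II: dst, src, type IP
    "45000044ad0b000040117272ac1402fdac140006"          # IPv4 header (checksum 0x7272)
    "e587003500305b6d"                                  # UDP header (checksum 0x5b6d)
    "abc901000001000000000000"                          # DNS header: id 0xabc9, 1 question
    "096d63636c656c6c616e026373056d69616d690365647500"  # mcclellan.cs.miami.edu
    "00010001"                                          # type A, class IN
)

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add 16-bit big-endian words, fold carries, return the complement."""
    if len(data) % 2:
        data += b"\x00"                       # odd lengths are padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header_checksum(ip_header: bytes) -> int:
    """Checksum over the IPv4 header alone, with its own checksum field zeroed."""
    return ones_complement_sum(ip_header[:10] + b"\x00\x00" + ip_header[12:])

def udp_checksum(ip_header: bytes, udp_segment: bytes) -> int:
    """UDP checksum covers a pseudo-header (src IP, dst IP, zero, protocol, UDP length)
    followed by the whole UDP segment with its checksum field zeroed."""
    pseudo = ip_header[12:20] + b"\x00" + ip_header[9:10] + udp_segment[4:6]
    return ones_complement_sum(pseudo + udp_segment[:6] + b"\x00\x00" + udp_segment[8:])

def check_frame(frame: bytes) -> dict:
    """Split an Ethernet II / IPv4 / UDP frame and compare both checksums with the wire."""
    ihl = (frame[14] & 0x0F) * 4                        # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]    # IPv4 total length
    ip_header = frame[14:14 + ihl]
    udp_segment = frame[14 + ihl:14 + total_len]
    return {
        "ip_on_wire": struct.unpack("!H", ip_header[10:12])[0],
        "ip_computed": ip_header_checksum(ip_header),
        "udp_on_wire": struct.unpack("!H", udp_segment[6:8])[0],
        "udp_computed": udp_checksum(ip_header, udp_segment),
    }

if __name__ == "__main__":
    r = check_frame(QUERY_FRAME)
    print("IP header:   wire 0x%04x, computed 0x%04x" % (r["ip_on_wire"], r["ip_computed"]))
    print("UDP segment: wire 0x%04x, computed 0x%04x" % (r["udp_on_wire"], r["udp_computed"]))
```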
The packet has reached the DNS software on the DNS server. It now looks at the data, unpacks it according to the protocol specification of DNS, and tries to send back an answer. UDP is a good protocol for DNS. UDP is a best-effort delivery service, with very few guarantees for quality of delivery. If the requesting host gets no answer after a certain amount of time, it requests again, either to the same or perhaps an alternate DNS server.
Domain Name System (query)
ab c9 01 00 00 01 00 00 00 00 00 00 09 6d 63 63   ...mcc
6c 65 6c 6c 61 6e 02 63 73 05 6d 69 61 6d 69 03   lellan cs miami
65 64 75 00 00 01 00 01                           edu
Transaction ID: 0xabc9
Flags: 0x0100 (Standard query)
    0... .... .... .... = Response: Message is a query
    .000 0... .... .... = Opcode: Standard query (0)
    .... ..0. .... .... = Truncated: Message is not truncated
    .... ...1 .... .... = Recursion desired: Do query recursively
    .... .... .0.. .... = Z: reserved (0)
    .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
Questions: 0x0001
Answer RRs: 0x0000
Authority RRs: 0x0000
Additional RRs: 0x0000
Queries
    mcclellan.cs.miami.edu: type A, class IN
        Name: mcclellan.cs.miami.edu
        Type: A (Host address) 0x0001
        Class: IN (0x0001)
Note the encoding of mcclellan.cs.miami.edu: 0x09 (for 9 letters) mcclellan, 0x02 (for 2 letters) cs, 0x05 (for 5 letters) miami, 0x03 (for 3 letters) edu, 0x00 (to end).
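The label encoding noted above, as an added example that is not part of the original note: encode_name produces exactly the 24 bytes in the dump, and decode_name reads a name back. It goes one step beyond the query by also handling the 0xC0xx compression pointers that responses use to refer back to an earlier copy of a name, and it refuses pointer loops, which is the check a parser needs before it can be trusted on untrusted messages.

```python
def encode_name(name: str) -> bytes:
    """Length-prefixed labels ending in a zero byte, as in the query above."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:           # RFC 1035 caps a label at 63 octets
            raise ValueError("bad label length in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)                             # the empty root label ends the name
    return bytes(out)

def decode_name(msg: bytes, offset: int):
    """Return (name, offset just past the name as it appears at `offset`).
    A length byte with its top two bits set (0xC0) is a 14-bit pointer to an
    earlier copy of the name; follow it, but refuse pointer loops."""
    labels, end, jumped, seen = [], offset, False, set()
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:             # compression pointer
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target in seen:
                raise ValueError("pointer loop at offset %d" % offset)
            seen.add(target)
            if not jumped:
                end = offset + 2              # a pointer occupies only two bytes
                jumped = True
            offset = target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

# The note's 40-byte query message (header + question), followed by a constructed
# two-byte pointer 0xC00C back to the name at offset 12, as a response's answer would use.
QUERY_MSG = (bytes.fromhex("abc901000001000000000000")
             + encode_name("mcclellan.cs.miami.edu") + bytes.fromhex("00010001"))
MSG_WITH_POINTER = QUERY_MSG + bytes.fromhex("c00c")

if __name__ == "__main__":
    print(encode_name("mcclellan.cs.miami.edu").hex())
    print(decode_name(MSG_WITH_POINTER, 12))   # name read from its labels
    print(decode_name(MSG_WITH_POINTER, 40))   # same name read via the pointer
```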
Here is the response from the name server to the client machine. Try to find the levels, and parse each level. You should have no trouble with levels 2, 3 and 4. The application level might require guesswork or research.
0000 00 1f f3 d8 47 ab 00 18 8b 75 1d e0 08 00 45 00 ....G....u....E.
0010 00 86 d7 f6 00 00 40 11 47 45 ac 14 00 06 ac 14 ......@.GE......
0020 02 fd 00 35 e5 87 00 72 39 29 ab c9 85 80 00 01 ...5...r9)......
0030 00 01 00 02 00 01 09 6d 63 63 6c 65 6c 6c 61 6e .......mcclellan
0040 02 63 73 05 6d 69 61 6d 69 03 65 64 75 00 00 01 .cs.miami.edu...
0050 00 01 c0 0c 00 01 00 01 00 00 0e 10 00 04 ac 14 ................
0060 00 06 c0 16 00 02 00 01 00 00 0e 10 00 08 05 64 ...............d
0070 61 76 69 73 c0 16 c0 16 00 02 00 01 00 00 0e 10 avis............
0080 00 02 c0 0c c0 44 00 01 00 01 00 01 51 80 00 04 .....D......Q...
0090 ac 13 00 03 ....