Dns

From l7protocols

DNS is the Domain Name System, as defined in RFC 1035 and updated by many others (see below). It is primarily used to translate between domain names and IP addresses.

MDNS is Multicast DNS. Introduced by Apple, it is used in local networks that have no centralized nameserver. The protocol is identical to DNS; it is just used differently.

Identification

Ports

DNS servers usually run on UDP port 53. MDNS servers usually run on UDP port 5353.

l7-filter

l7-filter uses the dns pattern. It is well tested.

[\x01\x02].?.?.?.?.?.?[\x01-\x3F][a-z][\x01-\x3Fa-z]*[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?[\x01-\x10][\x01\x03\x04\xFF]

This does not match most MDNS traffic, because it assumes that there are no more than 2 queries per packet and that it is asking for Internet-style hostnames. Mac OS X routinely sends out packets with as many as 7 queries and asks for names like "JoeTheComputer [00:0d:aa:2a:66:c7]._workstation_.local".
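The following added example (not part of the original page or of l7-filter) runs the pattern above against constructed packets to show the behaviour described. It assumes l7-filter's preprocessing can be modelled as removing NUL bytes and lowercasing the payload, and it uses Python's re module in place of l7-filter's own regex engine; the helper names are hypothetical.

```python
import re
import struct

# The dns pattern from this page, as one expression.
DNS_PAT = re.compile(
    rb"[\x01\x02].?.?.?.?.?.?[\x01-\x3F][a-z][\x01-\x3Fa-z]*"
    rb"[\x02-\x06][a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?"
    rb"[\x01-\x10][\x01\x03\x04\xFF]",
    re.DOTALL,  # let "." match every byte, including 0x0a
)

def build_query(names, qtype, txid=0, flags=0):
    """Build a DNS/MDNS query: 12-byte header plus one question per name."""
    packet = struct.pack(">HHHHHH", txid, flags, len(names), 0, 0, 0)
    for name in names:
        for label in name.split("."):
            packet += bytes([len(label)]) + label.encode("ascii")
        # Root label, then QTYPE and QCLASS (IN = 1).
        packet += b"\x00" + struct.pack(">HH", qtype, 1)
    return packet

def l7_view(payload):
    """Assumed l7-filter preprocessing: drop NUL bytes, lowercase the rest."""
    return payload.replace(b"\x00", b"").lower()

def matches_dns(payload):
    """True if the dns pattern matches anywhere in the preprocessed payload."""
    return DNS_PAT.search(l7_view(payload)) is not None

# Constructed sample packets (not captured traffic).
UNICAST = build_query(["www.example.com"], qtype=1, txid=0x1234, flags=0x0100)
# Name quoted on this page; QTYPE 255 is ANY.
MDNS_NAME = "JoeTheComputer [00:0d:aa:2a:66:c7]._workstation_.local"
MDNS_ONE = build_query([MDNS_NAME], qtype=255)
MDNS_SEVEN = build_query([MDNS_NAME] * 7, qtype=255)

if __name__ == "__main__":
    samples = [
        ("unicast A query", UNICAST),
        ("MDNS, 1 question", MDNS_ONE),
        ("MDNS, 7 questions", MDNS_SEVEN),
    ]
    for label, pkt in samples:
        print(f"{label:20} matches dns pattern: {matches_dns(pkt)}")
```

In these samples the MDNS name already defeats the pattern with a single question: "[" and "_" fall outside the classes `[\x01-\x3Fa-z]` that the pattern allows inside a name.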

See also