DNS Capture – The Records Edition

Some time ago I published a post called DNS Test Names & Resource Records which lists many different FQDNs with lots of different RRs. You can use those publicly available DNS names to test your DNS servers or the like. However, I was missing a packet capture showing all these resource records as they appear on the wire. So now, here it is. If you are searching for some packets to test your tools for whatever reason, feel free to download this pcap.

This blogpost is part of a series about DNSSEC. Refer to this list for all articles.

Some Notes

  • I was basically looking up every single hostname that I listed in this blogpost.
  • I was using “host” to query A and AAAA records simultaneously and “dig” for more specific RRs. (Yes, I could have done everything with either of them. But this way I have some variance in the trace as well.)
  • However, I ran into some issues with “host”. For example, host 64aaaa.weberdns.de 2620:fe::fe was not working; error message “;; connection timed out; no servers could be reached”. Probably due to my intermediate firewall (Palo Alto Networks) or the IPv6 tunnel broker I use?!? (I looked at the counters on the Palo Alto, but saw no drops. So probably due to the 6in4 tunnel broker?) Wireshark shows some “malformed DNS” packets. With dig, it worked: dig 64aaaa.weberdns.de @2620:fe::fe aaaa. Anyway, I left those failed connections in the trace as well. That’s life. ;)
  • Since I am generally more interested in IPv6 rather than legacy IP, I issued all queries via IPv6 and IPv4. This should give a wide range of different DNS packets in the trace file.
  • I was using the recursive DNS servers from Quad9, for IPv6 (2620:fe::fe) as well as for legacy IP (9.9.9.9).
  • For some reason, I had problems querying Quad9 for “RRSIG” resource records. dig @2620:fe::fe many-rrs.weberdns.de rrsig led to SERVFAIL responses in some situations, while others worked. I don’t know why either.
  • I did not specify whether UDP or TCP shall be used. I simply let the tools decide.
  • I ended up with 71 queries for each Internet Protocol, that is, 142 queries in total. ;) And since “host” queries A/AAAA/MX records for each FQDN, there are even more queries in the final trace.
  • I used a capture filter with tcpdump with only the hosts rather than “port 53” or the like to avoid this reported filter issue in which IP fragments were not captured.
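The following script is an added example of the capture procedure described in the notes above; it is not the script used for the original trace. It captures on the resolver hosts instead of on port 53 (only the first fragment of a large, fragmented DNS response carries the UDP header, so a port filter drops the remaining fragments), then issues one dig query per FQDN over IPv4 and over IPv6 against Quad9. The Quad9 addresses and the weberdns.de names come from the post; the `-i any` interface, the `run` sub-command, the output file names and the use of dig’s `-4`/`-6` flags to force the address family are my assumptions. Running the capture requires root (or capture capabilities) and network access; the builder functions work offline.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the capture setup
# with a host-based filter and a deterministic list of dig queries.

# Recursive resolvers used in the post (Quad9).
RESOLVER4="9.9.9.9"
RESOLVER6="2620:fe::fe"

# Build the tcpdump capture filter on the resolver addresses. Non-first IP
# fragments of large responses have no UDP header, so "port 53" would miss
# them; "host" matches on the IP header present in every fragment.
build_capture_filter() {
    # usage: build_capture_filter <ipv4-resolver> <ipv6-resolver>
    printf 'host %s or host %s' "$1" "$2"
}

# Emit one dig command line per (address family, FQDN) for a given RR type.
# -4 / -6 force dig to use IPv4 or IPv6 transport to the resolver.
build_query_plan() {
    # usage: build_query_plan <rrtype> <fqdn>...
    rrtype="$1"; shift
    for name in "$@"; do
        printf 'dig -4 @%s %s %s\n' "$RESOLVER4" "$name" "$rrtype"
        printf 'dig -6 @%s %s %s\n' "$RESOLVER6" "$name" "$rrtype"
    done
}

# Number of queries the plan will issue (two per FQDN).
count_queries() {
    build_query_plan "$@" | wc -l | tr -d ' '
}

# Start tcpdump with the host filter, run every query, then stop the capture.
# Assumed: "-i any" (Linux) and the output file names below.
run_capture() {
    # usage: run_capture <pcap-file> <rrtype> <fqdn>...
    pcap="$1"; shift
    tcpdump -i any -w "$pcap" "$(build_capture_filter "$RESOLVER4" "$RESOLVER6")" &
    tcpdump_pid=$!
    sleep 1   # let tcpdump attach before the first query goes out
    build_query_plan "$@" | while read -r cmd; do
        printf '$ %s\n' "$cmd" >> queries.log
        sh -c "$cmd" >> queries.log 2>&1 || true   # keep going on SERVFAIL/timeouts
    done
    kill "$tcpdump_pid"
}

# Example invocation (assumed sub-command):
#   sh capture.sh run dns-records.pcap RRSIG many-rrs.weberdns.de 64aaaa.weberdns.de
case "${1:-}" in
    run) shift; run_capture "$@" ;;
esac
```

The query log written beside the pcap plays the role of the PuTTY session log mentioned in the download section: every command is recorded before its output, so a SERVFAIL or timeout in the trace can be matched to the exact query that caused it.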

Download

This is the pcap as well as the PuTTY log during the requests, 7zipped, 35 kb:

Opening the trace with Wireshark, you’ll find many different queries for many different RRs:

And, as already noted above, not everything worked without any problems:

DNS Queries

This is the full list of all queries. (You already have the complete session log from all queries, since it is within the download section above.)

That’s it. God bless!

Photo by Mark Solarski on Unsplash.
