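Today I sniffed DNS traffic and found that the DNS response packet obtained from the internal network differs from the one obtained from the external network: in the one obtained internally, everything after the point marked in red below is gone.
- Query response packet obtained by running nslookup from the internal network: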
- No. Time Source Destination Protocol Info
- 4 0.042612 202.103.224.68 192.168.1.210 DNS Standard query response A 192.168.1.5[Malformed Packet]
- Frame 4 (175 bytes on wire, 175 bytes captured)
- Arrival Time: Apr 11, 2008 16:40:31.797477000
- [Time delta from previous captured frame: 0.020654000 seconds]
- [Time delta from previous displayed frame: 0.020654000 seconds]
- [Time since reference or first frame: 0.042612000 seconds]
- Frame Number: 4
- Frame Length: 175 bytes
- Capture Length: 175 bytes
- [Frame is marked: False]
- [Protocols in frame: eth:ip:udp:dns]
- [Coloring Rule Name: UDP]
- [Coloring Rule String: udp]
- Ethernet II, Src: HuaweiTe_1c:55:2e (HuaweiTe_1c:55:2e), Dst: Dell_11:23:54 (00:15:c5:11:23:54)
- Destination: Dell_11:23:54 (00:15:c5:11:23:54)
- Address: Dell_11:23:54 (00:15:c5:11:23:54)
- .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
- .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
- Source: HuaweiTe_1c:55:2e (HuaweiTe_1c:55:2e)
- Address: HuaweiTe_1c:55:2e (HuaweiTe_1c:55:2e)
- .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
- .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
- Type: IP (0x0800)
- Internet Protocol, Src: 202.103.224.68 (202.103.224.68), Dst: 192.168.1.210 (192.168.1.210)
- Version: 4
- Header length: 20 bytes
- Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
- 0000 00.. = Differentiated Services Codepoint: Default (0x00)
- .... ..0. = ECN-Capable Transport (ECT): 0
- .... ...0 = ECN-CE: 0
- Total Length: 161
- Identification: 0x44bd (17597)
- Flags: 0x04 (Don't Fragment)
- 0... = Reserved bit: Not set
- .1.. = Don't fragment: Set
- ..0. = More fragments: Not set
- Fragment offset: 0
- Time to live: 244
- Protocol: UDP (0x11)
- Header checksum: 0x07ac [correct]
- [Good: True]
- [Bad : False]
- Source: 202.103.224.68 (202.103.224.68)
- Destination: 192.168.1.210 (192.168.1.210)
- User Datagram Protocol, Src Port: domain (53), Dst Port: edm-mgr-sync (3464)
- Source port: domain (53)
- Destination port: edm-mgr-sync (3464)
- Length: 141
- Checksum: 0xa01e [correct]
- [Good Checksum: True]
- [Bad Checksum: False]
- Domain Name System (response)
- [Request In: 3]
- [Time: 0.020654000 seconds]
- Transaction ID: 0x0002
- Flags: 0x8180 (Standard query response, No error)
- 1... .... .... .... = Response: Message is a response
- .000 0... .... .... = Opcode: Standard query (0)
- .... .0.. .... .... = Authoritative: Server is not an authority for domain
- .... ..0. .... .... = Truncated: Message is not truncated
- .... ...1 .... .... = Recursion desired: Do query recursively
- .... .... 1... .... = Recursion available: Server can do recursive queries
- .... .... .0.. .... = Z: reserved (0)
- .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
- .... .... .... 0000 = Reply code: No error (0)
- Questions: 1
- Answer RRs: 1
- Authority RRs: 2
- Additional RRs: 2
- Queries
- www.abc.com: type A, class IN
- Name: www.abc.com
- Type: A (Host address)
- Class: IN (0x0001)
- Answers
- www.abc.com: type A, class IN, addr 192.168.1.5
- Name: www.abc.com
- Type: A (Host address)
- Class: IN (0x0001)
- Time to live: 1 hour, 41 minutes, 46 seconds
- Data length: 4
- Addr: 192.168.1.5 <-------- Here NAT has already pointed the domain name to the internal IP, but the data after this point is gone.
- Authoritative nameservers
- [Malformed Packet: DNS]
Query response packet obtained from the external network over an ADSL connection:
- No. Time Source Destination Protocol Info
- 7 2.962351 192.168.0.1 192.168.0.102 DNS Standard query response A 202.104.55.18
- Frame 7 (175 bytes on wire, 175 bytes captured)
- Arrival Time: Apr 11, 2008 16:37:41.408683000
- [Time delta from previous captured frame: 0.718414000 seconds]
- [Time delta from previous displayed frame: 0.718414000 seconds]
- [Time since reference or first frame: 2.962351000 seconds]
- Frame Number: 7
- Frame Length: 175 bytes
- Capture Length: 175 bytes
- [Frame is marked: False]
- [Protocols in frame: eth:ip:udp:dns]
- [Coloring Rule Name: UDP]
- [Coloring Rule String: udp]
- Ethernet II, Src: 00:00:00_00:00:00 (00:00:00:00:00:00), Dst: 80:00:60:0f:e8:00 (80:00:60:0f:e8:00)
- Destination: 80:00:60:0f:e8:00 (80:00:60:0f:e8:00)
- Address: 80:00:60:0f:e8:00 (80:00:60:0f:e8:00)
- .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
- .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
- Source: 00:00:00_00:00:00 (00:00:00:00:00:00)
- Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
- .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
- .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
- Type: IP (0x0800)
- Internet Protocol, Src: 192.168.0.1 (192.168.0.1), Dst: 192.168.0.102 (192.168.0.102)
- Version: 4
- Header length: 20 bytes
- Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
- 0000 00.. = Differentiated Services Codepoint: Default (0x00)
- .... ..0. = ECN-Capable Transport (ECT): 0
- .... ...0 = ECN-CE: 0
- Total Length: 161
- Identification: 0x01ed (493)
- Flags: 0x00
- 0... = Reserved bit: Not set
- .0.. = Don't fragment: Not set
- ..0. = More fragments: Not set
- Fragment offset: 0
- Time to live: 128
- Protocol: UDP (0x11)
- Header checksum: 0xb6a7 [correct]
- [Good: True]
- [Bad : False]
- Source: 192.168.0.1 (192.168.0.1)
- Destination: 192.168.0.102 (192.168.0.102)
- User Datagram Protocol, Src Port: domain (53), Dst Port: ndl-als (3431)
- Source port: domain (53)
- Destination port: ndl-als (3431)
- Length: 141
- Checksum: 0xb7ed [correct]
- [Good Checksum: True]
- [Bad Checksum: False]
- Domain Name System (response)
- [Request In: 6]
- [Time: 0.718414000 seconds]
- Transaction ID: 0x0002
- Flags: 0x8180 (Standard query response, No error)
- 1... .... .... .... = Response: Message is a response
- .000 0... .... .... = Opcode: Standard query (0)
- .... .0.. .... .... = Authoritative: Server is not an authority for domain
- .... ..0. .... .... = Truncated: Message is not truncated
- .... ...1 .... .... = Recursion desired: Do query recursively
- .... .... 1... .... = Recursion available: Server can do recursive queries
- .... .... .0.. .... = Z: reserved (0)
- .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
- .... .... .... 0000 = Reply code: No error (0)
- Questions: 1
- Answer RRs: 1
- Authority RRs: 2
- Additional RRs: 2
- Queries
- www.abc.com: type A, class IN
- Name: www.abc.com
- Type: A (Host address)
- Class: IN (0x0001)
- Answers
- www.abc.com: type A, class IN, addr 202.104.55.18
- Name: www.abc.com
- Type: A (Host address)
- Class: IN (0x0001)
- Time to live: 3 hours
- Data length: 4
- Addr: 202.104.55.18 <---------------- Accessed from the external network; the domain name points to the external IP
- Authoritative nameservers
- abc.com: type NS, class IN, ns ns.gxnnptt.net.cn
- Name: abc.com
- Type: NS (Authoritative name server)
- Class: IN (0x0001)
- Time to live: 2 hours, 43 minutes, 31 seconds
- Data length: 13
- Name server: ns.gxnnptt.net.cn
- abc.com: type NS, class IN, ns ns.lzptt.gx.cn
- Name: abc.com
- Type: NS (Authoritative name server)
- Class: IN (0x0001)
- Time to live: 2 hours, 43 minutes, 31 seconds
- Data length: 14
- Name server: ns.lzptt.gx.cn
- Additional records
- ns.lzptt.gx.cn: type A, class IN, addr 202.103.225.70
- Name: ns.lzptt.gx.cn
- Type: A (Host address)
- Class: IN (0x0001)
- Time to live: 32 minutes, 42 seconds
- Data length: 4
- Addr: 202.103.225.70
- ns.gxnnptt.net.cn: type A, class IN, addr 202.104.55.18
- Name: ns.gxnnptt.net.cn
- Type: A (Host address)
- Class: IN (0x0001)
- Time to live: 2 hours, 36 minutes, 21 seconds
- Data length: 4
- Addr: 202.104.55.18
[ Last edited by Bsdder on 2008-4-12 12:23 ]