DNS query 原理

spyhjl

本文主要基于SOCK_RAW套接字的简单代码来展示DNS的query过程：

1. #include <stdio.h>
   
2. #include <linux/udp.h>
   
3. #include <sys/types.h>
   
4. #include <sys/socket.h>
   
5. #include <netinet/in.h>
   
6. #include <netinet/ip.h>
   
7. #include <arpa/inet.h>
   
8. #include <stdlib.h>
   
9. #include <time.h>
   
10. #include <unistd.h>
    
11. #include <string.h>
    
12. #include <stdlib.h>
    
13. #include <error.h>
    
14. 
    
15. #define ATTACK_PORT 53
    
16. #define NAME_LENTH 13
    
17. static char default_gw[13] = "172.16.0.254";
    
18. 
    
19. typedef struct{
    
20.     short id;
    
21.     short flag;
    
22.     short question_num;
    
23.     short rr_num;
    
24.     short anthority_num;
    
25.     short additional_rr;
    
26. }dns_header_t;
    
27. 
    
28. typedef struct{
    
29.     char name[NAME_LENTH + 1];
    
30.     short type;
    
31.     short class;
    
32. }dns_query_t;
    
33. 
    
34. typedef struct {
    
35.     struct udphdr udp_header;
    
36.     dns_header_t dns_header;
    
37.     dns_query_t dns_query;
    
38. }dns_t;
    
39. 
    
40. static int raw_socket_init(int *sockfd, void *s)
    
41. {
    
42.     int on = 1;
    
43.     int rawfd;
    
44.     struct sockaddr_in *ser = (struct sockaddr_in *)s;
    
45. 
    
46.     setuid(getuid());
    
47.     if((rawfd = socket(AF_INET, SOCK_RAW, IPPROTO_UDP)) < 0){
    
48.         perror("socket fail");
    
49.         exit(1);
    
50.     }
    
51. 
    
52.     *sockfd = rawfd;
    
53.     setsockopt(rawfd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on));
    
54.     
    
55.     memset(ser, 0, sizeof(*ser));
    
56.     ser->sin_family = AF_INET;
    
57.     ser->sin_port = htons(ATTACK_PORT);
    
58.     ser->sin_addr.s_addr = inet_addr("172.16.0.254");
    
59. 
    
60.     return 0;
    
61. }
    
62. static int ip_init(void *ipp)
    
63. {
    
64.     struct iphdr *ip = ipp;
    
65. 
    
66.     ip->version = IPVERSION;
    
67.     ip->ihl = sizeof(struct ip) >> 2;
    
68.     ip->tos = 0;
    
69.     ip->tot_len = sizeof(struct ip) + sizeof(dns_t);
    
70.     ip->id = 0;
    
71.     ip->frag_off = 0;
    
72.     ip->ttl = MAXTTL;
    
73.     ip->protocol = IPPROTO_UDP;
    
74.     ip->check = 0;
    
75.     //inet_pton(AF_INET, "172.16.0.254", (void*)&ip->daddr);
    
76.     inet_pton(AF_INET, default_gw, (void*)&ip->daddr);
    
77.     
    
78.     return 0;
    
79. }
    
80. 
    
81. static int dns_init(dns_t *dns)
    
82. {
    
83.     char name[] = {0x03,'w','w','w',0x04,'a','d','i','d',0x03,'c','o','m','\0'};
    
84.     dns->udp_header.source = htons(8888);
    
85.     dns->udp_header.dest = htons(53);
    
86.     dns->udp_header.len = htons(sizeof(dns_t));
    
87.     dns->udp_header.check = 0;
    
88. 
    
89.     dns->dns_header.id = 0x0001;
    
90.     dns->dns_header.flag = htons(0x0100);
    
91.     dns->dns_header.question_num = htons(1);
    
92.     dns->dns_header.rr_num = 0;
    
93.     dns->dns_header.anthority_num = 0;
    
94.     dns->dns_header.additional_rr = 0;
    
95.     
    
96.     memcpy(dns->dns_query.name, name, sizeof(name));
    
97.     dns->dns_query.type = htons(1);
    
98.     dns->dns_query.class = htons(1);
    
99. 
    
100.     return 0;
     
101. }
     
102. 
     
103. static char * dns_databuf_init(void)
     
104. {
     
105.     char *data_buf = NULL;
     
106.     struct iphdr *ip;
     
107.     dns_t *dns;
     
108. 
     
109.     if((data_buf = malloc(sizeof(dns_t) +
     
110.                     sizeof(*ip))) == NULL){
     
111.         free(data_buf);
     
112.         perror("malloc");
     
113.         return NULL;
     
114.     }
     
115. 
     
116.     ip = (struct iphdr *)data_buf;
     
117.     ip_init(ip);
     
118.     dns = (dns_t *)(data_buf + sizeof(*ip));
     
119.     dns_init(dns);
     
120. 
     
121.     return data_buf;
     
122. }
     
123. 
     
124. static int send_dns_query(int rawfd,
     
125.         char *databuf, int lenth, void *addr)
     
126. {
     
127.     struct sockaddr_in *skaddr = addr;
     
128.     srand(time(NULL));
     
129. 
     
130.     sendto(rawfd, databuf, lenth, 0,
     
131.                 (struct sockaddr *)skaddr, sizeof(*skaddr));
     
132.   
     
133.     return 0;
     
134. }
     
135. 
     
136. static int help_info(void)
     
137. {
     
138.     fprintf(stdout, "dns usage:\n");
     
139.     fprintf(stdout, "./dns [-gw gateway] [--help]\n");
     
140. 
     
141.     return 0;
     
142. }
     
143. 
     
144. static int param_input(int argnum, char **arg)
     
145. {
     
146.     int i;
     
147. 
     
148.     if(1 == argnum){
     
149.         fprintf(stderr, "input err: without dest gateway ipaddr\n");
     
150.         help_info();
     
151.         exit(1);
     
152.     }
     
153. 
     
154.     for(i = 1; i < argnum; i++){
     
155.         if(strcmp(arg[i], "-gw") == 0){
     
156.             i++;
     
157.             if(i >= argnum || 12 < strlen(arg[i])){
     
158.                 help_info();
     
159.                 exit(1);
     
160.             }
     
161.             memset(default_gw, '\0', sizeof(default_gw));
     
162.             strncpy(default_gw, arg[i], strlen(arg[i]));
     
163.         }else if(strcmp(arg[i], "--help") == 0){
     
164.             help_info();
     
165.             exit(0);
     
166.         }else{
     
167.             help_info();
     
168.             exit(1);
     
169.         }
     
170.     }
     
171. 
     
172.     return 0;
     
173. }
     
174. 
     
175. int main(int argc, char *argv[])
     
176. {
     
177.     int rawfd;
     
178.     int data_len;
     
179.     struct sockaddr_in ser;
     
180.     char *data_buf;
     
181.     
     
182.     param_input(argc, argv);
     
183.     //printf("gateway:%s\n", default_gw);
     
184. 
     
185.     /* create raw socket and init dest addr */
     
186.     raw_socket_init(&rawfd, (void*)&ser);
     
187. 
     
188.     /* create and init data send buffer */
     
189.     if((data_buf = dns_databuf_init()) == NULL){
     
190.         perror("dns_databuf_ini");
     
191.         exit(1);
     
192.     }
     
193.     
     
194.     /* send manual buffer data to the dest server with the raw socket */
     
195.     data_len = sizeof(dns_t) + sizeof(struct iphdr);
     
196.     
     
197.     send_dns_query(rawfd, data_buf, data_len, (void*)&ser);
     
198.     
     
199.     free(data_buf);
     
200.     return 0;
     
201. }

基于dns的数据包与格式的原理通过wireshark的转包截图图下：
 
通过上面的原理图，很容易理解上述的基于DNS的代码原理，当然这只是简单的一个小示例，我想其他的网络数据包
的原理跟上述的思路一样，所以读者应该明白在了解各种网络协议原理的基础上，辅以相关的抓包工具，利用原始
套接字(SOCK_RAW in AF_INET or PF_INET)足以模拟制作各种网络报文了。