The World of OpenWrt: Raspberry Pi 3B [Router] Shifting the Stars (4.5) Scapy 3, IP/TCP, Part B

To give readers a first glimpse of Scapy as a whole, without getting lost in the forest of conventions and the ocean of commands in its user manual, let us take the Domain Name System (DNS) as an example:

Domain Name System

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most prominently, it translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. By providing a worldwide, distributed directory service, the Domain Name System has been an essential component of the functionality of the Internet since 1985.

The Domain Name System delegates the responsibility of assigning domain names and mapping those names to Internet resources by designating authoritative name servers for each domain. Network administrators may delegate authority over sub-domains of their allocated name space to other name servers. This mechanism provides distributed and fault-tolerant service and was designed to avoid a single large central database.

The Domain Name System also specifies the technical functionality of the database service that is at its core. It defines the DNS protocol, a detailed specification of the data structures and data communication exchanges used in the DNS, as part of the Internet Protocol Suite.

The Internet maintains two principal namespaces, the domain name hierarchy[1] and the Internet Protocol (IP) address spaces.[2] The Domain Name System maintains the domain name hierarchy and provides translation services between it and the address spaces. Internet name servers and a communication protocol implement the Domain Name System.[3] A DNS name server is a server that stores the DNS records for a domain; a DNS name server responds with answers to queries against its database.

The most common types of records stored in the DNS database are for Start of Authority (SOA), IP addresses (A and AAAA), SMTP mail exchangers (MX), name servers (NS), pointers for reverse DNS lookups (PTR), and domain name aliases (CNAME). Although not intended to be a general purpose database, DNS has been expanded over time to store records for other types of data for either automatic lookups, such as DNSSEC records, or for human queries such as responsible person (RP) records. As a general purpose database, the DNS has also been used in combating unsolicited email (spam) by storing a real-time blackhole list (RBL). The DNS database is traditionally stored in a structured text file, the zone file, but other database systems are common.

The hierarchical Domain Name System for class Internet, organized into zones, each served by a name server

……

DNS message format

The DNS protocol uses two types of DNS messages, queries and replies, and they both have the same format. Each message consists of a header and four sections: question, answer, authority, and an additional space. A header field (flags) controls the content of these four sections.[1]

The header section contains the following fields: Identification, Flags, Number of questions, Number of answers, Number of authority resource records (RRs), and Number of additional RRs. The identification field can be used to match responses with queries. The flag field consists of several sub-fields. The first is a single bit which indicates if the message is a query (0) or a reply (1). The second sub-field consists of four bits indicating the type of query, or the type of query this message is a response to. 0 is a standard query, 1 an inverse query, 2 is a server status request. A single-bit sub-field indicates if the DNS server is authoritative for the queried hostname. Another single-bit sub-field indicates if the client wants to send a recursive query (“RD”). The next single-bit sub-field indicates if the replying DNS server supports recursion (“RA”), as not all DNS servers are configured to do this task. Another sub-field indicates if the message was truncated for some reason (“TC”), and a four-bit sub-field is used for error codes. The question section contains the domain name and type of record (A, AAAA, MX, TXT, etc.) being resolved. The domain name is broken into discrete labels which are concatenated; each label is prefixed by the length of that label. The answer section has the resource records of the queried name. A domain name may occur in multiple records if it has multiple IP addresses associated.[24]

DNS Protocol transport

DNS primarily uses the User Datagram Protocol (UDP) on port number 53 to serve requests.[3] DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. When the length of the answer exceeds 512 bytes and both client and server support EDNS, larger UDP packets are used. Otherwise, the query is sent again using the Transmission Control Protocol (TCP). TCP is also used for tasks such as zone transfers. Some resolver implementations use TCP for all queries.

………


A first look at nslookup

NSLOOKUP(1)                          BIND9                         NSLOOKUP(1)

NAME
       nslookup - query Internet name servers interactively

SYNOPSIS
       nslookup [-option] [name | -] [server]

DESCRIPTION
       Nslookup is a program to query Internet domain name servers.  Nslookup
       has two modes: interactive and non-interactive. Interactive mode allows
       the user to query name servers for information about various hosts and
       domains or to print a list of hosts in a domain. Non-interactive mode
       is used to print just the name and requested information for a host or
       domain.

ARGUMENTS
       Interactive mode is entered in the following cases:

        1. when no arguments are given (the default name server will be used)

        2. when the first argument is a hyphen (-) and the second argument is
           the host name or Internet address of a name server.
...


root@kali:~# nslookup scapy.net
Server:		5.168.168.1
Address:	5.168.168.1#53

Non-authoritative answer:
Name:	scapy.net
Address: 104.25.115.13
Name:	scapy.net
Address: 104.25.114.13
Name:	scapy.net
Address: 2606:4700:20::6819:720d
Name:	scapy.net
Address: 2606:4700:20::6819:730d
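
The message format and transport sections above describe the DNS header word by word, and the nslookup session shows what a resolver prints after exchanging those messages. The following pure-Python code is an added example, not code from the original post or from Scapy: it encodes the question name as length-prefixed labels, packs the header fields (ID, flags, the four section counts), and parses a reply, including the flag sub-fields (QR, Opcode, AA, TC, RD, RA, RCODE) and compression pointers. The reply it parses is constructed locally to stand in for a real server; the transaction id 0x1234 and the TTL of 300 are assumed values, while the two A addresses for scapy.net are the ones nslookup printed above. Only the question and answer sections are decoded; authority and additional records are left unparsed.

```python
# Added example (not from the original post): a hand-built DNS query and a
# constructed reply, parsed with the header layout described in the text.
import ipaddress
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """Length-prefixed labels ending in a zero byte: "scapy.net" -> \\x05scapy\\x03net\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Read a name at msg[off:], following compression pointers; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: two-byte pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off


def parse_flags(flags):
    """Split the 16-bit flags word into the sub-fields named in the text."""
    return {
        "qr": flags >> 15 & 1,        # 0 = query, 1 = reply
        "opcode": flags >> 11 & 0xF,  # 0 standard, 1 inverse, 2 server status
        "aa": flags >> 10 & 1,        # authoritative answer
        "tc": flags >> 9 & 1,         # truncated: the client retries over TCP
        "rd": flags >> 8 & 1,         # recursion desired
        "ra": flags >> 7 & 1,         # recursion available
        "rcode": flags & 0xF,         # error code
    }


def build_query(txid, name, qtype="A"):
    """Standard query with RD=1: header plus one question (name, type, class IN)."""
    header = HEADER.pack(txid, 1 << 8, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def build_reply(query, records):
    """Constructed reply standing in for a real server: same id, echoed question,
    QR=1 and RA=1, each answer naming the owner via the pointer 0xC00C (offset 12)."""
    txid, qflags = HEADER.unpack(query[:12])[:2]
    rflags = (1 << 15) | (qflags & (1 << 8)) | (1 << 7)
    out = HEADER.pack(txid, rflags, 1, len(records), 0, 0) + query[12:]
    for rtype, ttl, addr in records:
        packed = ipaddress.ip_address(addr).packed
        out += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(packed)) + packed
    return out


def parse_message(msg):
    """Parse the header, question and answer sections (authority/additional are skipped)."""
    txid, flags, qd, an, ns, ar = HEADER.unpack(msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            rdata = str(ipaddress.IPv6Address(rdata))
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": parse_flags(flags), "counts": (qd, an, ns, ar),
            "questions": questions, "answers": answers}


def demo_exchange():
    """The scapy.net lookup from the nslookup session, replayed offline: the reply is
    constructed here (assumed id and TTL) and carries the two A records nslookup printed."""
    query = build_query(0x1234, "scapy.net", "A")
    reply = build_reply(query, [(1, 300, "104.25.115.13"), (1, 300, "104.25.114.13")])
    return query, reply, parse_message(reply)


if __name__ == "__main__":
    q, r, p = demo_exchange()
    print(q.hex())
    print(r.hex())
    print(p)
```

Running the block prints the raw query, the raw reply, and the parsed reply with flags 0x8180 (QR=1, RD=1, RA=1), which is exactly the flag word a recursive resolver returns for the non-authoritative answer shown in the nslookup output. A reply whose parsed `tc` flag is 1 would be the case the transport section describes, where the client repeats the query over TCP.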


How are these basic functions implemented? ☆