2. DNS, the Domain Name System, is the Internet's distributed
database which maps the names used by web users, such as
www.yahoo.com, to the corresponding IP address.
3. [Diagram: the resolution path, numbered steps 1 to 7]
Local DNS Cache
ISP Recursive DNS Server
Root Nameservers
TLD Nameservers
Authoritative DNS servers
Retrieve the record
Receive the answer
4. DNS port is 53.
Any DNS message should have 53 as the port number,
as either source or destination.
The first message sent in any DNS exchange should
be a query, and it should be sent to the server.
The header size is 12 bytes.
5. Internal DNS
• It receives UDP packets with port 53 as the destination port.
• If UDP source port 53 replies are seen coming from the same node back to the IP address which
sent the query, then it is almost certain that the node is a server.
Traffic Exchange
• The traffic exchange should be balanced.
• It is an important characteristic of DNS traffic that if a message exchange occurs between two IP
addresses, then it should be balanced (a query should occur before the response).
6. Details
Packet size
• Packet size must be larger than 40 bytes if a DNS Q/R is included.
• TCP requires a minimum of 20 bytes for header info.
UDP header: 8 bytes.
DNS header: 12 bytes.
Response Size
• Responses are not expected to be much bigger than the query.
• Response size is not that big because it only sends the IP address.
It includes the same domain name along with the corresponding IP address, which is 4 bytes long.
7. Methodology
Capturing • Capture all data on UDP port 53.
Matching • Match flows to create a conversation.
Conversation Type • Determine whether the conversation is normal or imbalanced.
Identification • Apply the rules to identify the DNS server.
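The four methodology steps above, worked through as an added example (not code from the original slides): constructed packet tuples stand in for a capture, each DNS payload is built with a real 12-byte header, and the page's rules (port 53 on one side, a query before each response, a 40-byte minimum, the server being the port-53 side that answers) decide whether a conversation is normal and which IP is the server. The packet tuple layout, the 20 + 8 header bytes assumed above the payload, and the IP addresses are assumptions of this example.

```python
import struct

DNS_PORT, DNS_HEADER_LEN = 53, 12
MIN_PACKET = 20 + 8 + DNS_HEADER_LEN  # lower-layer + UDP + DNS header = 40 bytes, as on the slide

def build_msg(txid, response, name=b"www.yahoo.com"):
    """Constructed sample DNS message: header, question, and (for responses) one 4-byte A record."""
    qname = b"".join(bytes([len(p)]) + p for p in name.split(b".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, int(response), 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
    return hdr + qname + struct.pack("!HH", 1, 1) + (answer if response else b"")

def conversations(packets):
    """Steps 1-2: keep UDP port-53 packets and group them by unordered IP pair."""
    convs = {}
    for pkt in packets:  # assumed tuple layout: (src_ip, src_port, dst_ip, dst_port, dns_payload)
        if DNS_PORT in (pkt[1], pkt[3]):
            convs.setdefault(frozenset((pkt[0], pkt[2])), []).append(pkt)
    return convs

def classify(conv):
    """Steps 3-4: 'normal' with the server IP, or 'imbalanced' when a rule is broken."""
    outstanding, server = set(), None
    for src, sport, dst, dport, payload in conv:
        if 28 + len(payload) < MIN_PACKET:          # 20 + 8 header bytes assumed above the payload
            return "imbalanced", None
        txid, flags = struct.unpack("!HH", payload[:4])
        if not flags & 0x8000:                      # QR=0: a query, which must go to port 53
            if dport != DNS_PORT:
                return "imbalanced", None
            server = dst
            outstanding.add((src, txid))
        elif sport != DNS_PORT or src != server or (dst, txid) not in outstanding:
            return "imbalanced", None               # response without a preceding query
        else:
            outstanding.discard((dst, txid))
    return "normal", server

SAMPLE_PACKETS = [  # constructed: one client resolving two names, plus a stray unsolicited response
    ("192.0.2.10", 40001, "192.0.2.53", 53, build_msg(0x1A2B, False)),
    ("192.0.2.53", 53, "192.0.2.10", 40001, build_msg(0x1A2B, True)),
    ("192.0.2.10", 40002, "192.0.2.53", 53, build_msg(0x1A2C, False)),
    ("192.0.2.53", 53, "192.0.2.10", 40002, build_msg(0x1A2C, True)),
    ("198.51.100.7", 53, "192.0.2.20", 41000, build_msg(0x0001, True)),
]

def identify_servers(packets):
    """Whole methodology: {'ip+ip' sorted pair: (verdict, server_ip)} for every port-53 conversation."""
    return {"+".join(sorted(pair)): classify(conv) for pair, conv in conversations(packets).items()}
```

Running `identify_servers(SAMPLE_PACKETS)` marks the 192.0.2.10/192.0.2.53 exchange normal with 192.0.2.53 as the server, and flags the unsolicited response from 198.51.100.7 as imbalanced because no query preceded it.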