Reputation: 1079
I have code in python.
from dns import message, query, flags, rdatatype
q = message.make_query("bancontact.node1.web1.prod.kunstmaan.com", rdatatype.NS, want_dnssec=True)
q.flags |= flags.AD
res = query.udp(q, "170.252.72.92")
and a dig query:
dig bancontact.node1.web1.prod.kunstmaan.com ns @170.252.72.92
I checked with Wireshark that the queries are equal.
This is the query from Python:
0000 4c 17 eb fe 74 00 f0 18 98 74 f9 be 08 00 45 00 L...t....t....E.
0010 00 61 2b 0d 00 00 40 11 9a 71 c0 a8 01 0d aa fc .a+...@..q......
0020 48 5c d0 42 00 35 00 4d 18 59 7d 2a 01 20 00 01 H\.B.5.M.Y}*. ..
0030 00 00 00 00 00 01 0a 62 61 6e 63 6f 6e 74 61 63 .......bancontac
0040 74 05 6e 6f 64 65 31 04 77 65 62 31 04 70 72 6f t.node1.web1.pro
0050 64 09 6b 75 6e 73 74 6d 61 61 6e 03 63 6f 6d 00 d.kunstmaan.com.
0060 00 02 00 01 00 00 29 05 00 00 00 80 00 00 00 ......)........
This is from dig:
0000 4c 17 eb fe 74 00 f0 18 98 74 f9 be 08 00 45 00 L...t....t....E.
0010 00 61 c8 9b 00 00 40 11 fc e2 c0 a8 01 0d aa fc .a....@.........
0020 48 5c d4 49 00 35 00 4d 45 f3 4b fe 01 20 00 01 H\.I.5.ME.K.. ..
0030 00 00 00 00 00 01 0a 62 61 6e 63 6f 6e 74 61 63 .......bancontac
0040 74 05 6e 6f 64 65 31 04 77 65 62 31 04 70 72 6f t.node1.web1.pro
0050 64 09 6b 75 6e 73 74 6d 61 61 6e 03 63 6f 6d 00 d.kunstmaan.com.
0060 00 02 00 01 00 00 29 10 00 00 00 00 00 00 00 ......)........
The differences are only in Identification: 2b 0d vs c8 9b, Header checksum: 9a 71 vs fc e2, Source Port: d0 42 vs d4 49 and Transaction ID: 18 59 7d 2a vs 45 f3 4b fe.
The queries are equal and all flags are equal, but the response to the query from the Python code:
DNS 119 Standard query response 0x7d2a NS bancontact.node1.web1.prod.kunstmaan.com OPT
is different from the response to the query from dig:
DNS 205 Standard query response 0x4bfe NS bancontact.node1.web1.prod.kunstmaan.com CNAME public.node1.web1.prod.kunstmaan.com SOA amrns1501.accenture.com OPT
Can someone explain why it happened?
Thank you.
Upvotes: 1
Views: 70
Reputation: 10899
There are two more differences between your queries:
05 00 and from dig you have 10 00 as "UDP Payload Size"
80 00), from dig it is not set (00 00)
As a consequence, the server can't fit the whole response (to the Python query) in 1280 bytes and just returns an empty response.
dig indicated that it can accept a response of up to 4096 bytes and also did not request DNSSEC RRs, so the answer was provided by the server (without DNSSEC it would even fit in 1280 bytes). On top of that, dig will by default retry with TCP in case it gets a truncated response to the initial UDP query.
This dig query should result in the same query to the server and the same (empty) response from the server (compared to Python):
dig bancontact.node1.web1.prod.kunstmaan.com ns @170.252.72.92 +bufsize=1280 +dnssec +ignore +nocookie
Upvotes: 1