CODEWITHSUNDEEP
cdnslibpcap
Amir reza Riahi
Amir reza Riahi

Reputation: 2450

How can I capture dns packets in c?

I'm writing a packet sniffer program in c. Now it can only find HTTP packets but I want to make it in a way to get also DNS packets. I know DNS packets are UDP but I don't know how to identify DNS ones. Is there a specific thing in DNS packets to check to find them? I know port 53 is default port for DNS requests, but is it a reliable way to find them?

Upvotes: 4

Views: 1142

Answers (1)

person
person

Reputation: 393

There is no good way to tell if a UDP packet contains DNS data: There is nothing in the UDP header, or IP header that directly tells you the data is DNS. However what you could do is first see if the source port in the UDP header is port 53 (DNS's standard UDP port) and second see if the data fits the data structure you're using to decode the header (most likely a struct). This is a very good question.

To fit the packet to a strcut you can use the following code:

This is the actual structure of a DNS header packet laid out in a struct in c:

#pragma pack(push, 1)
typedef struct 
{
    uint16_t id; // identification number 2b
    
    uint8_t rd : 1; // recursion desired
    uint8_t tc : 1; // truncated message
    uint8_t aa : 1; // authoritive answer
    uint8_t opcode : 4; // purpose of message
    uint8_t qr : 1; // query/response flag

    uint8_t rcode : 4; // response code
    uint8_t cd : 1; // checking disabled
    uint8_t ad : 1; // authenticated data
    uint8_t z : 1; // its z! reserved
    uint8_t ra : 1; // recursion available 4b

    uint16_t q_count; // number of question entries 6b
    uint16_t ans_count; // number of answer entries 8b
    uint16_t auth_count; // number of authority entries 10b
    uint16_t add_count; // number of resource entries 12b
}Dns_Header, *Dns_Header_P;
#pragma pack(pop)

To test this you can do this:

Dns_Header_P header = (Dns_Header_P)capture;

capture being a byte array with you DNS header.

Depending on how you're capturing the packets and how you're storing them you might need to change the endianness of the struct. If you test this with your program and it doesn't seem to have the right data or the data is switched around let me know.

Upvotes: 3

Related Questions