Writeup: DNS Packet Challenge
By: Max Friedrich
Note: I am heavily leveraging Cyberchef in this writeup. Please play around with it if you have not already, it is brilliant.
In the worksheet put together for a workshop on encryption and encoding, we included a hex string of a DNS packet. See the worksheet here.
4E 18 EF 99 80 2D 67 8A 59 21 A0 5F 08 00 45 00
00 3B 00 01 00 00 40 11 A1 F8 90 20 80 73 01 01
01 01 61 7D 00 35 00 27 40 00 00 00 01 00 00 01
00 00 00 00 00 00 06 73 65 6E 61 74 65 03 67 6F
76 02 72 68 00 00 01 00 01
Most people struggled with this challenge, so I decided to write a writeup for it.
First Impressions
The first thing you might notice is that it is a hex string. If you decode it you will see the string senate□gov□rh. This looks like a domain name. (In case you are wondering, rh is not a real top level domain; in fact, we used it specifically because of this.)
A domain whose labels are separated by non-printable characters rather than dots most commonly appears in DNS packets. In fact, if you use the “from hex” function in Cyberchef and then the “detect file type” function, you will see that it is a UDP packet.
Network Packets
This is a good point to explain a few things about network packets. Network packets are usually described in “layers”, each covering different properties of the packet. Most of the time we use the TCP/IP stack, which looks like this:
Layer | Name | Example Protocol(s) |
---|---|---|
5 | Application | HTTP, DNS |
4 | Transport | TCP, UDP |
3 | Internet | IPv4 |
2 | Link | Ethernet |
1 | Physical | Copper Cable |
(Click on the links to learn more about the protocols).
The most common packet structure for DNS packets is the following:
{Ethernet Header}{IPv4 Header}{UDP Header}{DNS Header}{DNS Data}
For an example of a DNS packet as a hex string, see the hex string above from the question.
Decoding the Packet
Each protocol header has a defined layout. Additionally, each one either has a known fixed length, or a length field at the start of the header.
The question asks for three bits of information:
- “More information at” - the domain name.
- IP address of the sender
- The location of the sender - You can get this from the IP address using a website such as this.
To answer 2 and 3, we need the source IP address from the IPv4 header. To find the start of the IPv4 header, we need to find the end of the Ethernet header. The Ethernet header is 14 bytes long, so the IPv4 header starts at byte 14 (counting from 0).
So, the Ethernet header is:
4E 18 EF 99 80 2D 67 8A 59 21 A0 5F 08 00
An IPv4 Header takes the format:
So the source IP address is at bytes 12-15 of the IPv4 header. The source IP address is 90 20 80 73; this can be converted to dotted decimal notation (DDN) such as 192.168.1.25.
Cyberchef can do this using the function “Change ip format”.
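The layer-by-layer walk described in the Decoding the Packet section (Ethernet, then IPv4, then UDP, then DNS, each header either fixed-length or carrying its own length field) can be done programmatically rather than by counting bytes by hand. The script below is an added example written for this writeup; it is not part of the original worksheet and is not Cyberchef code. Its only input is the challenge's own hex string, copied from the question above. Beyond extracting the three answers, it cross-checks the IPv4 total length and UDP length fields against the bytes actually present and recomputes the IPv4 header checksum, which is the kind of sanity check a packet tool performs before trusting a capture.

```python
"""Layer-by-layer parse of the worksheet packet: Ethernet -> IPv4 -> UDP -> DNS."""
import struct

# The hex string from the challenge above (bytes.fromhex ignores the whitespace).
PACKET_HEX = """
4E 18 EF 99 80 2D 67 8A 59 21 A0 5F 08 00 45 00
00 3B 00 01 00 00 40 11 A1 F8 90 20 80 73 01 01
01 01 61 7D 00 35 00 27 40 00 00 00 01 00 00 01
00 00 00 00 00 00 06 73 65 6E 61 74 65 03 67 6F
76 02 72 68 00 00 01 00 01
"""

ETHERTYPE_IPV4 = 0x0800
IP_PROTO_UDP = 17
ETH_HDR_LEN = 14
UDP_HDR_LEN = 8
DNS_HDR_LEN = 12


def ipv4_header_checksum(header: bytes) -> int:
    """Recompute the RFC 791 ones'-complement checksum over an IPv4 header.

    The stored checksum field (bytes 10-11) is treated as zero, as the sender does."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def read_dns_name(data: bytes, offset: int):
    """Decode a DNS wire-format name starting at offset.

    Each label is prefixed by a length byte (the non-printable bytes seen when the
    hex is decoded as text); a zero length byte ends the name.  Returns the dotted
    name and the offset of the first byte after it."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length > 63:
            # 0xC0.. would be a compression pointer (RFC 1035 4.1.4); question names never use them
            raise ValueError("compression pointer or invalid label length at offset %d" % (offset - 1))
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns_packet(hex_string: str) -> dict:
    """Walk the headers and return the fields the challenge asks for, plus sanity checks."""
    pkt = bytes.fromhex(hex_string)

    # Ethernet header: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", pkt[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)

    # IPv4 header: version/IHL byte, total length at 2-3, protocol at 9, checksum at
    # 10-11, source address at 12-15, destination at 16-19.  IHL is the header length
    # in 32-bit words, so any options are skipped correctly instead of assuming 20 bytes.
    ip_start = ETH_HDR_LEN
    version, ihl = pkt[ip_start] >> 4, (pkt[ip_start] & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("bad IPv4 version/IHL byte 0x%02x" % pkt[ip_start])
    ip_hdr = pkt[ip_start:ip_start + ihl]
    total_length = struct.unpack("!H", ip_hdr[2:4])[0]
    protocol = ip_hdr[9]
    stored_checksum = struct.unpack("!H", ip_hdr[10:12])[0]
    src_ip = ".".join(str(b) for b in ip_hdr[12:16])   # dotted decimal notation
    dst_ip = ".".join(str(b) for b in ip_hdr[16:20])
    if protocol != IP_PROTO_UDP:
        raise ValueError("not UDP: IP protocol %d" % protocol)
    if total_length != len(pkt) - ETH_HDR_LEN:
        raise ValueError("IPv4 total length %d but %d bytes follow the Ethernet header"
                         % (total_length, len(pkt) - ETH_HDR_LEN))

    # UDP header: source port, destination port, length, checksum (four 16-bit fields).
    udp_start = ip_start + ihl
    src_port, dst_port, udp_length, _udp_checksum = struct.unpack(
        "!4H", pkt[udp_start:udp_start + UDP_HDR_LEN])
    if udp_length != total_length - ihl:
        raise ValueError("UDP length %d does not match IPv4 payload %d" % (udp_length, total_length - ihl))

    # DNS header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, then the question section.
    dns_start = udp_start + UDP_HDR_LEN
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[dns_start:dns_start + DNS_HDR_LEN])
    qname, offset = read_dns_name(pkt, dns_start + DNS_HDR_LEN)
    qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])

    return {
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "ip_checksum_ok": ipv4_header_checksum(ip_hdr) == stored_checksum,
        "src_port": src_port,
        "dst_port": dst_port,
        "is_query": not (flags & 0x8000),      # QR bit clear means this is a query
        "qdcount": qdcount,
        "qname": qname,
        "qtype": qtype,                        # 1 = A record
        "qclass": qclass,                      # 1 = IN
    }


if __name__ == "__main__":
    for key, value in parse_dns_packet(PACKET_HEX).items():
        print("%-16s %s" % (key, value))
```

Running it prints the source address already converted to dotted decimal (the answer to questions 2 and 3 once looked up), destination port 53 (which is why the “detect file type” guess of UDP is really DNS), and the question name reassembled with dots in place of the length bytes (the answer to question 1). One caveat the checks surface: the IPv4 header checksum embedded in this hand-built packet (A1 F8) does not match the value recomputed over the header bytes, so a checksum-validating tool would flag the packet as malformed; none of the other fields depend on it, which is why the answers are still recoverable.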