
Wanted to ask a question: How is it possible to derive IP address from querying a DNS Node in Reverse Lookup Zone with LDAP? To be more precise, I want to show you what I've been trying to achieve:

Properties of DNSNode

In the picture above we see the properties of a DNS Node that were retrieved by running an LDAP query. Is it possible to derive the IP address of the node from the 'dnsrecord' property somehow (for example, using some .NET function) without manipulating strings in the 'distinguishedname', 'name', 'dc' properties to achieve the same goal?

Thanks!

  • I've recently had some success cobbling together a solution for this specific problem using the information I found in a question on StackOverflow - [Marshal.PtrToStructure (and back again) and generic solution for endianness swapping](https://stackoverflow.com/q/2623761/2569697). If you have some programming experience, you might find it helpful. – G_Hosa_Phat Aug 24 '21 at 18:59

1 Answer


dnsRecord is a byte array.

An example of the data structure is in the following DNSShell PowerShell module. They don't provide a PTR record per se, but you can probably figure out the difference using some of the other examples. Note that TtlSeconds is big-endian byte order.

https://archive.codeplex.com/?p=dnsshell

```csharp
/// <summary>
/// https://msdn.microsoft.com/en-us/library/ee898781.aspx
/// The dnsRecord attribute is used to store DNS resource record definitions. This attribute MUST be formatted as follows:
/// 
/// DataLength (2 bytes): An unsigned binary integer containing the length, in bytes, of the Data field.
/// Type (2 bytes): The resource record's type. See DNS_RECORD_TYPE (section 2.2.2.1.1).
/// Version (1 byte): The version number associated with the resource record attribute. The value MUST be 0x05.
/// Rank (1 byte): The least-significant byte of one of the RANK* flag values. See dwFlags (section 2.2.2.2.5).
/// Flags (2 bytes): Not used. The value MUST be 0x0000.
/// Serial (4 bytes): The serial number of the SOA record of the zone containing this resource record. See DNS_RPC_RECORD_SOA (section 2.2.2.2.4.3).
/// TtlSeconds (4 bytes): See dwTtlSeconds (section 2.2.2.2.5). This field uses big-endian byte order.
/// Reserved (4 bytes): This field is reserved for future use. The value MUST be 0x00000000.
/// TimeStamp (4 bytes): See dwTimeStamp (section 2.2.2.2.5).
/// Data (variable): The resource record's data. See DNS_RPC_RECORD_DATA (section 2.2.2.2.4).
/// </summary>
/// <example>
///                                 1  1  1  1  1  1
///   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  |                 DATA LENGTH                   |
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  |                      TYPE                     |
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  |        VERSION        |         RANK          |
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  |                     FLAGS                     |
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  |                     SERIAL                    |
///  |                                               |
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  |                  TTLSECONDS                   |
///  |                                               |
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  |                    RESERVED                   |
///  |                                               |
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  |                   TIMESTAMP                   |
///  |                                               |
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  |                     DATA                      |
///  |                                               |
///  +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
///  </example>
```
Greg Askew
  • Do you happen to know anything about the `Data` section of the byte array? I've tried to read a string value from there (UTF-8, as per the documentation), but some of the bytes just don't make sense. – G_Hosa_Phat Aug 24 '21 at 19:03
  • @G_Hosa_Phat: It's an RFC compliant data block. Some of the bytes have different endianness. It also depends on the record type. You can view some details here: https://github.com/indented-automation/DnsShell/tree/master/src/ActiveDirectory/RecordTypes – Greg Askew Aug 24 '21 at 21:00
  • Thank you for that. I got most of my record information parsed correctly, but the data values for the `NS` and `CNAME` records I've tested aren't what I was expecting. I'll go take a look through that code and see if I can figure out where I screwed up. – G_Hosa_Phat Aug 24 '21 at 21:59
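As an added worked example (not part of the answer above and not DnsShell's own code), the following Python decodes the 24-byte dnsRecord header exactly as laid out in the answer (every field little-endian except TtlSeconds, which is big-endian) and then the Data field for the types relevant here: A and AAAA carry a packed address, while PTR, NS and CNAME carry a DNS_COUNT_NAME (length byte, label-count byte, then length-prefixed labels ending in 0x00). The same offsets apply to a .NET port using `BitConverter`, with the TTL bytes reversed. The sample records, the `build_dns_record`/`encode_count_name` helpers and the `reverse_node_to_ip` helper are all constructed for this example; the last one exists because, for a node in a reverse lookup zone, the PTR's Data holds the target hostname and the IP address is encoded in the node name relative to the zone, so it has to be recovered from the name labels rather than from the blob.

```python
import ipaddress
import struct

# DNS_RECORD_TYPE values (MS-DNSP) decoded by this example
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_PTR, TYPE_AAAA = 0x0001, 0x0002, 0x0005, 0x000C, 0x001C
NAME_TYPES = {TYPE_NS: "NS", TYPE_CNAME: "CNAME", TYPE_PTR: "PTR"}
# DataLength(2) Type(2) Version(1) Rank(1) Flags(2) Serial(4) TtlSeconds(4) Reserved(4) TimeStamp(4)
HEADER_LEN = 24


def parse_count_name(data: bytes) -> str:
    """Decode a DNS_COUNT_NAME: Length, LabelCount, then length-prefixed labels ending in 0x00."""
    label_count = data[1]
    labels, pos = [], 2
    while pos < len(data) and data[pos] != 0:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if len(labels) != label_count:
        raise ValueError(f"LabelCount {label_count} does not match {len(labels)} decoded labels")
    return ".".join(labels)


def parse_dns_record(blob: bytes) -> dict:
    """Parse one dnsRecord attribute value into its header fields and a decoded Data value."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)        # TtlSeconds is the one big-endian field
    reserved, timestamp = struct.unpack_from("<II", blob, 16)
    if version != 0x05:
        raise ValueError(f"unexpected dnsRecord version {version:#x}")
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength claims more bytes than are present")
    rec = {"type": rtype, "rank": rank, "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if rtype == TYPE_A:
        rec["type_name"], rec["value"] = "A", str(ipaddress.IPv4Address(data))      # 4 bytes, network order
    elif rtype == TYPE_AAAA:
        rec["type_name"], rec["value"] = "AAAA", str(ipaddress.IPv6Address(data))   # 16 bytes
    elif rtype in NAME_TYPES:
        rec["type_name"], rec["value"] = NAME_TYPES[rtype], parse_count_name(data)
    else:
        rec["type_name"], rec["value"] = f"TYPE{rtype}", data.hex()                 # left undecoded
    return rec


def reverse_node_to_ip(node_name: str, zone_name: str) -> str:
    """Recover the address a reverse-zone node stands for, e.g. name=10 in 1.168.192.in-addr.arpa."""
    labels = f"{node_name}.{zone_name}".lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:-2]))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = "".join(reversed(labels[:-2]))
        if len(nibbles) != 32:
            raise ValueError("ip6.arpa name does not contain 32 nibbles")
        return str(ipaddress.IPv6Address(int(nibbles, 16)))
    raise ValueError("not a reverse lookup zone name")


# --- helpers used only to construct sample blobs for this example (not real directory data) ---
def build_dns_record(rtype: int, data: bytes, serial: int = 1, ttl: int = 3600, rank: int = 0xF0) -> bytes:
    header = struct.pack("<HHBBHI", len(data), rtype, 0x05, rank, 0x0000, serial)
    header += struct.pack(">I", ttl) + struct.pack("<II", 0, 0)   # big-endian TTL, then Reserved, TimeStamp
    return header + data


def encode_count_name(fqdn: str) -> bytes:
    labels = fqdn.rstrip(".").split(".")
    raw = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


# Constructed samples: an A record and a PTR record as they would sit in dnsRecord
SAMPLE_A = build_dns_record(TYPE_A, ipaddress.IPv4Address("192.168.1.10").packed, serial=42, ttl=3600)
SAMPLE_PTR = build_dns_record(TYPE_PTR, encode_count_name("host10.example.com"), serial=42, ttl=900)

if __name__ == "__main__":
    print(parse_dns_record(SAMPLE_A))    # value 192.168.1.10
    print(parse_dns_record(SAMPLE_PTR))  # value host10.example.com
    print(reverse_node_to_ip("10", "1.168.192.in-addr.arpa"))  # 192.168.1.10
```

The length check against DataLength matters when reading attribute values from an untrusted or partially replicated object: a truncated or oversized blob is rejected instead of being decoded into a wrong address. Record types the example does not know are returned as hex rather than guessed at.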