
How can I verify, when I parse a packet, whether the IP address for the packet is one from a specific DNS name that has many IPs listed (i.e. this DNS name does a round-robin type approach and is acting as the main company proxy server DNS name; however, it hands off to one of many actual proxy servers in real time)?

Thanks

GregH

2 Answers


This is not going to be possible at the Layer 3/4 level. It is possible that the packet payload may contain the DNS name, but that depends on the application (e.g. HTTP requests contain a Host field, but this is only in the header; additional packets will not contain the information).

Doug Luxem
  • thanks - no other ideas then re how to distinguish internet bound (i.e. via proxy) traffic packets from internal traffic (note in a large internal network with multiple sub-domains)? – GregH Aug 16 '10 at 11:53

Well, I suppose you are doing it in a script or program, but if you can use the dig tool you can check all the IP addresses listed for a name:

# dig  www.google.com +short
www.l.google.com.
74.125.67.99
74.125.67.106
74.125.67.104
74.125.67.103
74.125.67.147
74.125.67.105

I suppose you can get it using a function or method in your preferred language.

coredump
  • @coredump - this would be great if it worked and worked consistently. When I run the same dig command against google, interestingly enough, I only get one result which is curious. Do you know how robust this approach would be? Would it work with all DNS servers for example (i.e. would DNS servers typically respect providing back the full list of IPs?). – GregH Aug 16 '10 at 11:56
  • Probably because Google uses some kind of geographic load balancing. Maybe in my country it answers with a certain list of IPs, while in other countries it answers with another list. That will happen with Akamai or other CDN services as well, AFAIK. About it working with other DNS servers, if they follow the DNS spec they will answer the full list. – coredump Aug 16 '10 at 14:57
  • unfortunately doesn't seem to work on our DNS server - just hands back one – GregH Aug 16 '10 at 23:49
  • If it's an internal thing, maybe you can do a zone transfer from the server and check it against the result? – coredump Aug 17 '10 at 02:46
  • @coredump - I'm not familiar with "zone transfer", however would I be right in saying it would require some level of admin access to the company DNS? (i.e. as this would not be the case for my scenario). In which case would this mean there's no robust way to get the full list of IPs then? thanks again – GregH Aug 17 '10 at 23:51
  • Zone transfer requires the permission to do so from the DNS server, so it requires some admin work. And if dig is not getting it, I think that the answer to your question is yes. You can check if the language you are using can do something different, but I doubt it. C# has a library/module called Dns that has some tools. – coredump Aug 18 '10 at 00:34
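An added example (not code from the thread or from either answerer) that puts the answer and the comment exchange into practice: it parses the `dig +short` output quoted above into a set of addresses, accumulates the addresses returned across repeated lookups (addressing GregH's observation that a single query may hand back only one record), and then classifies a packet's destination as proxy-bound, internal or other. The proxy name `proxy.example.internal`, the internal range `10.0.0.0/8` and the pluggable `resolver` parameter are assumptions for illustration; the live resolver uses `socket.getaddrinfo`, so the constructed data below is what runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Set

# Constructed sample: the dig +short output quoted in the answer above.
DIG_OUTPUT = """www.l.google.com.
74.125.67.99
74.125.67.106
74.125.67.104
74.125.67.103
74.125.67.147
74.125.67.105
"""


def parse_dig_short(output: str) -> Set[str]:
    """Return the IP addresses in `dig +short` output, skipping CNAME lines."""
    addrs: Set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.add(str(ipaddress.ip_address(line)))
        except ValueError:
            # e.g. "www.l.google.com." is a CNAME target, not an address
            continue
    return addrs


def resolve_all(name: str) -> Set[str]:
    """Live lookup: every address the local resolver returns for `name` right now.

    A round-robin or geo-balanced name may return only a subset per query,
    which is why ProxyAddressSet accumulates results over time.
    """
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


class ProxyAddressSet:
    """Accumulates the addresses ever seen for the proxy name across lookups."""

    def __init__(self, name: str,
                 resolver: Callable[[str], Iterable[str]] = resolve_all):
        self.name = name
        self._resolver = resolver  # injectable so it can be tested offline
        self.addresses: Set[str] = set()

    def refresh(self) -> int:
        """Query the name again; return how many previously unseen addresses appeared."""
        new = set(self._resolver(self.name)) - self.addresses
        self.addresses |= new
        return len(new)

    def is_proxy_address(self, ip: str) -> bool:
        # Normalise so "074.125.067.099"-style or IPv6 spellings compare correctly.
        return str(ipaddress.ip_address(ip)) in self.addresses


def classify_packet(dst_ip: str, proxies: ProxyAddressSet,
                    internal_nets: Iterable[str]) -> str:
    """Return 'proxy', 'internal' or 'other' for a packet's destination address."""
    if proxies.is_proxy_address(dst_ip):
        return "proxy"
    addr = ipaddress.ip_address(dst_ip)
    if any(addr in ipaddress.ip_network(net) for net in internal_nets):
        return "internal"
    return "other"


if __name__ == "__main__":
    # Offline demo: seed the set from the quoted dig output instead of a live lookup.
    seeded = ProxyAddressSet("proxy.example.internal",  # assumed name
                             resolver=lambda _name: parse_dig_short(DIG_OUTPUT))
    print("new addresses learned:", seeded.refresh())
    for dst in ("74.125.67.104", "10.1.2.3", "8.8.8.8"):
        print(dst, "->", classify_packet(dst, seeded, ["10.0.0.0/8"]))
```

Calling `refresh()` periodically (for instance once per TTL) grows the set towards the full list even when each answer carries a single record; a zone export, where available, would seed it completely in one step.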