Netgate Discussion Forum

See https://www.gasmi.net/hpd online packet decoder – Need help w/ dns response

  • magrw2066
    Mar 8, 2018, 3:40 AM (last edited Mar 8, 2018, 5:41 PM)

    Hello!
    My pfsense hardware problem is the hardware section(sg4680).
    But I want to generate dns responses on raspberry pi linux to test my firewall but finding dns response packet dumps(even on serverfault) has become extremely difficult!
    *****I added the https://www.gasmi.net/hpd link to generate my desired dns response packets (possibly) *****
    Example basic response(raspberry only has host cmd for dns and it says my response is malformed):
    +00: <two byte serial id> <0x8000:response packet w/ 0 rc>
    +04: 0x0001 0x0001 0x0000 0x0000(end of 12 byte header)
    +12: byte-length-of-label label byte-length-of-label label 0x00
    qtype:0x0001 qclass:0x0001
    byte-length-of-label label byte-length-of-label label 0x00 
    qtype:0x0001 qclass:0x0001
    unsigned-int: time-to-live
    byte-length-of-address(4) 4-byte-internet-address

    Suggestions?
    Thx in advance,
    magrw2066

    .

    • johnpoz LAYER 8 Global Moderator
      Mar 8, 2018, 1:27 PM

      I have a sg460 running unbound, and a bunch of raspberry pi's - what are you trying to query for exactly?

      You do know you can install dig vs having to use host on your pi right?  I take it you're just running Raspbian?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

      • magrw2066
        Mar 8, 2018, 3:21 PM

        Hello!
        Host on raspberry pi says the following dns response byte array sent is malformed. Sample correct ipv4 response tcpdump packet dumps are welcome.
        Sample dns response reported by(python) pprint of my output byte array:
        'l\x85\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00\x06xsdifsd\x03com\x00\x00\x01\x00\x01x06xsdifsd\x03com\x00\x00\x01\x00\x01\x00\x00\x00D\x04\n\x03\x03\x03'
        The \x00\x01\x00\x01 sequences are the dns qtype and qclass words. Qclass 0x001 means internet and qtype 0x0001 means ipv4 address text address label.
        The labels(readable text) are prefixed by a length byte and end when the length byte is zero.
        The \x00\x00\x00D near the end is the time-to-live and \n is 0x0a field qtype meaning binary ipv4 address
        Sincerely,
        magrw2066

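Added example, not part of any post in this thread and not the Python program the poster mentions: a strict walk over the byte array quoted above, next to a builder for the same A record laid out per RFC 1035. The function names are illustrative; the walk stops at the length byte 0x06 in front of the seven-character label xsdifsd, and the builder shows RDLENGTH as a 16-bit field ahead of the four address bytes.

```python
import socket
import struct

# The byte array quoted in the post above, copied as it is printed there.
SAMPLE = (b'l\x85\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00\x06xsdifsd\x03com\x00\x00\x01\x00\x01'
          b'x06xsdifsd\x03com\x00\x00\x01\x00\x01\x00\x00\x00D\x04\n\x03\x03\x03')

def encode_name(name):
    """Length-prefixed labels terminated by a zero byte (RFC 1035, 3.1)."""
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    if any(not 0 < len(raw) <= 63 for raw in labels):
        raise ValueError("each label must be 1..63 bytes")
    return b"".join(bytes([len(raw)]) + raw for raw in labels) + b"\x00"

def build_a_response(txid, name, ipv4, ttl=68):
    """12-byte header, echoed question, one A record (owner name uncompressed)."""
    qname, rdata = encode_name(name), socket.inet_aton(ipv4)
    header = struct.pack("!6H", txid, 0x8000, 1, 1, 0, 0)  # flags as in the thread
    question = qname + struct.pack("!2H", 1, 1)             # QTYPE=A, QCLASS=IN
    rr = struct.pack("!2HIH", 1, 1, ttl, len(rdata))        # RDLENGTH is 16 bits
    return header + question + qname + rr + rdata

def skip_name(msg, off):          # returns the offset just past the name at off
    while True:
        n = msg[off]              # IndexError if the name runs off the end
        if n >= 0xC0:             # compression pointer: two bytes, ends the name
            return off + 2
        if n > 63:
            raise ValueError(f"bad label length {n} at offset {off}")
        off += 1 + n
        if n == 0:
            return off

def check_response(msg):
    """None if the question and answer sections parse, else the first fault."""
    try:
        _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4                   # QTYPE + QCLASS
        for _ in range(an):
            off = skip_name(msg, off)
            rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
            if off + 10 + rdlen > len(msg):
                raise ValueError(f"RDLENGTH {rdlen} overruns message")
            off += 10 + rdlen
    except (ValueError, IndexError, struct.error) as exc:
        return str(exc)
    return None
```

A client such as host only accepts a reply whose transaction ID and question section match the query it sent, so a test responder has to echo both from the incoming packet.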
        • johnpoz LAYER 8 Global Moderator
          Mar 8, 2018, 3:53 PM

          Where does it say that??  Here is host query from my PI…

          pi@pi3-ntp:~ $ host sg4860.local.lan
          sg4860.local.lan has address 192.168.9.253
          pi@pi3-ntp:~ $

          • magrw2066
            Mar 8, 2018, 4:19 PM

            The dns response is being generated by a python program I found to emulate a dns server. Jimmy Kane at github has something similar. 'uname -a' on my raspberry pi says "4.4.50-v7+ #970.. Feb 20 19:18:20th GMT 2017 …"

            • johnpoz LAYER 8 Global Moderator
              Mar 8, 2018, 4:28 PM

              So some python program is not working… What does that have to do with pfsense or unbound?  Or forwarder or even the bind package on pfsense?

              I would suggest you get with who wrote whatever script, etc.

              What exactly are you wanting to test your firewall for.. Maybe if we come at your problem from that direction..

              • magrw2066
                Mar 8, 2018, 4:41 PM

                I was using the script to test firewalls in general.
                I was just looking for a tcpdump of a valid dns response.
                A dump of a VALID DNS RESPONSE PACKET (50 measly bytes). That's all.
                I tried helping two other people to compensate. Yes slightly off topic but serverfault was nearly barren?!?!
                Sincerely,
                magrw2066

                • magrw2066
                  Mar 8, 2018, 5:37 PM

                  @magrw2066:

                  Hello!
                  My pfsense hardware problem is the hardware section(sg4680).
                  But I want to generate dns responses on raspberry pi linux to test my firewall but finding dns response packet dumps(even on serverfault) has become extremely difficult!
                  *****I added the https://www.gasmi.net/hpd link to generate my desired dns response packets (possibly) *****
                  Example basic response(raspberry only has host cmd for dns and it says my response is malformed):
                  +00: <two byte serial id> <0x8000:response packet w/ 0 rc>
                  +04: 0x0001 0x0001 0x0000 0x0000(end of 12 byte header)
                  +12: byte-length-of-label label byte-length-of-label label 0x00
                  qtype:0x0001 qclass:0x0001
                  byte-length-of-label label byte-length-of-label label 0x00 
                  qtype:0x0001 qclass:0x0001
                  unsigned-int: time-to-live
                  byte-length-of-address(4) 4-byte-internet-address

                  Suggestions?
                  Thx in advance,
                  magrw2066

                  .

                  • johnpoz LAYER 8 Global Moderator
                    Mar 8, 2018, 6:07 PM

                    You want a dump of what exactly, a query for www.gasmi.net?

                    I for sure could give you that… But you know it would take 2 seconds to get that yourself.. Just sniff on pfsense packet capture and do the query..

                    Sorry dude I have read over your posts multiple times and there is no actual question or request for something..  your url you listed is not something that is valid to query for... If you want query for www.gasmi.net  see attached..

                    I did a host www.gasmi.net, sniffed it on pfsense interface pi is connected to.. here you go.

                    My pi is 192.168.3.32 in the sniff, while pfsense is 192.168.3.253

                    The only thing in the sniff is the query and answer traffic UDP 53.

                    Here is that pcap on the website you gave
                    https://www.gasmi.net/hpd/?fid=58a3f4ba71c07e12ee5e792b6d11560c

                    query_www_gasmi_net.pcap
