See https://www.gasmi.net/hpd online packet decoder – Need help w/ DNS response



  • Hello!
    My pfSense hardware problem is the hardware section (sg4680).
    I want to generate DNS responses on Raspberry Pi Linux to test my firewall, but finding DNS response packet dumps (even on serverfault) has become extremely difficult!
    ***** I added the https://www.gasmi.net/hpd link to generate my desired DNS response packets (possibly) *****
    Example basic response (Raspberry only has the host cmd for DNS, and it says my response is malformed):
    +00: <two byte serial id> <0x8000: response packet w/ 0 rc>
    +04: 0x0001 0x0001 0x0000 0x0000(end of 12 byte header)
    +12: byte-length-of-label label byte-length-of-label label 0x00
    qtype:0x0001 qclass:0x0001
    byte-length-of-label label byte-length-of-label label 0x00 
    qtype:0x0001 qclass:0x0001
    unsigned-int: time-to-live
    byte-length-of-address(4) 4-byte-internet-address

    Suggestions?
    Thx in advance,
    magrw2066



  • Rebel Alliance

    I have an sg460 running unbound, and a bunch of Raspberry Pis - what are you trying to query for exactly?

    You do know you can install dig vs having to use host on your Pi, right?  I take it you're just running Raspbian?



  • Hello!
    Host on Raspberry Pi says the following DNS response byte array sent is malformed. Sample correct IPv4 response tcpdump packet dumps are welcome.
    Sample DNS response reported by (Python) pprint of my output byte array:
    'l\x85\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00\x06xsdifsd\x03com\x00\x00\x01\x00\x01x06xsdifsd\x03com\x00\x00\x01\x00\x01\x00\x00\x00D\x04\n\x03\x03\x03'
    The \x00\x01\x00\x01 sequences are the DNS qtype and qclass words. Qclass 0x001 means internet and qtype 0x0001 means IPv4 address text address label.
    The labels (readable text) are prefixed by a length byte and end when the length byte is zero.
    The \x00\x00\x00D near the end is the time-to-live, and \n is the 0x0a field qtype meaning binary IPv4 address.
    Sincerely,
    magrw2066
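    Added example, not code from this thread or from the DNS-emulation script the poster is using: a Python builder and strict parser for the response layout sketched in the first post (12-byte header, question, answer with TTL, RDLENGTH and 4-byte address) and decoded byte by byte in the post above. build_a_response emits that layout; parse_response walks the same fields back and raises on a length byte that does not match its label, a truncated record, an A record whose RDLENGTH is not 4, or trailing bytes, the kinds of inconsistency that make a stub resolver reject a packet as malformed. It also follows 0xC0 compression pointers, which real resolver answers use and the thread's uncompressed layout does not. The function and constant names, the 0x8180 flag default and the GOOD sample are my own choices; POSTED is the byte string quoted above, typed in exactly as posted.

```python
"""Build and validate a minimal DNS A-record response (RFC 1035 wire format)."""
import struct

QTYPE_A, QCLASS_IN, MAX_LABEL = 1, 1, 63


def encode_name(name):
    """Encode a dotted hostname as DNS labels: <len><label> ... <0x00>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= MAX_LABEL:
            raise ValueError("bad label length for %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_response(txn_id, qname, ipv4, ttl, flags=0x8180):
    """One question plus one uncompressed A answer in a single UDP payload."""
    # flags 0x8180 = QR|RD|RA with RCODE 0 (what a recursive resolver returns);
    # the packet quoted in the thread used 0x8000, i.e. QR only.
    rdata = bytes(int(o) for o in ipv4.split("."))
    if len(rdata) != 4:
        raise ValueError("not an IPv4 address: %r" % ipv4)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 1, 0, 0)  # QD, AN, NS, AR counts
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = encode_name(qname) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return header + question + answer


def _need(pkt, off, n):
    """Raise unless at least n bytes remain at offset off."""
    if off + n > len(pkt):
        raise ValueError("packet truncated at offset %d" % off)


def decode_name(pkt, off, hops=0):
    """Decode a name at off; return (dotted name, offset just past it)."""
    labels = []
    while True:
        _need(pkt, off, 1)
        n = pkt[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if hops > 5:
                raise ValueError("compression pointer loop at offset %d" % off)
            _need(pkt, off, 2)
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(pkt, ptr, hops + 1)[0])
            return ".".join(labels), off + 2
        if n > MAX_LABEL:
            raise ValueError("label length %d at offset %d exceeds 63" % (n, off))
        _need(pkt, off + 1, n)
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_response(pkt):
    """Parse header, questions and records; raise ValueError on any inconsistency."""
    _need(pkt, 0, 12)
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        _need(pkt, off, 4)
        questions.append((name,) + struct.unpack("!HH", pkt[off:off + 4]))
        off += 4
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        _need(pkt, off, 10)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        _need(pkt, off, rdlen)
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN:
            if rdlen != 4:
                raise ValueError("A record %r has RDLENGTH %d, not 4" % (name, rdlen))
            rdata = ".".join(str(b) for b in rdata)  # render as a dotted quad
        records.append((name, rtype, rclass, ttl, rdata))
    if off != len(pkt):
        raise ValueError("%d trailing byte(s) after the last record" % (len(pkt) - off))
    return {"id": txn_id, "flags": flags, "rcode": flags & 0xF,
            "questions": questions, "answers": records}


def check_packet(pkt):
    """Return None when pkt parses cleanly, otherwise the parser's complaint."""
    try:
        parse_response(pkt)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample reusing the thread's values: ID 0x6c85 ('l\x85'), TTL 68 ('D'), 10.3.3.3.
GOOD = build_a_response(0x6C85, "xsdifsd.com", "10.3.3.3", 68)
# The byte string quoted in the post above, as posted (note the "x06" without a backslash).
POSTED = (b"l\x85\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00\x06xsdifsd\x03com\x00\x00\x01\x00\x01"
          b"x06xsdifsd\x03com\x00\x00\x01\x00\x01\x00\x00\x00D\x04\n\x03\x03\x03")
```

    check_packet(POSTED) reports a label length of 100 at offset 19: the first label is declared as six bytes, but xsdifsd is seven characters, so the parser reads the trailing d (0x64) as the next length byte. check_packet(GOOD) returns None, and GOOD is 56 bytes, which is the size the thread's "50 measly bytes" estimate was pointing at.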


  • Rebel Alliance

    Where does it say that??  Here is a host query from my Pi…

    pi@pi3-ntp:~ $ host sg4860.local.lan
    sg4860.local.lan has address 192.168.9.253
    pi@pi3-ntp:~ $



  • The DNS response is being generated by a Python program I found to emulate a DNS server. Jimmy Kane at GitHub has something similar. 'uname -a' on my Raspberry Pi says "4.4.50-v7+ #970.. Feb 20 19:18:20th GMT 2017 …"


  • Rebel Alliance

    So some Python program is not working… What does that have to do with pfSense or unbound?  Or the forwarder, or even the bind package on pfSense?

    I would suggest you get with whoever wrote whatever script, etc.

    What exactly are you wanting to test your firewall for.. Maybe if we come at your problem from that direction..



  • I was using the script to test firewalls in general.
    I was just looking for a tcpdump of a valid DNS response.
    A dump of a VALID DNS RESPONSE PACKET (50 measly bytes). That's all.
    I tried helping two other people to compensate. Yes, slightly off topic, but serverfault was nearly barren?!?!
    Sincerely,
    magrw2066



  • @magrw2066:

    Hello!
    My pfSense hardware problem is the hardware section (sg4680).
    I want to generate DNS responses on Raspberry Pi Linux to test my firewall, but finding DNS response packet dumps (even on serverfault) has become extremely difficult!
    ***** I added the https://www.gasmi.net/hpd link to generate my desired DNS response packets (possibly) *****
    Example basic response (Raspberry only has the host cmd for DNS, and it says my response is malformed):
    +00: <two byte serial id> <0x8000: response packet w/ 0 rc>
    +04: 0x0001 0x0001 0x0000 0x0000(end of 12 byte header)
    +12: byte-length-of-label label byte-length-of-label label 0x00
    qtype:0x0001 qclass:0x0001
    byte-length-of-label label byte-length-of-label label 0x00 
    qtype:0x0001 qclass:0x0001
    unsigned-int: time-to-live
    byte-length-of-address(4) 4-byte-internet-address

    Suggestions?
    Thx in advance,
    magrw2066



  • Rebel Alliance

    You want a dump of what exactly, a query for www.gasmi.net?

    I for sure could give you that… But you know it would take 2 seconds to get that yourself.. Just sniff on pfSense packet capture and do the query..

    Sorry dude, I have read over your posts multiple times and there is no actual question or request for something..  The URL you listed is not something that is valid to query for... If you want a query for www.gasmi.net, see attached..

    I did a host www.gasmi.net, sniffed it on the pfSense interface the Pi is connected to.. here you go.

    My Pi is 192.168.3.32 in the sniff, while pfSense is 192.168.3.253.

    The only thing in the sniff is the query and answer traffic, UDP 53.

    Here is that pcap on the website you gave:
    https://www.gasmi.net/hpd/?fid=58a3f4ba71c07e12ee5e792b6d11560c

    query_www_gasmi_net.pcap


 

© Copyright 2002 - 2018 Rubicon Communications, LLC