There is nothing like analysing what actually happens on the network to understand how things work. The proposed experiment is as follows:
Recall that a "sniffer" is a tool capable of capturing every frame passing over the network segment to which the chosen interface is connected. These frames are of course captured in binary and can be displayed in hexadecimal, but the most interesting part is that a good sniffer can interpret them and translate their contents into an almost comprehensible language (English). That is the form in which the capture is presented here.
The Linux machine acting as a brand-new (freshly reset) DNS server is going to be queried by a host on the private network to find, in turn, the addresses of:
The intended goal is to show:
We shall see that the experiment achieves its goal.
Frame 3 (83 on wire, 83 captured)
...
    Protocol: UDP (0x11)
    Header checksum: 0xe655 (correct)
    Source: ca-ol-marseille-12-195.abo.wanadoo.fr (213.56.59.195)
    Destination: h.root-servers.net (128.63.2.53)
*** It is indeed a root server that is being contacted
User Datagram Protocol
    Source port: 1029 (1029)
    Destination port: domain (53)
    Length: 49
    Checksum: 0xfa3a
Domain Name System (query)
    Transaction ID: 0x2673
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Query
        .000 0... .... .... = Standard query
        .... ..0. .... .... = Message is not truncated
        .... ...0 .... .... = Don't do query recursively
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.ac-aix-marseille.fr: type A, class inet
            Name: www.ac-aix-marseille.fr
            Type: Host address
            Class: inet
*** It goes straight in with the final question...

Frame 4 (403 on wire, 403 captured)
...
    Protocol: UDP (0x11)
    Header checksum: 0x51e4 (correct)
    Source: h.root-servers.net (128.63.2.53)
    Destination: ca-ol-marseille-12-195.abo.wanadoo.fr (213.56.59.195)
User Datagram Protocol
    Source port: domain (53)
    Destination port: 1029 (1029)
    Length: 369
    Checksum: 0x8662
Domain Name System (response)
    Transaction ID: 0x2673
    Flags: 0x8000 (Standard query response, No error)
        1... .... .... .... = Response
        .000 0... .... .... = Standard query
        .... .0.. .... .... = Server isn't an authority for domain
        .... ..0. .... .... = Message is not truncated
        .... ...0 .... .... = Don't do query recursively
        .... .... 0... .... = Server can't do recursive queries
        .... .... .... 0000 = No error
    Questions: 1
    Answer RRs: 0
    Authority RRs: 8
    Additional RRs: 8
    Queries
        www.ac-aix-marseille.fr: type A, class inet
            Name: www.ac-aix-marseille.fr
            Type: Host address
            Class: inet
    Authoritative nameservers
        FR: type NS, class inet, ns DNS.CS.WISC.EDU
            Name: FR
            Type: Authoritative name server
            Class: inet
            Time to live: 2 days
            Data length: 17
            Name server: DNS.CS.WISC.EDU
        FR: type NS, class inet, ns NS1.NIC.FR
            Name: FR
            Type: Authoritative name server
            Class: inet
            Time to live: 2 days
            Data length: 10
            Name server: NS1.NIC.FR
        FR: type NS, class inet, ns NS3.NIC.FR
            Name: FR
            Type: Authoritative name server
            Class: inet
            Time to live: 2 days
            Data length: 6
            Name server: NS3.NIC.FR
        FR: type NS, class inet, ns DNS.INRIA.FR
            Name: FR
            Type: Authoritative name server
            Class: inet
            Time to live: 2 days
            Data length: 12
            Name server: DNS.INRIA.FR
        FR: type NS, class inet, ns NS2.NIC.FR
            Name: FR
            Type: Authoritative name server
            Class: inet
            Time to live: 2 days
            Data length: 6
            Name server: NS2.NIC.FR
        FR: type NS, class inet, ns NS.EU.NET
            Name: FR
            Type: Authoritative name server
            Class: inet
            Time to live: 2 days
            Data length: 11
            Name server: NS.EU.NET
        FR: type NS, class inet, ns DNS.PRINCETON.EDU
            Name: FR
            Type: Authoritative name server
            Class: inet
            Time to live: 2 days
            Data length: 16
            Name server: DNS.PRINCETON.EDU
        FR: type NS, class inet, ns NS-EXT.VIX.COM
            Name: FR
            Type: Authoritative name server
            Class: inet
            Time to live: 2 days
            Data length: 16
            Name server: NS-EXT.VIX.COM
*** Of course, it did not know the answer, but it gave a list
*** of servers that know the fr TLD.
*** As a bonus, it gives us their addresses.
    Additional records
        ...
        NS1.NIC.FR: type A, class inet, addr 192.93.0.1
        ...
        NS3.NIC.FR: type A, class inet, addr 192.134.0.49
        ...
        DNS.INRIA.FR: type A, class inet, addr 193.51.208.13
        ...
        NS2.NIC.FR: type A, class inet, addr 192.93.0.4
        ...
        NS.EU.NET: type A, class inet, addr 192.16.202.11
        ...
        DNS.PRINCETON.EDU: type A, class inet, addr 128.112.129.15
        ...
        NS-EXT.VIX.COM: type A, class inet, addr 204.152.184.64
        ...

Frame 5 (83 on wire, 83 captured)
...
    Protocol: UDP (0x11)
    Header checksum: 0xe3ef (correct)
    Source: ca-ol-marseille-12-195.abo.wanadoo.fr (213.56.59.195)
    Destination: ns-ext.vix.com (204.152.184.64)
*** Our DNS server chose the last one in the previous list
User Datagram Protocol
    Source port: 1029 (1029)
    Destination port: domain (53)
    Length: 49
    Checksum: 0xead6
Domain Name System (query)
    Transaction ID: 0x3272
    Flags: 0x0100 (Standard query)
        0... .... .... .... = Query
        .000 0... .... .... = Standard query
        .... ..0. .... .... = Message is not truncated
        .... ...1 .... .... = Do query recursively
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.ac-aix-marseille.fr: type A, class inet
            Name: www.ac-aix-marseille.fr
            Type: Host address
            Class: inet
*** And still the same question...

Frame 6 (168 on wire, 168 captured)
...
    Protocol: UDP (0x11)
    Header checksum: 0x5a17 (correct)
    Source: ns-ext.vix.com (204.152.184.64)
    Destination: ca-ol-marseille-12-195.abo.wanadoo.fr (213.56.59.195)
User Datagram Protocol
    Source port: domain (53)
    Destination port: 1029 (1029)
    Length: 134
    Checksum: 0x303c
Domain Name System (response)
    Transaction ID: 0x3272
    Flags: 0x8100 (Standard query response, No error)
        1... .... .... .... = Response
        .000 0... .... .... = Standard query
        .... .0.. .... .... = Server isn't an authority for domain
        .... ..0. .... .... = Message is not truncated
        .... ...1 .... .... = Do query recursively
        .... .... 0... .... = Server can't do recursive queries
        .... .... .... 0000 = No error
    Questions: 1
    Answer RRs: 0
    Authority RRs: 2
    Additional RRs: 2
    Queries
        www.ac-aix-marseille.fr: type A, class inet
            Name: www.ac-aix-marseille.fr
            Type: Host address
            Class: inet
    Authoritative nameservers
        ac-aix-marseille.fr: type NS, class inet, ns dnse.ac-aix-marseille.fr
            Name: ac-aix-marseille.fr
            Type: Authoritative name server
            Class: inet
            Time to live: 4 days
            Data length: 7
            Name server: dnse.ac-aix-marseille.fr
        ac-aix-marseille.fr: type NS, class inet, ns cianame.ac-clermont.fr
            Name: ac-aix-marseille.fr
            Type: Authoritative name server
            Class: inet
            Time to live: 4 days
            Data length: 22
            Name server: cianame.ac-clermont.fr
*** No miracle here...
*** We receive the list of DNS servers that serve the ac-aix-marseille.fr domain,
*** as we saw in our search "by hand".
    Additional records
        dnse.ac-aix-marseille.fr: type A, class inet, addr 195.83.252.200
        ...
        cianame.ac-clermont.fr: type A, class inet, addr 194.254.204.31
        ...

Frame 7 (83 on wire, 83 captured)
...
    Protocol: UDP (0x11)
    Header checksum: 0xa8ab (correct)
    Source: ca-ol-marseille-12-195.abo.wanadoo.fr (213.56.59.195)
    Destination: dnse.ac-aix-marseille.fr (195.83.252.200)
User Datagram Protocol
    Source port: 1029 (1029)
    Destination port: domain (53)
    Length: 49
    Checksum: 0x0118
Domain Name System (query)
    Transaction ID: 0xe1ed
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Query
        .000 0... .... .... = Standard query
        .... ..0. .... .... = Message is not truncated
        .... ...0 .... .... = Don't do query recursively
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.ac-aix-marseille.fr: type A, class inet
            Name: www.ac-aix-marseille.fr
            Type: Host address
            Class: inet
*** And still the same question.
*** This should normally be the last one for this host.

Frame 8 (127 on wire, 127 captured)
...
    Protocol: UDP (0x11)
    Header checksum: 0x83c7 (correct)
    Source: dnse.ac-aix-marseille.fr (195.83.252.200)
    Destination: ca-ol-marseille-12-195.abo.wanadoo.fr (213.56.59.195)
User Datagram Protocol
    Source port: domain (53)
    Destination port: 1029 (1029)
    Length: 93
    Checksum: 0x440a
Domain Name System (response)
    Transaction ID: 0xe1ed
    Flags: 0x8480 (Standard query response, No error)
        1... .... .... .... = Response
        .000 0... .... .... = Standard query
        .... .1.. .... .... = Server is an authority for domain
        .... ..0. .... .... = Message is not truncated
        .... ...0 .... .... = Don't do query recursively
        .... .... 1... .... = Server can do recursive queries
        .... .... .... 0000 = No error
    Questions: 1
    Answer RRs: 2
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.ac-aix-marseille.fr: type A, class inet
            Name: www.ac-aix-marseille.fr
            Type: Host address
            Class: inet
    Answers
        www.ac-aix-marseille.fr: type CNAME, class inet, cname copernic.crdp.ac-aix-marseille.fr
            Name: www.ac-aix-marseille.fr
            Type: Canonical name for an alias
            Class: inet
            Time to live: 115 days, 17 hours, 46 minutes, 39 seconds
            Data length: 16
            Primary name: copernic.crdp.ac-aix-marseille.fr
        copernic.crdp.ac-aix-marseille.fr: type A, class inet, addr 194.254.139.4
*** And here is the final answer...
*** with the indication that it is an alias, and the real name.
            Name: copernic.crdp.ac-aix-marseille.fr
            Type: Host address
            Class: inet
            Time to live: 115 days, 17 hours, 46 minutes, 39 seconds
            Data length: 4
            Addr: 194.254.139.4
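The sniffer above decodes the 16-bit DNS flags word (0x0000, 0x8000, 0x0100, 0x8100, 0x8480) bit by bit and reports the UDP Length of each query as 49. The following Python is an added example, not code from the page or from any sniffer: it builds a one-question query the way frames 3, 5 and 7 show it, decodes the flags word into the same fields the sniffer names, and tells a referral (no answers, only authority records, frames 4 and 6) from a final answer (frame 8). The header field layout follows RFC 1035 section 4.1.1; the helper names are mine.

```python
# Added example (not from the original page): build a DNS query like the ones
# in frames 3, 5 and 7 and decode the 16-bit flags word that the sniffer
# displays as a bit field (RFC 1035 section 4.1.1 layout).
import struct

# (field, shift, width) within the flags word
FLAG_LAYOUT = (("qr", 15, 1), ("opcode", 11, 4), ("aa", 10, 1), ("tc", 9, 1),
               ("rd", 8, 1), ("ra", 7, 1), ("z", 4, 3), ("rcode", 0, 4))


def decode_flags(flags):
    """Split the flags word into named fields, e.g. 0x8480 -> qr=1, aa=1, ra=1."""
    return {name: (flags >> shift) & ((1 << width) - 1)
            for name, shift, width in FLAG_LAYOUT}


def build_header(txid, flags, qdcount, ancount, nscount, arcount):
    """12-byte DNS header, all fields big-endian 16-bit."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def parse_header(msg):
    """Inverse of build_header, with the flags already decoded."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": decode_flags(flags),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def encode_name(name):
    """Length-prefixed labels ending in a zero byte: 3www 16ac-aix-marseille 2fr 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in labels) + b"\x00"


def build_query(txid, name, qtype=1, rd=False):
    """One-question query (QCLASS IN); rd=True sets the 0x0100 bit seen in frame 5."""
    flags = 0x0100 if rd else 0x0000
    return (build_header(txid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def udp_length(dns_msg):
    """The UDP Length field the sniffer prints: 8-byte UDP header plus payload."""
    return 8 + len(dns_msg)


def classify(msg):
    """A referral carries no answers but authority NS records (frames 4, 6);
    a final answer carries answer records (frame 8)."""
    h = parse_header(msg)
    if not h["flags"]["qr"]:
        return "query"
    if h["flags"]["rcode"] != 0:
        return "error"
    if h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"
    return "answer"


if __name__ == "__main__":
    q = build_query(0x2673, "www.ac-aix-marseille.fr")
    print(len(q), "byte DNS message, UDP Length", udp_length(q))  # 41, 49 as in frame 3
    for word in (0x0000, 0x8000, 0x0100, 0x8100, 0x8480):
        print(hex(word), decode_flags(word))
```

The query for www.ac-aix-marseille.fr comes out at 41 bytes, which is exactly the 49 shown as UDP Length once the 8-byte UDP header is added, and 12 + 41 + 20 + 14 gives the 83 bytes on the wire; the same arithmetic gives 38 for the www.voila.fr query in frame 21.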
Here we hope to demonstrate that our DNS server will not start again from a root server, but from one of the servers able to tell us about the "fr." TLD. Indeed, if the cache is working correctly, this information should still be held by our DNS server.
Frame 21 (72 on wire, 72 captured)
...
    Protocol: UDP (0x11)
    Header checksum: 0x6750 (correct)
    Source: ca-ol-marseille-12-195.abo.wanadoo.fr (213.56.59.195)
    Destination: dns.Princeton.EDU (128.112.129.15)
*** We win!
*** It goes to dns.princeton.edu, a server supplied by the previous lookup.
User Datagram Protocol
    Source port: 1029 (1029)
    Destination port: domain (53)
    Length: 38
    Checksum: 0x89d0
Domain Name System (query)
    Transaction ID: 0x8e83
    Flags: 0x0000 (Standard query)
        0... .... .... .... = Query
        .000 0... .... .... = Standard query
        .... ..0. .... .... = Message is not truncated
        .... ...0 .... .... = Don't do query recursively
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.voila.fr: type A, class inet
            Name: www.voila.fr
            Type: Host address
            Class: inet
*** The question we are interested in now.

Frame 22 (189 on wire, 189 captured)
...
    Protocol: UDP (0x11)
    Header checksum: 0x8b04 (correct)
    Source: dns.Princeton.EDU (128.112.129.15)
    Destination: ca-ol-marseille-12-195.abo.wanadoo.fr (213.56.59.195)
User Datagram Protocol
    Source port: domain (53)
    Destination port: 1029 (1029)
    Length: 155
    Checksum: 0x36a7
Domain Name System (response)
    Transaction ID: 0x8e83
    Flags: 0x8080 (Standard query response, No error)
        1... .... .... .... = Response
        .000 0... .... .... = Standard query
        .... .0.. .... .... = Server isn't an authority for domain
        .... ..0. .... .... = Message is not truncated
        .... ...0 .... .... = Don't do query recursively
        .... .... 1... .... = Server can do recursive queries
        .... .... .... 0000 = No error
    Questions: 1
    Answer RRs: 2
    Authority RRs: 2
    Additional RRs: 2
    Queries
        www.voila.fr: type A, class inet
            Name: www.voila.fr
            Type: Host address
            Class: inet
    Answers
        www.voila.fr: type A, class inet, addr 195.101.94.81
*** Great!
*** We already have the final answer.
*** Perhaps because dns.princeton.edu is itself a recursive server.
*** Normally we should only have received the authoritative servers for the voila.fr domain.
            Name: www.voila.fr
            Type: Host address
            Class: inet
            Time to live: 1 day, 10 hours, 54 minutes, 28 seconds
            Data length: 4
            Addr: 195.101.94.81
        www.voila.fr: type A, class inet, addr 195.101.94.80
            Name: www.voila.fr
*** Look, it even has two addresses (that happens).
            Type: Host address
            Class: inet
            Time to live: 1 day, 10 hours, 54 minutes, 28 seconds
            Data length: 4
            Addr: 195.101.94.80
    Authoritative nameservers
*** We still receive, for information,
*** the name servers for voila.fr...
        voila.fr: type NS, class inet, ns ns.x-echo.com
            Name: voila.fr
            Type: Authoritative name server
            Class: inet
            Time to live: 4 days
            Data length: 15
            Name server: ns.x-echo.com
        voila.fr: type NS, class inet, ns ns1.x-echo.com
            Name: voila.fr
            Type: Authoritative name server
            Class: inet
            Time to live: 4 days
            Data length: 6
            Name server: ns1.x-echo.com
    Additional records
        ns.x-echo.com: type A, class inet, addr 195.101.94.1
            Name: ns.x-echo.com
            Type: Host address
            Class: inet
            Time to live: 12 hours, 7 minutes, 1 second
            Data length: 4
            Addr: 195.101.94.1
        ns1.x-echo.com: type A, class inet, addr 195.101.94.10
            Name: ns1.x-echo.com
            Type: Host address
            Class: inet
            Time to live: 12 hours, 10 minutes, 10 seconds
            Data length: 4
            Addr: 195.101.94.10
I hope this example has helped you understand how a recursive name server works:
Those of you who are very observant will have noticed that all the replies from the name servers also carry TTLs (Time To Live). This is the validity period of the information. It matters because it makes it possible to tell whether a piece of information held in the cache is still likely to be current. You will also have noticed that, depending on the domain or the server, this TTL can take different values.
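The two lookups above show the same mechanism twice: a cold cache starts at a root server, a warm cache starts at the deepest name servers it already knows (the fr servers for www.voila.fr), and each NS set is only reusable until its TTL runs out. The Python below is an added example, not code from the page: a toy iterative resolver with a TTL-aware cache, fed with delegation data constructed from the records visible in the frames (the fr, ac-aix-marseille.fr and voila.fr NS sets with their TTLs, and the two final A records). Servers are simulated as functions; nothing is sent on the network. It models the expected behaviour, a referral per delegation level, rather than the shortcut dns.princeton.edu took in frame 22, and picks the first server of each NS set instead of whichever one a real resolver would select.

```python
# Added example (not from the original page): a toy iterative resolver with a
# TTL-aware cache that walks the same referral chain the capture shows.
# Delegation data is constructed from records visible in the frames; servers
# are simulated as functions, nothing is sent on the network.
DAY = 86400
ROOT = "h.root-servers.net"   # stands in for the whole root server set

# zone -> (TTL of the NS set, NS names); TTLs as seen in the capture
DELEGATIONS = {
    "fr": (2 * DAY, ["NS1.NIC.FR", "NS-EXT.VIX.COM", "DNS.PRINCETON.EDU"]),
    "ac-aix-marseille.fr": (4 * DAY, ["dnse.ac-aix-marseille.fr", "cianame.ac-clermont.fr"]),
    "voila.fr": (4 * DAY, ["ns.x-echo.com", "ns1.x-echo.com"]),
}
# name -> (TTL, addresses) held by the zone's authoritative servers
RECORDS = {
    "www.ac-aix-marseille.fr": (115 * DAY, ["194.254.139.4"]),
    "www.voila.fr": (1 * DAY, ["195.101.94.81", "195.101.94.80"]),
}


def is_within(name, zone):
    """True if name lies in zone (the root zone "" encloses everything)."""
    return zone == "" or name == zone or name.endswith("." + zone)


def zone_of(server):
    """Zone a simulated server is authoritative for."""
    if server == ROOT:
        return ""
    return next(z for z, (_, ns) in DELEGATIONS.items() if server in ns)


def ask(server, qname):
    """Simulated authoritative server: like the root in frame 4 or the fr
    server in frame 6, it refers the resolver to the delegation directly
    below its own zone that encloses qname; with none, it answers (frame 8)."""
    own = zone_of(server)
    children = [z for z in DELEGATIONS
                if z != own and is_within(z, own) and is_within(qname, z)]
    if children:
        child = min(children, key=lambda z: z.count("."))   # nearest delegation
        ttl, ns = DELEGATIONS[child]
        return ("referral", child, ttl, list(ns))
    ttl, addrs = RECORDS.get(qname, (0, []))   # unknown names: empty answer
    return ("answer", qname, ttl, list(addrs))


class Resolver:
    def __init__(self, clock):
        self.clock = clock   # callable returning "now" in seconds
        self.cache = {}      # (rrtype, name) -> (expiry, data)

    def _get(self, key):
        hit = self.cache.get(key)
        if hit and hit[0] > self.clock():
            return hit[1]
        self.cache.pop(key, None)      # TTL elapsed: the entry is forgotten
        return None

    def _put(self, key, ttl, data):
        self.cache[key] = (self.clock() + ttl, data)

    def closest_ns(self, qname):
        """Deepest cached NS set enclosing qname, or the root if none."""
        labels = qname.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            ns = self._get(("NS", zone))
            if ns:
                return zone, ns
        return "", [ROOT]

    def resolve(self, qname):
        """Return (addresses, servers contacted), following referrals."""
        cached = self._get(("A", qname))
        if cached is not None:
            return cached, []
        _, servers = self.closest_ns(qname)
        contacted = []
        while True:
            server = servers[0]   # real resolvers choose among the set; any will do here
            contacted.append(server)
            kind, name, ttl, data = ask(server, qname)
            self._put(("NS" if kind == "referral" else "A", name), ttl, data)
            if kind == "answer":
                return data, contacted
            servers = data


def demo():
    """Replay the capture's two lookups, then repeat one after TTLs lapse."""
    now = [0]
    r = Resolver(lambda: now[0])
    _, cold = r.resolve("www.ac-aix-marseille.fr")   # empty cache: starts at the root
    _, warm = r.resolve("www.voila.fr")              # starts at a cached fr server
    now[0] += 3 * DAY   # fr NS set (2 days) and www.voila.fr A (1 day) have expired
    _, tld_expired = r.resolve("www.voila.fr")       # voila.fr NS set (4 days) still cached
    now[0] += 2 * DAY   # everything has now expired
    _, all_expired = r.resolve("www.voila.fr")       # back to the root
    return {"cold": cold, "warm": warm, "tld_expired": tld_expired, "all_expired": all_expired}


if __name__ == "__main__":
    for label, servers in demo().items():
        print(f"{label:12s} {' -> '.join(servers)}")
```

The third case is worth noticing: after three days the fr NS set has expired but the voila.fr NS set (TTL 4 days) has not, so the resolver goes straight to ns.x-echo.com, which is the "deepest cached NS set" rule at work, and only once every TTL has lapsed does it return to the root.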