Wireshark mailing list archives

Re: How does Wireshark do name resolution?


From: Guy Harris <guy () alum mit edu>
Date: Wed, 6 Jan 2010 16:28:37 -0800


On Jan 6, 2010, at 12:55 PM, Richard Brooks wrote:

> I think that Sky have more than one email server/mirror. Try doing an
> nslookup on '74.125.127.208', on my PC it came back as
> 'pz-inf208.1e100.net'.

So there are at least two different A records out there in DNSland that return 74.125.127.208.

Let's see:

$ host -a bskyb-pop3-ssl.l.google.com
Trying "bskyb-pop3-ssl.l.google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51975
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;bskyb-pop3-ssl.l.google.com.   IN      ANY

;; ANSWER SECTION:
bskyb-pop3-ssl.l.google.com. 211 IN     A       74.125.127.208

;; AUTHORITY SECTION:
google.com.             31920   IN      NS      ns1.google.com.
google.com.             31920   IN      NS      ns3.google.com.
google.com.             31920   IN      NS      ns4.google.com.
google.com.             31920   IN      NS      ns2.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         341295  IN      A       216.239.34.10
ns1.google.com.         36532   IN      A       216.239.32.10
ns4.google.com.         150710  IN      A       216.239.38.10
ns3.google.com.         70248   IN      A       216.239.36.10

Received 197 bytes from XX.XX.XX.XX#53 in 23 ms

$ host -a pz-in-f208.1e100.net
Trying "pz-in-f208.1e100.net"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34359
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13

;; QUESTION SECTION:
;pz-in-f208.1e100.net.          IN      ANY

;; ANSWER SECTION:
pz-in-f208.1e100.net.   86351   IN      A       74.125.127.208

;; AUTHORITY SECTION:
net.                    17825   IN      NS      E.GTLD-SERVERS.net.
net.                    17825   IN      NS      H.GTLD-SERVERS.net.
net.                    17825   IN      NS      D.GTLD-SERVERS.net.
net.                    17825   IN      NS      J.GTLD-SERVERS.net.
net.                    17825   IN      NS      F.GTLD-SERVERS.net.
net.                    17825   IN      NS      G.GTLD-SERVERS.net.
net.                    17825   IN      NS      I.GTLD-SERVERS.net.
net.                    17825   IN      NS      A.GTLD-SERVERS.net.
net.                    17825   IN      NS      C.GTLD-SERVERS.net.
net.                    17825   IN      NS      K.GTLD-SERVERS.net.
net.                    17825   IN      NS      B.GTLD-SERVERS.net.
net.                    17825   IN      NS      M.GTLD-SERVERS.net.
net.                    17825   IN      NS      L.GTLD-SERVERS.net.

;; ADDITIONAL SECTION:
B.GTLD-SERVERS.net.     75602   IN      A       192.33.14.30
B.GTLD-SERVERS.net.     75602   IN      AAAA    2001:503:231d::2:30
F.GTLD-SERVERS.net.     85234   IN      A       192.35.51.30
J.GTLD-SERVERS.net.     78545   IN      A       192.48.79.30
H.GTLD-SERVERS.net.     79639   IN      A       192.54.112.30
L.GTLD-SERVERS.net.     150475  IN      A       192.41.162.30
I.GTLD-SERVERS.net.     155091  IN      A       192.43.172.30
A.GTLD-SERVERS.net.     57911   IN      A       192.5.6.30
A.GTLD-SERVERS.net.     57911   IN      AAAA    2001:503:a83e::2:30
D.GTLD-SERVERS.net.     55140   IN      A       192.31.80.30
K.GTLD-SERVERS.net.     109507  IN      A       192.52.178.30
M.GTLD-SERVERS.net.     41034   IN      A       192.55.83.30
C.GTLD-SERVERS.net.     75746   IN      A       192.26.92.30

Received 507 bytes from XX.XX.XX.XX#53 in 2 ms

Both of those came from an internal server caching the results.  And for the reverse lookup:

$ host -a 74.125.127.208             
Trying "208.127.125.74.in-addr.arpa"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55402
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;208.127.125.74.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
208.127.125.74.in-addr.arpa. 86210 IN   PTR     pz-in-f208.1e100.net.

;; AUTHORITY SECTION:
125.74.in-addr.arpa.    44346   IN      NS      NS4.GOOGLE.COM.
125.74.in-addr.arpa.    44346   IN      NS      NS1.GOOGLE.COM.
125.74.in-addr.arpa.    44346   IN      NS      NS3.GOOGLE.COM.
125.74.in-addr.arpa.    44346   IN      NS      NS2.GOOGLE.COM.

;; ADDITIONAL SECTION:
NS1.GOOGLE.COM.         36446   IN      A       216.239.32.10
NS3.GOOGLE.COM.         70162   IN      A       216.239.36.10
NS4.GOOGLE.COM.         150624  IN      A       216.239.38.10
NS2.GOOGLE.COM.         341209  IN      A       216.239.34.10

Received 225 bytes from XX.XX.XX.XX#53 in 7 ms

Again, from the internal server.

Perhaps if some other server is queried, a different PTR record will come back for 208.127.125.74.in-addr.arpa.  It 
would be interesting to see the DNS traffic issued when you do an nslookup on 74.125.127.208 and when Wireshark 
resolves 74.125.127.208.

The problem is that the difference might just reflect configuration differences in the resolvers, or quirks of the 
current implementations of those resolvers, or something else not guaranteed to be an invariant characteristic of 
whatever resolver Wireshark happens to be using (which is a function of how it was built - it might just be using the 
native OS's resolver, rather than any of the asynchronous resolvers it can be configured to use).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
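The asymmetry the message demonstrates (two forward names with A records for one address, but a single PTR record for that address, which is what an analyser doing reverse lookups will display) can be modelled offline. The following is an added example, not Wireshark code and not part of the thread; its record table is constructed from the `host -a` output above, and the function names (`reverse_name`, `lookup_a`, `lookup_ptr`, `names_pointing_at`, `forward_confirmed`) are the example's own. It also goes slightly beyond the thread by including a forward-confirmed reverse DNS check, the standard way to decide whether a PTR answer should be trusted.

```python
"""Forward vs. reverse DNS on a constructed record set.

Added example, not Wireshark code. The records are taken from the host(1)
output quoted in the message; a real resolver would query the network
instead of this table.
"""
import ipaddress

# Constructed from the message's host -a output: two A records share one
# address, but the address has exactly one PTR record.
A_RECORDS = {
    "bskyb-pop3-ssl.l.google.com": ["74.125.127.208"],
    "pz-in-f208.1e100.net": ["74.125.127.208"],
}
PTR_RECORDS = {
    "208.127.125.74.in-addr.arpa": ["pz-in-f208.1e100.net"],
}


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa / ip6.arpa name a resolver queries for an IP.

    This is the "Trying 208.127.125.74.in-addr.arpa" step in the output above.
    """
    return ipaddress.ip_address(ip).reverse_pointer


def lookup_a(name: str) -> list:
    """Forward lookup: A records for a name (trailing dot tolerated)."""
    return A_RECORDS.get(name.rstrip("."), [])


def lookup_ptr(ip: str) -> list:
    """Reverse lookup: PTR records for an address, as a packet analyser would do."""
    return PTR_RECORDS.get(reverse_name(ip), [])


def names_pointing_at(ip: str) -> list:
    """Every forward name whose A record contains ip.

    A PTR lookup cannot tell you this: the zone owner picks one canonical
    name per address, so the name a user queried may never appear.
    """
    return sorted(name for name, addrs in A_RECORDS.items() if ip in addrs)


def forward_confirmed(ip: str) -> list:
    """Forward-confirmed reverse DNS: keep only PTR names that resolve back to ip.

    Anyone controlling a reverse zone can publish an arbitrary PTR string, so a
    displayed hostname should only be trusted if its A record agrees.
    """
    return [name for name in lookup_ptr(ip) if ip in lookup_a(name)]


if __name__ == "__main__":
    ip = "74.125.127.208"
    print("reverse query name :", reverse_name(ip))
    print("PTR answer         :", lookup_ptr(ip))
    print("forward names -> ip:", names_pointing_at(ip))
    print("forward-confirmed  :", forward_confirmed(ip))
```

Running it shows the point of the thread: the reverse lookup yields `pz-in-f208.1e100.net` only, even though `bskyb-pop3-ssl.l.google.com` also resolves to the same address, so which name an analyser displays depends on the reverse zone's contents (and on which resolver it was built to use), not on the name the client originally looked up.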

