Wireshark mailing list archives

Re: How does Wireshark do name resolution?


From: Martin Visser <martinvisser99 () gmail com>
Date: Fri, 8 Jan 2010 00:26:08 +1100

Richard,

I think you are not getting it.

In short, you happen to have got a *lucky* result from the public reverse
DNS that is meaningful to you. There is no guarantee that this is going to
be the case in any other situations. In fact, for a huge number of real
server IP addresses, you will find that there is simply no reverse DNS
entry.

In Wireshark, if you want to *prettify* the name results for situations where
either you don't like the name presented (and want to override it), or provide
one where there isn't one, all you need to do is provide a private "hosts" file
as per http://wiki.wireshark.org/Preferences/NameResolution.

Your application can do something similar if you wish.

Regards, Martin

MartinVisser99 () gmail com


On Thu, Jan 7, 2010 at 10:39 PM, Andrew Hood <ajhood () fl net au> wrote:

Richard Brooks wrote:
Hello Guy

You're just not getting it.

The question is: given the IP address '74.125.127.208', how does one query
a DNS server (in this case DNS IP 8.8.8.8 = public Google DNS) to get the
reply 'bskyb-pop3-ssl.l.google.co' (which is the reply Wireshark gets), and
not the reply 'pz-in-f208.1e100.net', which is what nslookup gets back.

If your system did a DNS lookup of bskyb-pop3-ssl.l.google.com while
Wireshark was running it could have cached the result and used that
resolution.

There is nothing invalid about the PTR record and the A record not
matching. Not good style, but not illegal. The PTR record is in a block
directly allocated to Google. They can map it to whatever they like.
1e100.net have an A record that matches the PTR record. Google have
chosen not to provide PTR records for every A record that might point
into their space. This can be bad news for a mail server.

: dig bskyb-pop3-ssl.l.google.com

; <<>> DiG 9.3.5-P1 <<>> bskyb-pop3-ssl.l.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20404
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;bskyb-pop3-ssl.l.google.com.   IN      A

;; ANSWER SECTION:
bskyb-pop3-ssl.l.google.com. 300 IN     A       74.125.155.208

;; AUTHORITY SECTION:
google.com.             53445   IN      NS      ns1.google.com.
google.com.             53445   IN      NS      ns2.google.com.
google.com.             53445   IN      NS      ns3.google.com.
google.com.             53445   IN      NS      ns4.google.com.

;; Query time: 209 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan  7 22:23:39 2010
;; MSG SIZE  rcvd: 133


: dig -x 74.125.155.208

; <<>> DiG 9.3.5-P1 <<>> -x 74.125.155.208
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32369
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;208.155.125.74.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
208.155.125.74.in-addr.arpa. 86400 IN   PTR     px-in-f208.1e100.net.

;; AUTHORITY SECTION:
125.74.in-addr.arpa.    86190   IN      NS      NS2.GOOGLE.COM.
125.74.in-addr.arpa.    86190   IN      NS      NS3.GOOGLE.COM.
125.74.in-addr.arpa.    86190   IN      NS      NS4.GOOGLE.COM.
125.74.in-addr.arpa.    86190   IN      NS      NS1.GOOGLE.COM.

;; Query time: 203 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan  7 22:26:25 2010
;; MSG SIZE  rcvd: 161


: whois 74.125.155.208
OrgName:    Google Inc.
OrgID:      GOGL
Address:    1600 Amphitheatre Parkway
City:       Mountain View
StateProv:  CA
PostalCode: 94043
Country:    US

NetRange:   74.125.0.0 - 74.125.255.255
CIDR:       74.125.0.0/16
NetName:    GOOGLE
NetHandle:  NET-74-125-0-0-1
Parent:     NET-74-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
Comment:
RegDate:    2007-03-13
Updated:    2007-05-22

OrgTechHandle: ZG39-ARIN
OrgTechName:   Google Inc.
OrgTechPhone:  +1-650-318-0200
OrgTechEmail:  arin-contact () google com

# ARIN WHOIS database, last updated 2010-01-06 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html


: dig px-in-f208.1e100.net.

; <<>> DiG 9.3.5-P1 <<>> px-in-f208.1e100.net.
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36422
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;px-in-f208.1e100.net.          IN      A

;; ANSWER SECTION:
px-in-f208.1e100.net.   86400   IN      A       74.125.155.208

;; AUTHORITY SECTION:
1e100.net.              172800  IN      NS      ns4.google.com.
1e100.net.              172800  IN      NS      ns1.google.com.
1e100.net.              172800  IN      NS      ns2.google.com.
1e100.net.              172800  IN      NS      ns3.google.com.

;; Query time: 220 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan  7 22:29:39 2010
;; MSG SIZE  rcvd: 136


--
There's no point in being grown up if you can't be childish sometimes.
               -- Dr. Who
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
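An added example (not code from this thread or from Wireshark) that models the resolution order the two replies describe: a private hosts file overrides everything, a forward (A) answer observed while the sniffer was running can be reused for the address it returned, and only then is a PTR query made, whose result is cross-checked against the name's own A records so an unconfirmed reverse name is labelled as such. The record tables are constructed from the dig output quoted above and stand in for a real resolver so the script runs offline; the hosts-file contents, the `.test` names and the 192.0.2.0/24 addresses are made up for illustration.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed lookup tables, taken from the dig output quoted in the thread.
# They stand in for a real resolver so that the example runs offline.
PTR_RECORDS: Dict[str, str] = {"74.125.155.208": "px-in-f208.1e100.net"}
A_RECORDS: Dict[str, List[str]] = {
    "px-in-f208.1e100.net": ["74.125.155.208"],
    "bskyb-pop3-ssl.l.google.com": ["74.125.155.208"],
}

# Constructed private hosts file in the layout Wireshark's name-resolution
# preferences accept (same as /etc/hosts: address, then one or more names).
HOSTS_FILE = """\
# comment and blank lines are ignored
74.125.155.208   mail-relay.example.test   pop3-google
10.0.0.5         internal-db
not-an-address   ignored
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {address: first name} from hosts-file text; malformed lines are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalises the text form
        except ValueError:
            continue  # not an IP address: skip rather than abort
        table.setdefault(addr, fields[1])  # first entry for an address wins
    return table


def learn_from_answer(cache: Dict[str, str], name: str, addresses: List[str]) -> None:
    """Record a forward (A) answer seen on the wire, as a running sniffer could."""
    for addr in addresses:
        cache.setdefault(addr, name)


def resolve_display_name(
    ip: str,
    hosts: Dict[str, str],
    forward_cache: Optional[Dict[str, str]] = None,
    ptr: Callable[[str], Optional[str]] = PTR_RECORDS.get,
    a: Callable[[str], Optional[List[str]]] = A_RECORDS.get,
) -> Tuple[str, str]:
    """Return (name, source). Order: hosts file, cached forward answers, PTR.

    A PTR answer is reported as 'ptr-confirmed' only when the name's A records
    contain the original address (forward-confirmed reverse DNS); otherwise it
    is 'ptr-unconfirmed', so the caller knows the label was not cross-checked.
    """
    ip = str(ipaddress.ip_address(ip))
    if ip in hosts:
        return hosts[ip], "hosts"
    if forward_cache and ip in forward_cache:
        return forward_cache[ip], "forward-cache"
    name = ptr(ip)
    if name is None:
        return ip, "none"  # no PTR record: fall back to the bare address
    if ip in (a(name) or []):
        return name, "ptr-confirmed"
    return name, "ptr-unconfirmed"


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    seen: Dict[str, str] = {}
    learn_from_answer(seen, "bskyb-pop3-ssl.l.google.com", ["74.125.155.208"])
    for addr in ("74.125.155.208", "74.125.127.208"):
        print(addr, resolve_display_name(addr, hosts))
        print(addr, resolve_display_name(addr, {}, seen))
        print(addr, resolve_display_name(addr, {}))
```

The `source` element of the result is the part worth keeping in a real tool: a name that came from a hosts file or a cached forward answer says nothing about what the reverse zone holds, and a PTR name whose A records do not lead back to the address should not be trusted as an identity for the host, only displayed as a hint.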
