python, dns, scapy

How to read scapy's DNS response to get the resolved domain's IP address?


Having the following snippet:

#!/usr/bin/env python

from scapy.layers.inet import UDP, IP
from scapy.layers.dns import DNS, DNSQR
from scapy.sendrecv import sr1

# Send one recursive (rd=1) A query for www.stackoverflow.com to 8.8.8.8 and wait for the reply
dns_resp = sr1(IP(dst="8.8.8.8") / UDP(dport=53) /
               DNS(rd=1, qd=DNSQR(qname="www.stackoverflow.com")))
print(dns_resp.summary())
# On Python 2 this prints the raw packet bytes, which is the unreadable output below
print(dns_resp)

I get the following result:

Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
IP / UDP / DNS Ans "stackoverflow.com." 
[... raw packet bytes, not printable ...]

I can remove www. from the URL and then I get the IP, but I cannot programmatically extract it from the packet (in code).

Begin emission:
.Finished to send 1 packets.
*
Received 2 packets, got 1 answers, remaining 0 packets
IP / UDP / DNS Ans "151.101.1.69" 
[... raw packet bytes, not printable ...]

I would like to resolve www.stackoverflow.com into its IP address. How can I do it regardless of the input (whether it's www.stackoverflow.com or stackoverflow.com)?

I tried doing this in scapy's console and I get the following:

>>> r=sr1(IP(dst="8.8.8.8")/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="www.stackoverflow.com")))
Begin emission:
.Finished to send 1 packets.
.*
Received 3 packets, got 1 answers, remaining 0 packets
>>> r
<IP  version=4L ihl=5L tos=0x0 len=145 id=7835 flags= frag=0L ttl=47 proto=udp chksum=0x9a88 src=8.8.8.8 dst=192.168.1.129 options=[] |<UDP  sport=domain dport=domain len=125 chksum=0x738c |<DNS  id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L ad=0L cd=0L rcode=ok qdcount=1 ancount=5 nscount=0 arcount=0 qd=<DNSQR  qname='www.stackoverflow.com.' qtype=A qclass=IN |> an=<DNSRR  rrname='www.stackoverflow.com.' type=CNAME rclass=IN ttl=2927 rdata='stackoverflow.com.' |<DNSRR  rrname='stackoverflow.com.' type=A rclass=IN ttl=263 rdata='151.101.1.69' |<DNSRR  rrname='stackoverflow.com.' type=A rclass=IN ttl=263 rdata='151.101.65.69' |<DNSRR  rrname='stackoverflow.com.' type=A rclass=IN ttl=263 rdata='151.101.129.69' |<DNSRR  rrname='stackoverflow.com.' type=A rclass=IN ttl=263 rdata='151.101.193.69' |>>>>> ns=None ar=None |>>>

Can I somehow filter this information by DNS response type (an A-type response is of type 1 in scapy, as far as I know)?


Solution

  • You can use dns_resp[DNS] to access the DNS layer, and it has some functions to get details.

    from scapy.layers.inet import IP, UDP
    from scapy.layers.dns import DNS, DNSQR, DNSRR
    from scapy.sendrecv import sr1

    # dns_resp is the reply to the query from the question
    dns_resp = sr1(IP(dst="8.8.8.8") / UDP(dport=53) /
                   DNS(rd=1, qd=DNSQR(qname="www.stackoverflow.com")))

    print("--------------------")
    print(dns_resp.summary())
    print("--------------------")
    # dns_resp[DNS] is the DNS layer (the same object as dns_resp.payload.payload)
    print('name:', dns_resp[DNS].name)
    print(repr(dns_resp[DNS]))
    print("--------------------")
    # ancount is the number of resource records in the answer section
    print('layers:', dns_resp[DNS].ancount)
    print("--------------------")

    # Walk the answer RRs; dns_resp[DNSRR][x] is the (x+1)-th DNSRR when the records
    # are chained as payloads. dns_resp.getlayer(DNSRR, x + 1) finds the same record
    # whether the RRs are chained or stored as a list.
    for x in range(dns_resp[DNS].ancount):
        print(dns_resp[DNSRR][x].rdata)

    print("--------------------")
    

    Result

    --------------------
    IP / UDP / DNS Ans "stackoverflow.com." 
    --------------------
    name: DNS
    <DNS  id=0 qr=1L opcode=QUERY aa=0L tc=0L rd=1L ra=1L z=0L ad=0L cd=0L rcode=ok qdcount=1 ancount=5 nscount=0 arcount=0 qd=<DNSQR  qname='www.stackoverflow.com.' qtype=A qclass=IN |> an=<DNSRR  rrname='www.stackoverflow.com.' type=CNAME rclass=IN ttl=3379 rdata='stackoverflow.com.' |<DNSRR  rrname='stackoverflow.com.' type=A rclass=IN ttl=79 rdata='151.101.1.69' |<DNSRR  rrname='stackoverflow.com.' type=A rclass=IN ttl=79 rdata='151.101.65.69' |<DNSRR  rrname='stackoverflow.com.' type=A rclass=IN ttl=79 rdata='151.101.129.69' |<DNSRR  rrname='stackoverflow.com.' type=A rclass=IN ttl=79 rdata='151.101.193.69' |>>>>> ns=None ar=None |>
    --------------------
    layers: 5
    --------------------
    stackoverflow.com.
    151.101.1.69
    151.101.65.69
    151.101.129.69
    151.101.193.69
    --------------------
    

    I found this information on a page which was removed, so I put a link to the Archive.org copy.

    Original: Scapy – Iterating over DNS Responses

    Archive.org: Scapy – Iterating over DNS Responses
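The filter-by-record-type the question asks about, as an added example that is not part of the question, the answer, or scapy itself. It works on the raw DNS message rather than scapy's DNSRR objects so it runs with nothing but the standard library; the same bytes come out of a scapy reply as bytes(dns_resp[DNS]), and the type == 1 test here is exactly what rr.type == 1 means on a scapy DNSRR. It also does the two things the post's loop skips: it checks rcode before trusting the answer section, and it follows the CNAME chain from the queried name so the same call works for www.stackoverflow.com and stackoverflow.com. The sample response is constructed inline to mirror the answer shown in the post; the transaction ID 0x1234, the TTLs and the helper names are assumptions.

```python
"""Added example (not from the original post or scapy): extract A records from a
raw DNS response.  Feed it bytes(dns_resp[DNS]) from scapy, or SAMPLE_RESPONSE."""
import struct
from typing import List, Tuple

TYPE_A = 1        # RR type codes from RFC 1035; scapy shows them as type=A / type=CNAME
TYPE_CNAME = 5


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a domain name at offset, following RFC 1035 compression pointers.
    Returns (name with trailing dot, offset just past the in-line name).
    Pointers must point backwards, which rules out pointer loops."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: compression pointer
            if end is None:
                end = offset + 2
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward or self-referencing compression pointer")
            offset = pointer
            continue
        if length == 0:                                 # root label ends the name
            if end is None:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_dns_answers(msg: bytes) -> List[dict]:
    """Answer section as dicts using scapy's field names: rrname, type, ttl, rdata."""
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    if rcode != 0:                                      # 2 = SERVFAIL, 3 = NXDOMAIN, ...
        raise ValueError("resolver returned rcode %d" % rcode)
    offset = 12
    for _ in range(qdcount):                            # skip question: name, qtype, qclass
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        rrname, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rdlength == 4:
            rdata = ".".join(str(b) for b in msg[offset:offset + 4])
        elif rtype == TYPE_CNAME:
            rdata, _ = _read_name(msg, offset)          # CNAME target may be compressed
        else:
            rdata = msg[offset:offset + rdlength]       # other types are left raw
        answers.append({"rrname": rrname, "type": rtype, "ttl": ttl, "rdata": rdata})
        offset += rdlength
    return answers


def resolve_a(msg: bytes, qname: str) -> List[str]:
    """Addresses for qname: follow its CNAME chain, then keep only type 1 (A) records
    whose rrname is the name reached, so unrelated records in the answer are ignored."""
    answers = parse_dns_answers(msg)
    target = qname.lower().rstrip(".") + "."
    seen = set()
    while target not in seen:
        seen.add(target)
        cnames = [rr["rdata"] for rr in answers
                  if rr["type"] == TYPE_CNAME and rr["rrname"].lower() == target]
        if not cnames:
            break
        target = cnames[0].lower()
    return [rr["rdata"] for rr in answers
            if rr["type"] == TYPE_A and rr["rrname"].lower() == target]


def _labels(name: str) -> bytes:
    """Encode a dotted name as uncompressed labels (only used to build the samples)."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.strip(".").split(".")) + b"\x00"


def _rr(name: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed sample mirroring the post: www.stackoverflow.com is a CNAME for
# stackoverflow.com, which has two A records.  0xC00C and 0xC010 are compression
# pointers to offsets 12 and 16 inside the question name.  ID and TTLs are assumed.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)   # QR=1 RD=1 RA=1 rcode=0
    + _labels("www.stackoverflow.com") + struct.pack("!HH", TYPE_A, 1)
    + _rr(b"\xc0\x0c", TYPE_CNAME, 2927, b"\xc0\x10")
    + _rr(b"\xc0\x10", TYPE_A, 263, bytes([151, 101, 1, 69]))
    + _rr(b"\xc0\x10", TYPE_A, 263, bytes([151, 101, 65, 69]))
)

# Constructed NXDOMAIN reply (rcode 3, empty answer section) for a non-existent name.
NXDOMAIN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + _labels("nope.invalid") + struct.pack("!HH", TYPE_A, 1)
)

if __name__ == "__main__":
    for rr in parse_dns_answers(SAMPLE_RESPONSE):
        print(rr)
    print(resolve_a(SAMPLE_RESPONSE, "www.stackoverflow.com"))
```

With a live scapy reply the call is resolve_a(bytes(dns_resp[DNS]), "www.stackoverflow.com"); parse_dns_answers raises on a non-zero rcode instead of returning an empty list so that NXDOMAIN or SERVFAIL is not silently confused with "no A records".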