Home / server / Questions / 1083193
Accepted
tink
Asked: 2021-11-11 14:01:09 +0800 CST

Wireshark find DNS response "Refused"

  • 772

I'm looking for a way to filter a packet capture in wireshark for instances where our server responds with "Refused" to a recursive DNS query.

dns.resp.type== doesn't seem to offer anything that I see as a match to my request, do I need to look somewhere other than under dns.resp altogether?

domain-name-system reverse-dns wireshark

1 Answers

  1. Best Answer

    Based on https://www.wireshark.org/docs/dfref/d/dns.html you need to use dns.flags.rcode defined as:

    dns.flags.rcode Reply code Unsigned integer, 2 bytes 1.0.0 to 3.4.9

    "Reply code" is defined in §4.1.1. of RFC 1035 as "response code" with "Refused" being value 5:

    5 Refused - The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data.

    As Wireshark defines it as 2 bytes, maybe it is the whole structure depicted in the RFC:

                                        1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

    So to compare RCODE to value 5 you may have to mask other bits.

    • 2