DNS Traffic: Do Not Skip
Nov 8, 2022
Brief about DNS:
DNS translates domain names into IP addresses so that a web browser can load the requested website.
While analysing any network traffic, always look at the DNS queries that were made on the network, because DNS reveals every hostname the host tried to reach.
Your Setup:
- Wireshark (recommended)
- https://mega.nz/file/JqIDQQIR#ybZVdUJLte8BJmFZ3s2mJF3gNPj5CubsrYiA429xfns (a PCAP taken from a CTF challenge)
- tshark (apt install tshark)
Start Analysing:
- Add the display filter dns
Filtering out all the DNS queries:
- After applying the dns filter, click on the first DNS packet in the traffic and look at the packet details pane below.
- Look at all the queries in the DNS info:
- Right-click on the Name field under Queries and choose Apply as Column.
- After looking at all these DNS queries, we noticed something suspicious: the leftmost subdomain label keeps changing from query to query, while the rest of the name stays the same.
- To decode the subdomains we use tshark, the command-line utility that ships with Wireshark.
Using Tshark🦈:
- Use tshark to print the queried name of every DNS packet (the -Y dns display filter drops the empty lines that non-DNS packets would otherwise produce):
tshark -r file.pcap -Y dns -T fields -e dns.qry.name | tee domains.txt
- Remove the duplicates among the subdomains associated with the IP address 10.0.2.10 (each lookup appears twice, once for the query and once for the response, so adjacent duplicates collapse with uniq).
- Remove the other DNS queries that are not relevant.
- Keep only the first label of each subdomain (everything before the first dot), preserving the order in which the queries were made:
uniq domains.txt | awk -F. '{print $1}'
It seems that this is some sort of encoding.
Time to Decode the Secret:
- Try all the base encoding schemes I know, i.e. base64, base32 and base16.
- Multiple layers of encoding may be present.
- Let's try ROT13.
- Let's try all the bases again:
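The whole procedure above, from the raw tshark field output to the peeled encoding layers, as an added Python example (not code from the original post). It constructs its own sample of what `tshark -T fields -e dns.qry.name` prints, so the tunnel domain `updates.example.net`, the hidden string and the base32-over-base64 layering are all assumptions made here, not facts about the CTF file. The example goes slightly beyond the post: instead of assuming you already know which name is suspicious, it groups queries by parent domain and flags the one whose first labels are long and high-entropy, which is the same heuristic a DNS-tunnelling detection rule would use.

```python
"""Detect and decode data smuggled in DNS query labels (constructed example)."""
import base64
import codecs
import math
import string
from collections import Counter, defaultdict

ZONE = "updates.example.net"  # hypothetical tunnel domain, chosen for this example


def encode_sample(secret: str, zone: str = ZONE, chunk: int = 20):
    """Build query names the way a simple tunnel would: base32(base64(secret)),
    padding stripped and lowercased (DNS is case-insensitive), cut into labels."""
    inner = base64.b64encode(secret.encode()).decode()
    outer = base64.b32encode(inner.encode()).decode().rstrip("=").lower()
    return [f"{outer[i:i + chunk]}.{zone}" for i in range(0, len(outer), chunk)]


# Constructed stand-in for `tshark -r file.pcap -T fields -e dns.qry.name` output:
# every lookup appears twice (query + response) and benign traffic is mixed in.
_tunnel = encode_sample("flag{dns_is_not_boring}")
SAMPLE_LINES = (
    ["", "www.ubuntu.com", "www.ubuntu.com"]                     # "" = non-DNS packet row
    + [_tunnel[0], _tunnel[0], "ntp.ubuntu.com", "ntp.ubuntu.com"]
    + [_tunnel[1], _tunnel[1], _tunnel[2], _tunnel[2]]
)


def unique_in_order(lines):
    """Like `uniq`, but also removes non-adjacent repeats; first-seen order is kept
    because the chunks must be reassembled in the order they were queried."""
    seen, out = set(), []
    for line in lines:
        name = line.strip().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def flag_tunnel_candidates(names, min_labels=3, min_avg_len=12, min_avg_entropy=2.5):
    """Map parent domain -> concatenated first labels, for parents that received
    several distinct, long, high-entropy first labels (a tunnelling heuristic)."""
    groups = defaultdict(list)
    for name in names:
        first, _, parent = name.partition(".")
        groups[parent].append(first)
    flagged = {}
    for parent, labels in groups.items():
        if len(labels) < min_labels:
            continue
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged[parent] = "".join(labels)
    return flagged


_B64 = set(string.ascii_letters + string.digits + "+/=")
_B32 = set(string.ascii_letters + "234567=")
_HEX = set(string.hexdigits)


def _printable(raw: bytes):
    """Return the decoded text if it is printable ASCII, else None."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in string.printable for c in text) else None


def _decoders(s):
    """Yield (name, thunk) for each scheme whose alphabet matches `s`;
    missing padding is restored because tunnels usually strip it."""
    if set(s) <= _HEX and len(s) % 2 == 0:
        yield "hex", lambda: bytes.fromhex(s)
    if set(s) <= _B32:
        yield "base32", lambda: base64.b32decode(s.upper() + "=" * (-len(s) % 8))
    if set(s) <= _B64:
        yield "base64", lambda: base64.b64decode(s + "=" * (-len(s) % 4))


def peel_layers(blob, max_depth=3, chain=()):
    """Depth-first attempt of hex/base32/base64; every chain whose output is
    printable ASCII is kept, so multi-layer encodings are found automatically."""
    results = []
    if len(chain) >= max_depth:
        return results
    for name, decode in _decoders(blob):
        try:
            text = _printable(decode())
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if text is None:
            continue
        results.append((chain + (name,), text))
        results.extend(peel_layers(text, max_depth, chain + (name,)))
    return results


def rot13(text):
    """ROT13 is its own inverse and never fails, so it is tried explicitly, as in the post."""
    return codecs.decode(text, "rot_13")


def recover(lines=SAMPLE_LINES):
    """Full pipeline: dedupe -> flag suspicious parent -> peel layers."""
    hits = {}
    for parent, blob in flag_tunnel_candidates(unique_in_order(lines)).items():
        for chain, text in peel_layers(blob):
            hits[(parent,) + chain] = text
    return hits


if __name__ == "__main__":
    for key, text in recover().items():
        print(" -> ".join(key), repr(text))
```

To use it on a real capture, replace `SAMPLE_LINES` with `open("domains.txt").read().splitlines()`. The printable-ASCII filter is what stops the search from accepting junk: base32 text is also valid base64 input, so the base64 branch "succeeds" on it but yields unprintable bytes and is discarded, leaving the base32 -> base64 chain as the one that reaches readable text.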