Question

Q1 - Is it possible to capture DNS request/responses with the library?

Q2 - If yes, once I have the packet does anyone have any sample code that shows how I could extract the fields from the DNS response? In particular the IP address that DNS resolved for the given DNS name provided in particular.


Solution

Yes, it's possible.

Sample code would be a bit on the long side, though...

In essence, you need to:

  1. extract the ethernet header
  2. extract the IP header
  3. extract the UDP header [assuming the packet isn't fragmented, or using TCP]
  4. extract the DNS payload

then handle the rest of the packet according to the very thorough description given in RFC 1035.

In practice that means:

  1. ignore requests - all the info you need is in responses (QR == 1)
  2. check for RCODE == 0 and ANCOUNT > 0
  3. look in the Question section to find the name that was queried
  4. look for answers in the Answer (duh!) section

To further complicate matters you have to handle DNS labels (series of <count><data...> fields) and potentially handle compressed labels too!

This sounds nasty, but none of it is actually that hard. I have C++ code that does all this and it's not that long, but I can't release it.
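The steps listed in the answer above, as an added Python example that is not part of the original answer or the answerer's unreleased C++ code. It assumes an untagged Ethernet II frame carrying unfragmented IPv4/UDP from source port 53; the function names and the sample frame (documentation addresses, zeroed checksums) are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode the DNS name at msg[off]; return (name, offset just past the name field)."""
    labels, end = [], None
    for _ in range(255):                          # bounded: hostile pointers can form loops
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer (RFC 1035, 4.1.4)
            end = off + 2 if end is None else end  # the field ends after the first pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:                              # root label terminates the name
            return ".".join(labels), (off + 1 if end is None else end)
        else:                                     # ordinary <count><data...> label
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
    raise ValueError("name too long or compression pointer loop")

def dns_a_records(frame):
    """Return (queried name, [IPv4 addresses]) for a UDP DNS response, else None."""
    try:
        frag = struct.unpack("!H", frame[20:22])[0] & 0x3FFF   # MF bit + fragment offset
        if frame[12:14] != b"\x08\x00" or frame[23] != 17 or frag:
            return None                           # not IPv4, not UDP, or fragmented
        udp = 14 + (frame[14] & 0x0F) * 4         # Ethernet header + IP header length
        sport, _dport, ulen, _sum = struct.unpack("!4H", frame[udp:udp + 8])
        msg = frame[udp + 8:udp + ulen]           # DNS payload
        _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
        if sport != 53 or not flags & 0x8000 or flags & 0x000F or an == 0:
            return None                           # need QR == 1, RCODE == 0, ANCOUNT > 0
        off, qname, addrs = 12, "", []
        for _ in range(qd):                       # Question section: the queried name
            qname, off = read_name(msg, off)
            off += 4                              # skip QTYPE and QCLASS
        for _ in range(an):                       # Answer section
            _owner, off = read_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            (rdata,) = struct.unpack(f"!{rdlen}s", msg[off + 10:off + 10 + rdlen])
            off += 10 + rdlen
            if rtype == 1 and rclass == 1 and rdlen == 4:      # A record, class IN
                addrs.append(".".join(map(str, rdata)))
        return qname, addrs
    except (IndexError, struct.error, ValueError):
        return None                               # truncated or malformed packet

SAMPLE = bytes.fromhex(  # constructed frame: response for example.com -> 192.0.2.10
    "020000000001 020000000002 0800 "                                    # Ethernet
    "4500 0049 0001 0000 4011 0000 c6336435 c6336401 "                   # IPv4
    "0035 c350 0035 0000  1234 8180 0001 0001 0000 0000 "                # UDP, DNS header
    "07 6578616d706c65 03 636f6d 00 0001 0001 "                          # Question
    "c00c 0001 0001 0000012c 0004 c000020a")                             # Answer (A)
```

`dns_a_records(SAMPLE)` returns the queried name and its A-record addresses; CNAME and AAAA answers are skipped rather than followed.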

License: CC-BY-SA with attribution
Not affiliated with StackOverflow