This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Sections in a PDML file for a DNS response

0

Hello,

I'm using the 'dns.resp.name' field(s) in the PDML for a DNS query response packet to find the canonical and alias domain names for the domain requested (I'm using a response because I want the aliases and canonical domain as well as the one in the DNS request). I noticed that, if an SOA record is returned, dns.resp.name also captures the root domain of the DNS zone, which is something that I don't want my program to capture when parsing the files.

I noticed that there are four DNS sections: Questions, Answer RRs, Authority RRs and Additional RRs. SOA records fall into the section of Authority RRs, so I'm hoping that the only record types returned in the Answer RRs section are A and CNAME records - if so, I can limit my program to take domains from this section. Is this correct, or are there others returned in this section as well that I need to be aware of?

Thanks :)

asked 19 Nov '16, 14:39

Lobster's gravatar image

Lobster
11448
accept rate: 0%

Have you thought about PTR records?

(19 Nov '16, 16:14) Jaap ♦