在 Python 中读取 DNS 数据包 [英] reading DNS packets in Python
问题描述
我在玩 Python 套接字,并决定看看我是否可以实现一个非常基本的名称服务器(即一个域名到 IP 地址的查找表).所以到目前为止我已经设置了我的服务器来转储接收到的数据.
I'm playing around with Python sockets, and decided to see if I could implement a very basic name server (i.e. a lookup table for a domain name to an IP address). So I've set up my server so far to just dump the received data.
#!/usr/bin/python
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
host = ''
port = 53
size = 512
s.bind((host, port))
while True:
data, addr = s.recvfrom(size)
print repr(data)
当我运行上述代码并将我的 DNS 指向 127.0.0.1 时,我得到类似于以下内容的信息:
When I run the above code and point my DNS to 127.0.0.1 I get something akin to the following:
'Yx04x01x00x00x01x00x00x00x00x00x00x03wwwx06googlex03comx00x00x01x00x01'
'Jxaax01x00x00x01x00x00x00x00x00x00x03wwwx06googlex03comx00x00x1cx00x01'
'Yx04x01x00x00x01x00x00x00x00x00x00x03wwwx06googlex03comx00x00x01x00x01'
我假设这与 DNS 问题数据包结构有关,但我不确定.
I'm assuming that it is something to do with the DNS question packet structure, but I'm not to sure.
A) 以上是转义字符吗?特定的文本编码?还是只是字节?
A) Are the above escape characters? A specific text encoding? Or simply just bytes?
B) 我如何解释数据并使用它?
B) How can I interpret the data and work with it?
更改套接字以获取原始数据而不是数据报会导致以下结果:
Changing the socket to take raw instead of datagrams results in the following:
'Ex00$x00xe4x96x00x00@x01x00x00x7fx00x00x01x7fx00x00x01x03x03Xxb6x00x00x00x00Ex00Vx00mx82x00x00xffx11x00x00x7fx00x00x01x7fx00x00x01xf3xe1x005x00Bx00x00'
推荐答案
你可以这样开始:
#!/usr/bin/env python
import pprint
import socket
import struct
def decode_labels(message, offset):
labels = []
while True:
length, = struct.unpack_from("!B", message, offset)
if (length & 0xC0) == 0xC0:
pointer, = struct.unpack_from("!H", message, offset)
offset += 2
return labels + decode_labels(message, pointer & 0x3FFF), offset
if (length & 0xC0) != 0x00:
raise StandardError("unknown label encoding")
offset += 1
if length == 0:
return labels, offset
labels.append(*struct.unpack_from("!%ds" % length, message, offset))
offset += length
DNS_QUERY_SECTION_FORMAT = struct.Struct("!2H")
def decode_question_section(message, offset, qdcount):
questions = []
for _ in range(qdcount):
qname, offset = decode_labels(message, offset)
qtype, qclass = DNS_QUERY_SECTION_FORMAT.unpack_from(message, offset)
offset += DNS_QUERY_SECTION_FORMAT.size
question = {"domain_name": qname,
"query_type": qtype,
"query_class": qclass}
questions.append(question)
return questions, offset
DNS_QUERY_MESSAGE_HEADER = struct.Struct("!6H")
def decode_dns_message(message):
id, misc, qdcount, ancount, nscount, arcount = DNS_QUERY_MESSAGE_HEADER.unpack_from(message)
qr = (misc & 0x8000) != 0
opcode = (misc & 0x7800) >> 11
aa = (misc & 0x0400) != 0
tc = (misc & 0x200) != 0
rd = (misc & 0x100) != 0
ra = (misc & 0x80) != 0
z = (misc & 0x70) >> 4
rcode = misc & 0xF
offset = DNS_QUERY_MESSAGE_HEADER.size
questions, offset = decode_question_section(message, offset, qdcount)
result = {"id": id,
"is_response": qr,
"opcode": opcode,
"is_authoritative": aa,
"is_truncated": tc,
"recursion_desired": rd,
"recursion_available": ra,
"reserved": z,
"response_code": rcode,
"question_count": qdcount,
"answer_count": ancount,
"authority_count": nscount,
"additional_count": arcount,
"questions": questions}
return result
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
host = ''
port = 53
size = 512
s.bind((host, port))
while True:
data, addr = s.recvfrom(size)
pprint.pprint(decode_dns_message(data))
然后填写剩余记录的解码函数.
And then fill in the decoding functions for the remaining records.
这篇关于在 Python 中读取 DNS 数据包的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!