DNS analysis
To show only the DNS packets that mention a particular name, type dns contains "domain_name"
in the display filter.
Note that the name must be inside double quotes, and that domain_name should not include the top-level domain: to search for queries about cnn.com, type dns contains "cnn", not dns contains "cnn.com". The reason is that dns contains is a raw byte search over the DNS payload, and on the wire a name is sent as length-prefixed labels (cnn.com becomes \x03cnn\x03com), so the dot never appears in the packet. To match on the full decoded name, filter on the parsed field instead: dns.qry.name contains "cnn.com" or dns.qry.name == "www.cnn.com".
dns.flags.response==0
matches queries, i.e. everything sent from the client to the DNS server (the QR bit in the header is 0).
In Domain Name System > Flags > Response you will see Message is a query.
dns.flags.response==1
matches the answers to those queries (the QR bit is 1).
In Domain Name System > Flags > Response you will see Message is a response.
crl: certificate revocation list; some browsers automatically check mscrl.microsoft.com, so queries for that name can appear without any user action.
Reply code: No such name is how Wireshark labels a response whose RCODE is 3 (NXDomain): the queried name does not exist.
Filter DNS records by transaction ID, which pairs a query with its response (Wireshark shows the ID in hex, and the filter accepts hex or decimal):
dns.id==xxxx
To troubleshoot an unsuccessful DNS query:
In a response, the last line under Domain Name System > Flags is the Reply code; 0 means no error. The header RCODE field is only 4 bits wide, so dns.flags.rcode can only take values 0-15; the codes 16 and above in the table below (from the IANA DNS RCODEs registry) are carried in an EDNS(0) OPT record or a TSIG record, not in the header flags.
RCODE | Name | Description | Reference |
---|---|---|---|
0 | NoError | No Error | [RFC1035] |
1 | FormErr | Format Error | [RFC1035] |
2 | ServFail | Server Failure | [RFC1035] |
3 | NXDomain | Non-Existent Domain | [RFC1035] |
4 | NotImp | Not Implemented | [RFC1035] |
5 | Refused | Query Refused | [RFC1035] |
6 | YXDomain | Name Exists when it should not | [RFC2136][RFC6672] |
7 | YXRRSet | RR Set Exists when it should not | [RFC2136] |
8 | NXRRSet | RR Set that should exist does not | [RFC2136] |
9 | NotAuth | Server Not Authoritative for zone | [RFC2136] |
9 | NotAuth | Not Authorized | [RFC2845] |
10 | NotZone | Name not contained in zone | [RFC2136] |
11-15 | Unassigned | | |
16 | BADVERS | Bad OPT Version | [RFC6891] |
16 | BADSIG | TSIG Signature Failure | [RFC2845] |
17 | BADKEY | Key not recognized | [RFC2845] |
18 | BADTIME | Signature out of time window | [RFC2845] |
19 | BADMODE | Bad TKEY Mode | [RFC2930] |
20 | BADNAME | Duplicate key name | [RFC2930] |
21 | BADALG | Algorithm not supported | [RFC2930] |
22 | BADTRUNC | Bad Truncation | [RFC4635] |
23 | BADCOOKIE | Bad/missing Server Cookie | [RFC7873] |
24-3840 | Unassigned | | |
3841-4095 | Reserved | Reserved for Private Use | [RFC6895] |
4096-65534 | Unassigned | | |
65535 | Reserved | Can be allocated by Standards Action | [RFC6895] |
You can use the expression:
(!(dns.flags.rcode==0))&&(dns.flags.response==1)
- !(dns.flags.rcode==0) (equivalently dns.flags.rcode != 0) means the reply code is not "no error"
- dns.flags.response==1 restricts the match to response packets. Queries always carry RCODE 0, so dns.flags.rcode != 0 alone gives the same result; the second clause just makes the intent explicit.
To isolate one failure type, use the numeric code from the table, e.g. dns.flags.rcode==3 for NXDomain or dns.flags.rcode==5 for Refused.
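To make concrete what these filters actually match, here is an added example in Python (not part of the original notes): a minimal DNS message builder and parser run over a constructed capture of three query/response pairs. It shows why dns contains "cnn.com" finds nothing while dns contains "cnn" does, and re-implements dns.id, dns.flags.response and the failed-response expression above as plain functions. The function names, the transaction IDs and the sample domain names are the example's own assumptions.

```python
"""Minimal DNS header + question codec, added to illustrate the Wireshark
filters on this page. The packets below are constructed by hand, not
captured traffic."""
import struct

# Reply codes that fit in the 4-bit header field (values 16+ need EDNS/TSIG
# and are not modelled here).
RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain",
               4: "NotImp", 5: "Refused"}


def encode_name(qname):
    """RFC 1035 wire form: each label is a length byte plus the label bytes,
    terminated by a zero byte. The dots of the printable name are never sent."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(txid, qname, response=False, rcode=0, qtype=1):
    """Header plus one question, as a client (response=False) or a server
    (response=True) would send it. Answer RRs are omitted; the flags and the
    question are all that the filters on this page look at."""
    flags = 0x0100                      # RD=1, as a stub resolver sets it
    if response:
        flags |= 0x8080                 # QR=1 (response), RA=1
        flags |= rcode & 0xF            # RCODE is the low 4 bits of flags
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_message(msg):
    """Decode the fields the page's filters use: dns.id, dns.flags.response,
    dns.flags.rcode and dns.qry.name. Handles an uncompressed question name
    only, which is what the question section normally contains."""
    txid, flags = struct.unpack("!HH", msg[:4])
    labels, off = [], 12
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return {"id": txid,
            "response": bool(flags & 0x8000),
            "rcode": flags & 0xF,
            "qry_name": ".".join(labels)}


def dns_contains(msg, text):
    """What `dns contains "text"` does: a raw substring search over the DNS
    payload bytes, not over the decoded name."""
    return text.encode("ascii") in msg


def by_transaction_id(msgs, txid):
    """Equivalent of dns.id==txid: the query and its matching response."""
    return [p for p in map(parse_message, msgs) if p["id"] == txid]


def failed_responses(msgs):
    """Equivalent of (!(dns.flags.rcode==0))&&(dns.flags.response==1)."""
    hits = []
    for p in map(parse_message, msgs):
        if p["response"] and p["rcode"] != 0:
            hits.append((p["id"], p["qry_name"],
                         RCODE_NAMES.get(p["rcode"], str(p["rcode"]))))
    return hits


# Constructed sample capture: three query/response pairs, not real traffic.
CAPTURE = [
    build_message(0x1A2B, "www.cnn.com"),
    build_message(0x1A2B, "www.cnn.com", response=True, rcode=0),
    build_message(0x3C4D, "nonexistent.example.com"),
    build_message(0x3C4D, "nonexistent.example.com", response=True, rcode=3),
    build_message(0x5E6F, "refused.example"),
    build_message(0x5E6F, "refused.example", response=True, rcode=5),
]

if __name__ == "__main__":
    q = CAPTURE[0]
    print('dns contains "cnn.com" ->', dns_contains(q, "cnn.com"))   # False
    print('dns contains "cnn"     ->', dns_contains(q, "cnn"))       # True
    print("dns.qry.name           ->", parse_message(q)["qry_name"])
    for txid, name, rc in failed_responses(CAPTURE):
        print(f"dns.id=0x{txid:04x} {name}: {rc}")
```

The parser deliberately reads only the low 4 bits of the flags word for the reply code, which is exactly what dns.flags.rcode sees; an extended RCODE such as BADVERS lives in the OPT record's TTL field and would need the additional section decoded to be visible.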