Wireshark must have got the 'bskyb-pop3-ssl.l.google.com' result somehow. I
can do an nslookup just after Wireshark comes back with
'bskyb-pop3-ssl.l.google.com' but I still get the same old vanilla flavoured
'pz-in-f208.1e100.net'.
Regards
Richard
<RichardBUK@xxxxxxx>
-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx
[mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Andrew Hood
Sent: 07 January 2010 11:39
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] How does Wireshark do name resolution?
Richard Brooks wrote:
> Hello Guy
>
> You're just not getting it.
>
> The question is given the ip address of '74.125.127.208', how does one query
> a DNS server (in this case DNS ip 8.8.8.8 = public Google DNS) to get the
> reply 'bskyb-pop3-ssl.l.google.co' (which is the reply Wireshark gets), and
> not the reply 'pz-in-f208.1e100.net', which is what nslookup gets back.

If your system did a DNS lookup of bskyb-pop3-ssl.l.google.com while
Wireshark was running it could have cached the result and used that
resolution.

There is nothing invalid about the PTR record and the A record not
matching. Not good style, but not illegal. The PTR record is in a block
directly allocated to Google. They can map it to whatever they like.

1e100.net have an A record that matches the PTR record. Google have
chosen not to provide PTR records for every A record that might point
into their space. This can be bad news for a mail server.

: dig bskyb-pop3-ssl.l.google.com
; <<>> DiG 9.3.5-P1 <<>> bskyb-pop3-ssl.l.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20404
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;bskyb-pop3-ssl.l.google.com. IN A
;; ANSWER SECTION:
bskyb-pop3-ssl.l.google.com. 300 IN A 74.125.155.208
;; AUTHORITY SECTION:
google.com. 53445 IN NS ns1.google.com.
google.com. 53445 IN NS ns2.google.com.
google.com. 53445 IN NS ns3.google.com.
google.com. 53445 IN NS ns4.google.com.
;; Query time: 209 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 7 22:23:39 2010
;; MSG SIZE rcvd: 133
: dig -x 74.125.155.208
; <<>> DiG 9.3.5-P1 <<>> -x 74.125.155.208
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32369
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;208.155.125.74.in-addr.arpa. IN PTR
;; ANSWER SECTION:
208.155.125.74.in-addr.arpa. 86400 IN PTR px-in-f208.1e100.net.
;; AUTHORITY SECTION:
125.74.in-addr.arpa. 86190 IN NS NS2.GOOGLE.COM.
125.74.in-addr.arpa. 86190 IN NS NS3.GOOGLE.COM.
125.74.in-addr.arpa. 86190 IN NS NS4.GOOGLE.COM.
125.74.in-addr.arpa. 86190 IN NS NS1.GOOGLE.COM.
;; Query time: 203 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 7 22:26:25 2010
;; MSG SIZE rcvd: 161
: whois 74.125.155.208
OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
NetName: GOOGLE
NetHandle: NET-74-125-0-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
Comment:
RegDate: 2007-03-13
Updated: 2007-05-22
OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc.
OrgTechPhone: +1-650-318-0200
OrgTechEmail: arin-contact@xxxxxxxxxx
# ARIN WHOIS database, last updated 2010-01-06 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at https://www.arin.net/whois_tou.html
: dig px-in-f208.1e100.net.
; <<>> DiG 9.3.5-P1 <<>> px-in-f208.1e100.net.
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36422
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;px-in-f208.1e100.net. IN A
;; ANSWER SECTION:
px-in-f208.1e100.net. 86400 IN A 74.125.155.208
;; AUTHORITY SECTION:
1e100.net. 172800 IN NS ns4.google.com.
1e100.net. 172800 IN NS ns1.google.com.
1e100.net. 172800 IN NS ns2.google.com.
1e100.net. 172800 IN NS ns3.google.com.
;; Query time: 220 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 7 22:29:39 2010
;; MSG SIZE rcvd: 136
--
There's no point in being grown up if you can't be childish sometimes.
-- Dr. Who
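
The A/PTR relationship shown in the dig output above, as an added example that is not part of the original thread: a forward-confirmed reverse DNS check run over those records, held in memory so it works offline. The `classify` function, its result labels and the idea of a "claimed" name (such as a mail server's greeting name) are assumptions made for illustration.

```python
import ipaddress

# Constructed resolver data: the A and PTR answers copied from the dig
# output in the thread, held in memory so the check runs offline.
A_RECORDS = {
    "bskyb-pop3-ssl.l.google.com.": {"74.125.155.208"},
    "px-in-f208.1e100.net.": {"74.125.155.208"},
}
PTR_RECORDS = {
    "208.155.125.74.in-addr.arpa.": {"px-in-f208.1e100.net."},
}


def fqdn(name):
    """Normalise a host name: lower case, with a trailing dot."""
    return name.lower().rstrip(".") + "."


def reverse_name(ip):
    """Build the in-addr.arpa (or ip6.arpa) owner name queried by dig -x."""
    return fqdn(ipaddress.ip_address(ip).reverse_pointer)


def confirmed_ptr_names(ip):
    """Return the PTR names whose own A records lead back to ip."""
    names = PTR_RECORDS.get(reverse_name(ip), set())
    return {n for n in names if ip in A_RECORDS.get(fqdn(n), set())}


def classify(claimed_name, ip):
    """Compare a name a host claims (hypothetical input, e.g. a mail
    server's greeting name) with what forward and reverse DNS say."""
    claimed = fqdn(claimed_name)
    if ip not in A_RECORDS.get(claimed, set()):
        return "forward-mismatch"      # name does not resolve to this IP
    confirmed = confirmed_ptr_names(ip)
    if not confirmed:
        return "no-confirmed-ptr"      # PTR missing or not backed by an A
    if claimed in confirmed:
        return "name-matches-ptr"      # A and PTR agree on this name
    return "ptr-names-other-host"      # valid A, but PTR names another host


if __name__ == "__main__":
    for host in ("bskyb-pop3-ssl.l.google.com", "px-in-f208.1e100.net"):
        print(host, "->", classify(host, "74.125.155.208"))
```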