Now we move into the meat of the matter. All the previous posts were really preparing for this stage. It is obvious that, unless we understand the IPv6 header and the components within it, it would be extremely difficult for us to analyze any type of communication running on top of IPv6.
One of the things we will learn as we move through these next few posts is, the knowledge we have of analyzing IPv4 application layer, is easily transferable to IPv6 application layer protocols. Basically not much has change if anything in most cases.
So without further ado, let's look at the DNS protocol.
The following represents the configuration of our local DNS resolver.
root@securitynik:~/securitynik# cat /etc/resolv.conf
Now let's run tshark against our packet capture.
root@securitynik:~/securitynik#tshark -n -r ipv6-dns-success.pcap
1 0.000000 fd33:e581:65d4:0:a000:27ff:fe28:1d5 -> fd33:e581:65d4:0:a000:27ff:fe21:1a75 DNS 95 Standard query 0x537b AAAA securitynik.lab
2 0.000613 fd33:e581:65d4:0:a000:27ff:fe21:1a75 -> fd33:e581:65d4:0:a000:27ff:fe28:1d5 DNS 123 Standard query response 0x537b AAAA fd33:e581:65d4:0:a000:27ff:fe21:1a75
So above we see we have two packets. The first represents the DNS query over IPv6 and the second represents the DNS response.
Digging deeper - Ignoring time information!
fd33:e581:65d4:0:a000:27ff:fe28:1d5 - represents the source IP or the device where the traffic originated.
fd33:e581:65d4:0:a000:27ff:fe21:1a75 - represents the destination or the device to which the traffic is being sent
DNS - Similary to IPv4 this represents the DNS protocol and would be seen in the "Next Header" portion of the IPv6 header
95 - total size of the packet
By default tshark gives us the entire packet size which in this case we see 95 bytes. However, what we should be more concerned about here is the "Payload Length". To find the "Payload Length" we subtract the length of the Ethernet header (14 bytes) and the length of the IPv6 Header (40) bytes from the total 95 bytes.
95 - (14 + 40) = 41
So it would be clear to see that our Payload length is 41 bytes
Standard query - this is a DNS Query
0x537b - Query ID
AAAA - Record type. In IPv4. This would have more than likely been an 'A' record
securitynik.lab - this is the domain which was requested
This represents the response to packet 1
fd33:e581:65d4:0:a000:27ff:fe21:1a75 - In packet 1 this was the destination to which we sent the DNS request. In packet 2, we now have the DNS server responding
fd33:e581:65d4:0:a000:27ff:fe28:1d5 - The response is now coming back to our client IP.
DNS - Next Header which represents DNS
123 - Total size of the packet
Once again, we are interested in the Payload Length. To find this value we use the same formula as we did in packet 1. Subtract the Ethernet header (14 bytes) and the IPv6 header (40) bytes from 123.
123 - (14 + 40) = 69 bytes
Standard query response - Response to our original request
0x537b - How do we know this response is for our original packet? The Query ID in both packets matches
AAAA fd33:e581:65d4:0:a000:27ff:fe21:1a75 - basically stating that our requested domain - securitynik.lab is at the address
As can be seen, there is not that much difference between the way DNS operates in IPv4 than it does it IPv6