[dnsdist] How to dissect proxyv2-protocol with DNS and UDP?
Tom
lists at verreckte-cheib.ch
Tue Feb 20 06:58:30 UTC 2024
Hi list
Looking at a captured PCAP file, where the proxy protocol with DNS is used:
- When using TCP with DNS and proxy protocol, then tshark/wireshark is
able to dissect the proxy-protocol:
$ tshark -n -r /tmp/proxy_tcp.cap
1 0.000000 0.000000000 192.168.236.1 43317 10.100.102.21 5353 TCP
74 0 64660 0 1 0 1220 43317 → 5353 [SYN] Seq=0 Win=64660 Len=0 MSS=1220
SACK_PERM TSval=3048985939 TSecr=0 WS=128
2 0.000062 0.000062000 10.100.102.21 5353 192.168.236.1 43317 TCP
66 0 24400 0 1 1 1220 5353 → 43317 [SYN, ACK] Seq=0 Ack=1 Win=24400
Len=0 MSS=1220 SACK_PERM WS=128
3 0.018303 0.018241000 192.168.236.1 43317 10.100.102.21 5353 TCP
60 0 64768 1 1 1 43317 → 5353 [ACK] Seq=1 Ack=1 Win=64768 Len=0
4 0.018364 0.000061000 192.168.236.1 43317 10.100.102.21 5353
PROXYv2 82 28 64768 28 1 29 1 43317 → 5353 [PSH, ACK] Seq=1 Ack=1
Win=64768 Len=28
5 0.018375 0.000011000 10.100.102.21 5353 192.168.236.1 43317 TCP
54 0 24448 1 1 29 5353 → 43317 [ACK] Seq=1 Ack=29 Win=24448 Len=0
6 0.018384 0.000009000 192.168.236.1 43317 10.100.102.21 5353 DNS
107 53 64768 53 29 82 1 Standard query 0x42db A google.com OPT
7 0.018387 0.000003000 10.100.102.21 5353 192.168.236.1 43317 TCP
54 0 24448 1 1 82 5353 → 43317 [ACK] Seq=1 Ack=82 Win=24448 Len=0
8 0.018889 0.000502000 10.100.102.21 5353 192.168.236.1 43317 DNS
139 85 24448 85 1 86 82 Standard query response 0x42db A google.com A
172.217.168.46 OPT
9 0.042093 0.023204000 192.168.236.1 43317 10.100.102.21 5353 TCP
60 0 64768 82 82 86 43317 → 5353 [ACK] Seq=82 Ack=86 Win=64768 Len=0
10 0.042120 0.000027000 192.168.236.1 43317 10.100.102.21 5353 TCP
60 0 64768 82 83 86 43317 → 5353 [FIN, ACK] Seq=82 Ack=86 Win=64768 Len=0
11 0.042237 0.000117000 10.100.102.21 5353 192.168.236.1 43317 TCP
54 0 24448 86 87 83 5353 → 43317 [FIN, ACK] Seq=86 Ack=83 Win=24448 Len=0
12 0.060066 0.017829000 192.168.236.1 43317 10.100.102.21 5353 TCP
60 0 64768 83 83 87 43317 → 5353 [ACK] Seq=83 Ack=87 Win=64768 Len=0
- When using UDP with DNS and proxy protocol, then neither tshark nor
wireshark is able to decode the proxy protocol:
$ tshark -n -r /tmp/proxy_udp.cap -d udp.port==5353,dns
1 0.000000 192.168.236.1 38039 10.100.102.21 5353 DNS 121
Inverse query 0x0d0a Unknown (867) <Unknown extended label> A <Root> OPT
<Root> Unused <Root>[Malformed Packet]
2 0.000316 10.100.102.21 5353 192.168.236.1 38039 DNS 125
Standard query response 0x7188 A google.com A 172.217.168.46 OPT
Any hints on how I can dissect the proxy protocol with DNS and UDP?
Thanks in advance,
Tom
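
Added example, not part of the original post and not dnsdist code: a Python sketch that strips a PROXY protocol v2 header from a UDP payload before parsing the DNS message behind it. The 12-byte v2 signature begins with 0x0d 0x0a 0x0d 0x0a, which is why a DNS dissector applied to the raw datagram reports ID 0x0d0a and opcode 1 (inverse query), as in the UDP output above. The function names and the sample datagram (documentation addresses) are constructed for illustration.

```python
import ipaddress
import struct

PP2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"          # 12-byte PROXY v2 signature
ADDR_LEN = {1: 4, 2: 16}                      # AF_INET, AF_INET6 address sizes

def split_proxy_v2(datagram: bytes):
    """Return (proxy_info, payload); proxy_info is None if no v2 header."""
    if len(datagram) < 16 or not datagram.startswith(PP2_SIG):
        return None, datagram
    ver_cmd, fam_proto, length = struct.unpack("!BBH", datagram[12:16])
    if ver_cmd >> 4 != 2 or 16 + length > len(datagram):
        raise ValueError("bad version or truncated PROXY v2 header")
    end = 16 + length                          # first byte after header + TLVs
    info = {"command": ver_cmd & 0x0F, "family": fam_proto >> 4,
            "transport": fam_proto & 0x0F}     # transport 2 = DGRAM
    alen = ADDR_LEN.get(info["family"])
    if info["command"] == 1 and alen:          # PROXY command with IP addresses
        if length < 2 * alen + 4:
            raise ValueError("address block too short")
        a = datagram[16:16 + 2 * alen + 4]
        info["src"] = str(ipaddress.ip_address(a[:alen]))
        info["dst"] = str(ipaddress.ip_address(a[alen:2 * alen]))
        info["sport"], info["dport"] = struct.unpack("!HH", a[2 * alen:])
    return info, datagram[end:]                # TLVs, if any, are skipped

def dns_summary(msg: bytes):
    """Return (id, opcode, first question name) of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    ident, flags = struct.unpack("!HH", msg[:4])
    labels, pos = [], 12
    while pos < len(msg) and msg[pos]:         # uncompressed labels only
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii", "replace"))
        pos += 1 + msg[pos]
    return ident, (flags >> 11) & 0x0F, ".".join(labels)

# Constructed sample: v2 header (PROXY, INET, DGRAM) + query for google.com A
SAMPLE_DNS = (struct.pack("!HHHHHH", 0x42DB, 0x0100, 1, 0, 0, 0)
              + b"\x06google\x03com\x00" + struct.pack("!HH", 1, 1))
SAMPLE = (PP2_SIG + struct.pack("!BBH", 0x21, 0x12, 12)
          + ipaddress.ip_address("192.0.2.10").packed
          + ipaddress.ip_address("198.51.100.53").packed
          + struct.pack("!HH", 38039, 5353) + SAMPLE_DNS)

if __name__ == "__main__":
    info, dns = split_proxy_v2(SAMPLE)
    print(dns_summary(SAMPLE)[:2], info, dns_summary(dns))
```

To apply this to a capture, pass each UDP payload from the PCAP to `split_proxy_v2` and hand the returned remainder to a DNS parser.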