Network Traffic Analysis Challenge 1 - Parsing DNS

Prompt

We found this dump file that contains a DNS query and response. Parse the packets to answer the questions.


Answers

Q1 (10 pts) - What DNS object is being queried (answer in lowercase)?
www.wikipedia.com

Q2 (10 pts) - How many DNS records came back from the DNS server in the reply packet?
2

Q3 (10 pts) - In this DNS reply, what is the canonical name of this DNS object?
ncredir-lb.wikimedia.org

Q4 (10 pts) - What is the local DNS resolver’s IP address?
10.0.0.1

Q5 (10 pts) - To allow this DNS query to be placed, what protocol would need to be allowed outbound by a firewall?
UDP

Q6 (10 pts) - To allow this DNS query to be placed, what destination port (number from 0-65535) would need to be allowed outbound by a firewall?
53

Q7 (10 pts) - What company owns the block of Ethernet addresses used by the local DNS resolver?
TIBRO

Q8 (20 pts) - What’s the product (in decimal) of multiplying the IP IDs of the two packets together?
985420248

Q9 (10 pts) - What is the IP TTL (in decimal) of the DNS response packet?
64


Steps I Took

I started by downloading the file. I couldn’t open it in Wireshark, so I changed the file to a PCAP:

cp dnsqr.dump dnsqr.pcap

That did not work. I checked the bytes with xxd and also searched for the PCAP magic bytes.

Screenshot

Screenshot

It looked like the PCAP bytes were there, but they seemed to be reversed. I used ChatGPT to validate my interpretation of the file format, and it suggested a script that would correct the byte order automatically.

Screenshot

That approach felt overly complicated for the challenge, so I spent more time trying to solve it manually first.

I went to CyberChef, removed the first column, and swapped the endianness.

Screenshot

That gave me the same result.

After that, I started working through the actual challenge. I opened the PCAP in Wireshark.

Q1 — Checked the DNS query and response details.

Screenshot

Q2 — Went to the reply packet and checked the answers. I saw the CNAME record and the A = 2 value there.

Q3 — I checked the second packet and found the source IP.

Screenshot

Q4 — I checked the second packet’s IP and got 10.0.0.1.

Q5 — I checked the destination port for the first packet and got 53/UDP.

Q6 — This question asked for the UDP port number, which was 53.

Q7 — I checked the source MAC of the DNS resolver, and it included the hostname.

Screenshot

Q8 — I checked the Identification field of each packet: P1 = 50753, P2 = 19416, Product = 985420248.

Q9 — I checked the response packet TTL field.
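As an added example (not part of the original writeup), here is a Python parser for the two things the notes above work through by hand: reading the pcap magic to pick the byte order before walking the records, and pulling the IP ID, TTL, port, answer count, query name and CNAME out of the Ethernet/IPv4/UDP/DNS headers, including RFC 1035 name compression. The two-packet capture is constructed inline; the names, IP IDs, TTL, port and resolver address come from the answers above, while the transaction ID, client port, MACs and the 192.0.2.1 address in the A record are made up.

```python
import struct
def dns_name(msg, off):  # decode labels at off, following RFC 1035 compression pointers
    n = msg[off]
    if n >= 0xC0:  # 11xxxxxx: a 14-bit pointer to a name earlier in the message
        return dns_name(msg, struct.unpack_from(">H", msg, off)[0] & 0x3FFF)[0], off + 2
    if n == 0:  # root label terminates the name
        return "", off + 1
    rest, end = dns_name(msg, off + 1 + n)
    return (msg[off + 1:off + 1 + n].decode("ascii") + "." + rest).rstrip("."), end

def parse_frame(frame):  # Ethernet/IPv4/UDP/DNS: the header fields the questions ask about
    ip = frame[14:]  # after the 14-byte Ethernet header
    udp = ip[(ip[0] & 0x0F) * 4:]  # IHL is the IPv4 header length in 32-bit words
    info = {"ip_id": struct.unpack_from(">H", ip, 4)[0], "ttl": ip[8], "proto": ip[9],
            "src": ".".join(map(str, ip[12:16])), "dport": struct.unpack_from(">H", udp, 2)[0]}
    dns = udp[8:]  # DNS message after the 8-byte UDP header
    info["ancount"] = struct.unpack_from(">H", dns, 6)[0]
    info["qname"], off = dns_name(dns, 12)
    off += 4  # skip QTYPE and QCLASS
    for _ in range(info["ancount"]):
        _, off = dns_name(dns, off)  # owner name, usually a compression pointer
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", dns, off)
        if rtype == 5:  # CNAME: RDATA is itself a (possibly compressed) name
            info["cname"] = dns_name(dns, off + 10)[0]
        off += 10 + rdlen
    return info

def pcap_frames(blob):  # classic pcap; how the magic number reads tells us the file's byte order
    bo = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[blob[:4]]
    off = 24  # the global header is 24 bytes in either byte order
    while off + 16 <= len(blob):
        incl_len = struct.unpack_from(bo + "IIII", blob, off)[2]
        yield blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def wrap(dns, sport, dport, ip_id, s, d):  # constructed frame 10.0.0.s -> 10.0.0.d plus record header
    udp = struct.pack(">HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, 64, 17, 0,
                     bytes([10, 0, 0, s]), bytes([10, 0, 0, d])) + udp
    return struct.pack(">IIII", 0, 0, 14 + len(ip), 14 + len(ip)) + bytes(12) + b"\x08\x00" + ip

# Constructed sample: query + response in a big-endian pcap (the "reversed" magic).
q = b"\x03www\x09wikipedia\x03com\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN
cn = b"\x0ancredir-lb\x09wikimedia\x03org\x00"
query = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q
reply = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + q
         + struct.pack(">HHHIH", 0xC00C, 5, 1, 300, len(cn)) + cn  # CNAME, owner -> QNAME
         + struct.pack(">HHHIH", 0xC000 | (24 + len(q)), 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
SAMPLE_PCAP = (struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + wrap(query, 54321, 53, 50753, 2, 1) + wrap(reply, 53, 54321, 19416, 1, 2))
```

Running it against the real dnsqr.dump instead of SAMPLE_PCAP is a matter of `pcap_frames(open(path, "rb").read())`; the parser picks the byte order from the magic, so no manual endianness swap is needed.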