Alright guys, I have multiple clarification questions on DNS connections and TCP Streams...
Thanks guys, I'm excited to finally understand some of these concepts.
asked 31 Mar '14, 17:59
edited 31 Mar '14, 18:01
No. A DNS query might result from an attempt to look up a host to which to send UDP packets, for example. DNS queries can be used for other purposes, such as translating an IP address to a host name. And looking up an IP address for a host might require more than one DNS query, e.g. "example.com" might require that a DNS server for ".com" be looked up, and then that "example.com" might be looked up on that server.
No. Somebody might try to connect to a host with a known IP address, or might be getting the IP address for the host from a file, or might be using some other protocol, such as NIS, to look up the IP address for the host. Or the host might already have a cached copy of a previous lookup of a host name.
Neither is true. See above.
Given that not all DNS query/response pairs correspond to a TCP stream (and not all TCP streams have a DNS query/response associated with them), no. At best, you can try to find a DNS query/response pair that returned an IP address used in a later TCP stream.
What if it takes 10 seconds (on a slow machine) between the time when the button is pressed and when a DNS query is sent out, if necessary, to find the IP address of the host to which to upload the post? In that case, you can't use any packet sniffer to find out the time between when the button is pressed and when the post finishes being uploaded, because the first 10 seconds don't necessarily correspond to network traffic - they might be due to the code to handle the button push being paged out and having to be paged in from disk, or due to a lot of CPU time being spent to get to the host name lookup, or something such as that.
answered 31 Mar '14, 19:32
Guy Harris ♦♦
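The "at best" correlation described in the answer (find a DNS response that returned the IP address a later TCP stream connects to, and treat everything else as unmatched) can be scripted over a tshark field export. The following is an added example, not code from the answerer or from the Wireshark project. It assumes the capture was exported with `tshark -T fields -e frame.time_epoch -e ip.dst -e dns.qry.name -e dns.a -e dns.resp.ttl -e tcp.stream -E separator=/t -E aggregator=,` under the display filter `dns.flags.response == 1 || (tcp.flags.syn == 1 && tcp.flags.ack == 0)`, so each line is either a DNS response or the first SYN of a TCP stream. The sample lines below are constructed, and the use of the smallest TTL in a response as the cache lifetime is a simplification chosen here.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class DnsAnswer:
    ts: float       # frame.time_epoch of the response
    name: str       # dns.qry.name
    address: str    # one dns.a value (one object per A record)
    ttl: int        # smallest dns.resp.ttl in the response (simplification)


@dataclass(frozen=True)
class TcpSyn:
    ts: float       # frame.time_epoch of the first SYN
    stream: int     # tcp.stream index assigned by Wireshark
    dst: str        # ip.dst of the SYN


@dataclass(frozen=True)
class Correlation:
    stream: int
    dst: str
    name: Optional[str]          # None: no earlier answer returned dst
    age: Optional[float]         # seconds from the answer to the SYN
    within_ttl: Optional[bool]   # False: the answer should have expired


# Constructed tshark-style export (tab separated, aggregator ","):
# time, ip.dst, dns.qry.name, dns.a, dns.resp.ttl, tcp.stream
SAMPLE = """\
1396306800.000\t192.0.2.10\texample.com\t93.184.216.34\t300\t
1396306800.050\t93.184.216.34\t\t\t\t0
1396306800.400\t198.51.100.7\t\t\t\t1
1396306801.000\t192.0.2.10\tcdn.example.net\t203.0.113.5,203.0.113.6\t60,60\t
1396306802.000\t203.0.113.6\t\t\t\t2
1396306805.000\t192.0.2.10\tmail.example.org\t192.0.2.9\t300\t
1396307200.000\t93.184.216.34\t\t\t\t3
"""


def parse_tshark_fields(lines: Iterable[str]) -> Tuple[List[DnsAnswer], List[TcpSyn]]:
    """Split the export into DNS answers (one per A record) and first SYNs."""
    answers: List[DnsAnswer] = []
    syns: List[TcpSyn] = []
    for line in lines:
        if not line.strip():
            continue
        fields = (line.rstrip("\n").split("\t") + [""] * 6)[:6]
        ts_s, dst, qname, a_vals, ttl_vals, stream = fields
        ts = float(ts_s)
        if stream:                      # a TCP row carries tcp.stream
            syns.append(TcpSyn(ts, int(stream), dst))
        elif a_vals:                    # a DNS response with A records
            ttl = min(int(t) for t in ttl_vals.split(",")) if ttl_vals else 0
            for addr in a_vals.split(","):
                answers.append(DnsAnswer(ts, qname, addr, ttl))
    return answers, syns


def correlate(answers: List[DnsAnswer], syns: List[TcpSyn]) -> List[Correlation]:
    """For each stream, pick the most recent earlier answer that returned its dst."""
    by_addr: Dict[str, List[DnsAnswer]] = {}
    for a in answers:
        by_addr.setdefault(a.address, []).append(a)
    out: List[Correlation] = []
    for s in sorted(syns, key=lambda x: x.ts):
        prior = [a for a in by_addr.get(s.dst, []) if a.ts <= s.ts]
        if not prior:
            # Known IP, hosts file, cache from before the capture, or another
            # name service: nothing in this capture explains the address.
            out.append(Correlation(s.stream, s.dst, None, None, None))
            continue
        best = max(prior, key=lambda a: a.ts)
        age = s.ts - best.ts
        out.append(Correlation(s.stream, s.dst, best.name, age, age <= best.ttl))
    return out


def unmatched_names(answers: List[DnsAnswer], results: List[Correlation]) -> List[str]:
    """Names that were resolved but never used by a TCP stream in the capture."""
    used = {c.name for c in results if c.name}
    return sorted({a.name for a in answers} - used)


if __name__ == "__main__":
    ans, syn = parse_tshark_fields(SAMPLE.splitlines())
    for c in correlate(ans, syn):
        print(c)
    print("resolved but not used over TCP:", unmatched_names(ans, correlate(ans, syn)))
```

On the constructed sample, stream 0 and stream 2 pair with a response seen milliseconds earlier, stream 1 has no explaining lookup in the capture, stream 3 reuses an address whose answer expired 100 seconds earlier (a hint that the host cached it beyond the TTL or learned it some other way), and mail.example.org was resolved but never connected to over TCP. A real export will also contain responses with CNAME chains and multiple A records, which is why the code keeps one DnsAnswer per address and the minimum TTL per response.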