This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Period [.] missing after ENUM/DNS query in wireshark

0

I am attaching an ENUM/DNS trace which we have captured over the wire.

In the DNS protocol section, I am sending the following query:

No.     Time        Source                Destination           Protocol Info
      1 0.000000    172.17.219.68         10.230.35.248         DNS      Standard query NAPTR 6.1.0.0.1.1.3.3.4.0.1.8.e164enum.net

Frame 1: 107 bytes on wire (856 bits), 107 bytes captured (856 bits)
Ethernet II, Src: Cisco_4c:36:17 (00:1e:4a:4c:36:17), Dst: 40:a8:f0:26:c7:08 (40:a8:f0:26:c7:08)
Internet Protocol, Src: 172.17.219.68 (172.17.219.68), Dst: 10.230.35.248 (10.230.35.248)
User Datagram Protocol, Src Port: 14126 (14126), Dst Port: domain (53)
Domain Name System (query)
    [Response In: 2]
    Transaction ID: 0x3be5
    Flags: 0x0100 (Standard query)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        6.1.0.0.1.1.3.3.4.0.1.8.e164enum.net: type NAPTR, class IN
            Name: 6.1.0.0.1.1.3.3.4.0.1.8.e164enum.net
            Type: NAPTR (Naming authority pointer)
            Class: IN (0x0001)
    Additional records

0000  40 a8 f0 26 c7 08 00 1e 4a 4c 36 17 08 00 45 00   @..&....JL6...E.
0010  00 5d cd 1f 40 00 ff 11 f8 3b ac 11 db 44 0a e6   .]..@....;...D..
0020  23 f8 37 2e 00 35 00 49 70 ee 3b e5 01 00 00 01   #.7..5.Ip.;.....
0030  00 00 00 00 00 01 01 36 01 31 01 30 01 30 01 31   .......6.1.0.0.1
0040  01 31 01 33 01 33 01 34 01 30 01 31 01 38 08 65   .1.3.3.4.0.1.8.e
0050  31 36 34 65 6e 75 6d 03 6e 65 74 00 00 23 00 01   164enum.net..#..
0060  00 00 29 10 00 00 00 80 00 00 00                  ..)........

Our application logs show a "." (period) after e164enum.net, i.e. "e164enum.net.". But Wireshark is removing the "." after "net" and displaying only "e164enum.net". Why is Wireshark showing it like this?

asked 12 Nov '16, 02:40


h4harshith
accept rate: 0%


2 Answers:

3

In a DNS request, the name is represented by a series of labels, where each label is preceded by the length of the label. The final label has length 0. The dot is actually not part of the name; it is just a way of representing the separation of the labels (just like the dot in an IP address shows the separation between the octets).

In representing the FQDN, the dot at the end signifies that the name should be read as an absolute name (i.e., no domain suffixes should be applied anymore), while a name without a dot could be extended with a search domain. This is done on the system where the DNS lookup is performed; however, in the DNS request towards the server the search domain is already added and the name is considered an absolute name. Therefore the final dot is omitted in the DNS request.

Wireshark dissects the data as is, and therefore a final dot is not displayed, as it was not transmitted over the wire.

answered 12 Nov '16, 04:25


SYN-bit ♦♦
accept rate: 20%

Thank you so much for your helpful inputs. Upvoted

(16 Nov '16, 05:36) h4harshith

3

Wireshark is doing this because that's exactly what is transmitted on the wire; see the hex bytes display for confirmation:

0030  00 00 00 00 00 01 01 36 01 31 01 30 01 30 01 31   .......6.1.0.0.1
0040  01 31 01 33 01 33 01 34 01 30 01 31 01 38 08 65   .1.3.3.4.0.1.8.e
0050  31 36 34 65 6e 75 6d 03 6e 65 74 00 00 23 00 01   164enum.net..#..
                                       ^^

Note the byte after the "t" is 0x00, there is no period.

Your application software must be creating the "." suffix itself.

You can also see the hex bytes corresponding to a field in Wireshark by clicking the field in the packet details pane, the hex bytes pane will then highlight the respective bytes.

answered 12 Nov '16, 03:24


grahamb ♦
accept rate: 22%

Thank you so much for your helpful inputs. Upvoted

(16 Nov '16, 05:36) h4harshith
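The label encoding that both answers describe, worked through as an added Python example (this is not code from the original thread, from Wireshark, or from the asker's application). It rebuilds the 65-byte DNS payload from the question's hex dump (my assumption: it starts at frame offset 0x2a, after the 14-byte Ethernet, 20-byte IPv4 and 8-byte UDP headers, which matches the UDP length 0x49 in the dump), decodes the question name, shows that the byte after "net" is 0x00 rather than a period, and shows that "e164enum.net" and "e164enum.net." encode to identical bytes. It goes one step beyond the thread: the decoder also follows RFC 1035 compression pointers, which this query does not use but responses do, with a backward-only rule and a hop limit (the limit of 16 is my choice) so a malformed message cannot make the parser loop.

```python
"""Wire-format DNS names, using the NAPTR query from the question's hex dump.

A name is a sequence of length-prefixed labels ended by a zero-length label;
the dots, including the trailing dot of an absolute name, exist only in the
presentation form that applications and resolvers print.
"""
import struct
from typing import Dict, Tuple

NAPTR = 35               # QTYPE value for NAPTR (RFC 3403); appears as 00 23 in the dump
MAX_POINTER_HOPS = 16    # assumption: generous bound for legitimate messages

# Constructed from the hex dump in the question: the DNS payload that starts
# at frame offset 0x2a, after the Ethernet, IPv4 and UDP headers.
DNS_QUERY = bytes.fromhex(
    "3be5 0100 0001 0000 0000 0001"     # ID 0x3be5, flags 0x0100, QD=1 AN=0 NS=0 AR=1
    "0136 0131 0130 0130 0131 0131"     # labels "6" "1" "0" "0" "1" "1"
    "0133 0133 0134 0130 0131 0138"     # labels "3" "3" "4" "0" "1" "8"
    "08 6531363465 6e756d"              # label "e164enum"
    "03 6e6574"                         # label "net"
    "00"                                # zero-length root label: end of name, no '.'
    "0023 0001"                         # QTYPE NAPTR, QCLASS IN
    "00 0029 1000 00008000 0000"        # additional: OPT RR (EDNS0), root name, no rdata
)


def decode_name(buf: bytes, offset: int) -> Tuple[str, int]:
    """Decode one name at `offset`; return (presentation name, offset just past it).

    Follows RFC 1035 compression pointers (top two bits 11) so the same code
    works on responses. Pointers must point backwards and are hop-limited, so
    a crafted message cannot send the parser into a loop."""
    labels = []
    resume = None          # offset after the first pointer, where the caller continues
    hops = 0
    while True:
        if offset >= len(buf):
            raise ValueError("name runs past end of message")
        length = buf[offset]
        if (length & 0xC0) == 0xC0:
            if offset + 2 > len(buf):
                raise ValueError("truncated compression pointer")
            target = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if resume is None:
                resume = offset + 2
            hops += 1
            if hops > MAX_POINTER_HOPS or target >= offset:
                raise ValueError("bad compression pointer (forward or looping)")
            offset = target
            continue
        if length > 63:
            raise ValueError("unsupported label type 0x%02x" % (length & 0xC0))
        offset += 1
        if length == 0:                      # root label terminates the name
            break
        if offset + length > len(buf):
            raise ValueError("label runs past end of message")
        labels.append(buf[offset:offset + length].decode("latin-1"))  # labels are raw bytes
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def encode_name(name: str) -> bytes:
    """Encode a presentation-form name; a trailing dot changes nothing on the wire."""
    out = bytearray()
    stripped = name.rstrip(".")
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1-63 bytes: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)            # terminating root label: the 0x00 after "net" in the dump
    return bytes(out)


def parse_query(buf: bytes) -> Dict[str, object]:
    """Parse the header and first question, i.e. the fields Wireshark lists in the details pane."""
    if len(buf) < 12:
        raise ValueError("DNS header truncated")
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    qname, off = decode_name(buf, 12)
    if off + 4 > len(buf):
        raise ValueError("question truncated")
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {
        "id": tid, "flags": flags, "qdcount": qd, "ancount": an,
        "nscount": ns, "arcount": ar, "qname": qname, "qtype": qtype,
        "qclass": qclass, "qname_end": off,
        "terminator": buf[off - 1],      # the byte right after "net": 0x00, not '.'
    }


if __name__ == "__main__":
    q = parse_query(DNS_QUERY)
    print("qname on the wire decodes to %s (terminator 0x%02x, QTYPE %d)"
          % (q["qname"], q["terminator"], q["qtype"]))
    print("same bytes with and without the trailing dot:",
          encode_name("e164enum.net") == encode_name("e164enum.net."))
    print("re-encoding the absolute name reproduces the dump:",
          encode_name(q["qname"] + ".") == DNS_QUERY[12:q["qname_end"]])
```

Running it prints the decoded name without a trailing dot, a terminator of 0x00, and True for both comparisons, which is the point of both answers: the period the application logs is added by its own presentation code, and Wireshark can only show the labels and the zero byte that were actually sent.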