Wireshark find DNS response "Refused"

domain-name-system reverse-dns wireshark

Solution 1:

Based on https://www.wireshark.org/docs/dfref/d/dns.html you need to use dns.flags.rcode defined as:

dns.flags.rcode Reply code Unsigned integer, 2 bytes 1.0.0 to 3.4.9

"Reply code" is defined in §4.1.1. of RFC 1035 as "response code" with "Refused" being value 5:

5 Refused - The name server refuses to perform the specified operation for policy reasons. For example, a name server may not wish to provide the information to the particular requester, or a name server may not wish to perform a particular operation (e.g., zone transfer) for particular data.

As Wireshark defines it as 2 bytes, maybe it is the whole structure depicted in the RFC:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

So to compare RCODE to value 5 you may have to mask other bits.

Related

What does sfdisk do, and how does it compare to fdisk or parted?
How to copy only new files AND only those that are modified after a certain date?
Can I pair multiple hosts to a single Bluetooth headphones device?
No supported authentication methods available in FileZilla
How can I join two simple home networks together using an ethernet cable?
How can I check if a domain uses DNSSEC?
Using Paint or Gimp WHERE is the UNSELECT?
Can I stop windows 7 from fading windows on alt-tab?
Is there an app I can use to edit an existing animated GIF? [duplicate]
How do I browse my file system on a mac?
Does Firefox support wildcards in NTLM / Negotiate URI's for autologin?
how can I tell vimdiff to ignore whitespace?