First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Give precedence to hosts file over DNS for name resolution

  • retag add tags

Is there a way, maybe feature needed, to give name resolution precedence to the locally created hosts file over DNS discovered A records?

If I've predefined the name in hosts, it's more readable than the equivalent DNS discovered FQDN and I'd like to give my given name in hosts file priority over the DNS discovered FQDN.

You can disable use of DNS but I need to use both with priority given to local hosts file.

atrain1111's avatar
1
atrain1111
asked 2022-05-03 14:46:38 +0000
Jaap's avatar
13.7k
Jaap
updated 2022-05-03 16:43:56 +0000
edit flag offensive 0 remove flag close merge delete

Comments

"hosts file" - do you mean the Wireshark hosts file or the operating system hosts file?

Chuckc's avatar Chuckc (2022-05-03 20:31:39 +0000) edit
more
  • delete

the Wireshark hosts file

atrain1111's avatar atrain1111 (2022-05-04 00:54:55 +0000) edit
more
  • delete

"DNS discovered A records" - does that mean records from captured DNS packet data or queries to external network name resolver?

Preferences/Name-Resolution (WSUG doesn't have all Preference pages - added to Wiki)

Chuckc's avatar Chuckc (2022-05-04 02:02:14 +0000) edit
more
  • delete

Is your hosts file in the Global config folder or in the profile folder? The WSUG and man pages say that one will be read from the Personal config folder but that's incorrect.
You can verify that the host file is read in properly by starting the Wireshark Gui then looking at:
Statistics -> Resolved Addresses and change All entries to Hosts.
If the host file was read properly, the host entries will be in the table.

Chuckc's avatar Chuckc (2022-05-04 03:16:36 +0000) edit
more
  • delete

hosts file in personal config folder works fine. The discovered FQDNs via DNS pkts in the pcap works as well. If IP is defined in hosts file and also in the DNS pkts in pcap the DNS pkt discovery takes precedence over hosts file. I want the personal hosts file to be top priority. I can turn off usage of DNS pkts in pcap for name resolution but I do need that functionality for those IPs that are not in the hosts file.

atrain1111's avatar atrain1111 (2022-05-04 15:19:09 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

This would be a new feature or Enhancement request. They are created on the Wireshark Gitlab Issues page. (If you open an issue please add a link back to this question.)

What's happening:
Last one in wins. This is how the global hosts file is superseded by entries in the personal hosts.
When an entry come in from DNS it updates the hash table.

What you're looking for is sort of like nsswitch.conf setting the order or precedence of checking. I'm not sure if this would need to be another Name Resolution preference or if hosts entries always win.

The address hash table hashipv4_t (wtap.h) does have a flags field that might be used to implement this. If an entry is added in read_hosts_file(), set the flag bit so the entry is not updated by DNS.

packet-dns.c:

    case T_A: /* a host Address (1) */
...
        add_ipv4_name(addr_int, name);
...
    case T_AAAA: /* IPv6 Address (28) */
...
        add_ipv6_name(&addr_in6, name);

addr_resolv.c:

add_ipv4_name(const guint addr, const gchar *name)
...
    tp = (hashipv4_t *)wmem_map_lookup(ipv4_hash_table, GUINT_TO_POINTER(addr));
    if (!tp) {
        tp = new_ipv4(addr);
        wmem_map_insert(ipv4_hash_table, GUINT_TO_POINTER(addr), tp);
    }

    if (g_ascii_strcasecmp(tp->name, name)) {
        (void) g_strlcpy(tp->name, name, MAXNAMELEN);
        new_resolved_objects = TRUE;
    }
Chuckc's avatar
3k
Chuckc
answered 2022-05-04 16:38:41 +0000, updated 2022-05-04 16:40:02 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Thank you Chuck. I went ahead and submitted issue #18075

atrain1111's avatar atrain1111 (2022-05-04 18:06:38 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer