DNS SRV Requests Info






1. DNS SRV Request (client → DNS server)


When a client (e.g. Windows workstation joining a domain) wants to find an LDAP server, it sends a DNS query like:


Queries
   _ldap._tcp.example.com: type SRV, class IN
       dns.qry.type    = SRV (33)
       dns.qry.name    = _ldap._tcp.example.com
       dns.srv.service = _ldap
       dns.srv.proto   = _tcp



Opcode = 0 (Standard query)


Rcode = unset (since it’s a request)


dns.qry.type = SRV (33) → asking for a service record


dns.qry.name = _ldap._tcp.example.com


dns.srv.service = _ldap (the service being requested)


dns.srv.proto = _tcp (protocol for LDAP)


This means:

“Tell me which LDAP servers are available for example.com over TCP.”



2. DNS SRV Response (DNS server → client)


The DNS server replies with the list of LDAP servers:


Answers
   _ldap._tcp.example.com: type SRV, class IN
       Priority: 0
       Weight: 100
       Port: 389
       Target: dc1.example.com
       dns.srv.service = _ldap
       dns.srv.proto   = _tcp
       dns.srv.port    = 389
       dns.resp.name   = dc1.example.com

Additional Records
   dc1.example.com: type A, addr 192.0.2.10
       dns.a = 192.0.2.10



Opcode = 0 (Standard query)


Rcode = 0 (NoError → successful resolution)


dns.srv.port = 389 (standard LDAP port; could be 636 for LDAPS)


dns.resp.name = dc1.example.com (hostname of the LDAP server)


dns.a = 192.0.2.10 (IPv4 address of the target server)



3. Summary of Fields (when dns.srv.service = ldap)

Field            Example Value            Meaning
Opcode           0                        Standard DNS query
Rcode            0 (NoError)              Query succeeded
dns.qry.type     SRV (33)                 Asking for a service record
dns.qry.name     _ldap._tcp.example.com   Service + protocol + domain
dns.srv.service  _ldap                    Service requested (LDAP)
dns.srv.proto    _tcp                     Protocol (TCP for LDAP)
dns.srv.port     389                      Port of the LDAP service
dns.resp.name    dc1.example.com          Target host providing LDAP
dns.a            192.0.2.10               IP address of that host


So when you see dns.srv.service = ldap:

The client is trying to discover LDAP servers (usually domain controllers in Active Directory) via DNS SRV lookups, and the response tells it which hostnames, ports, and IPs to use.
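As an added example (not from this page), the following shows how a client turns SRV answers like the ones above into the ordered list of LDAP servers it will actually contact, following the RFC 2782 priority/weight rules, and attaches the IPs from the Additional Records section. The record set is constructed: it takes the page's dc1/dc2 records and adds a lower-preference dc3 whose A record is deliberately absent.

```python
import random

# Constructed SRV answer set (not from a real capture): the page's dc1/dc2
# records plus a dc3 at a higher priority value, i.e. a lower-preference backup.
SRV_ANSWERS = [
    # (priority, weight, port, target)
    (0, 100, 389, "dc1.example.com"),
    (0, 100, 389, "dc2.example.com"),
    (10, 0, 389, "dc3.example.com"),
]

# Constructed Additional Records section: target -> A record. dc3 is
# deliberately missing, as happens when the server adds no glue for it.
ADDITIONAL_A = {
    "dc1.example.com": "192.0.2.10",
    "dc2.example.com": "192.0.2.11",
}

def order_srv(answers, rng=None):
    """Order SRV answers the way RFC 2782 tells a client to try them:
    lowest priority value first; within one priority, a weighted random
    draw so that a higher weight is chosen first proportionally more often."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({a[0] for a in answers}):
        group = [a for a in answers if a[0] == prio]
        # RFC 2782: weight-0 records go to the front so they are seldom drawn
        group.sort(key=lambda a: a[1] != 0)
        while group:
            total = sum(a[1] for a in group)
            r = rng.randint(0, total)
            running = 0
            for a in group:
                running += a[1]
                if running >= r:  # first record whose running sum reaches r
                    ordered.append(a)
                    group.remove(a)
                    break
    return ordered

def resolve_targets(answers, additional, rng=None):
    """Pair each SRV target, in try order, with its IP from the Additional
    section. A None IP means the client must send a separate A/AAAA query."""
    return [(target, additional.get(target), port)
            for (_prio, _weight, port, target) in order_srv(answers, rng)]

if __name__ == "__main__":
    for host, ip, port in resolve_targets(SRV_ANSWERS, ADDITIONAL_A):
        print(f"{host:<18} {ip or '(needs A lookup)':<18} port {port}")
```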




Let’s look at the Active Directory-specific SRV queries where dns.srv.service = ldap. These are among the most common SRV lookups you’ll see in Wireshark when a Windows client tries to find a Domain Controller (DC).



Why SRV is critical for AD


Active Directory relies on DNS SRV records to locate domain controllers and related services.


When a client joins or logs into a domain, it does not yet know a DC’s IP address, so it queries DNS for SRV records.


Common AD SRV Queries

1. _ldap._tcp.dc._msdcs.<domain>


Used to find all domain controllers for a given domain.


Example query:


dns.qry.name    = _ldap._tcp.dc._msdcs.example.com
dns.srv.service = _ldap
dns.srv.proto   = _tcp
dns.qry.type    = SRV



The response contains one or more DC hostnames (targets).


2. _ldap._tcp.<site>._sites.dc._msdcs.<domain>


Used to find DCs in a specific AD site (site-aware logon).


Example query:


dns.qry.name   = _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com



Ensures clients prefer local DCs for authentication.


3. _ldap._tcp.gc._msdcs.<forest-root>


Used to find Global Catalog (GC) servers.


Example query:


dns.qry.name   = _ldap._tcp.gc._msdcs.example.com



Global Catalog servers are needed for cross-domain searches and logons.
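As an added example (not from this page), here is a small classifier that splits dns.qry.name values into the parts the three patterns above use (service, protocol, optional site, optional _msdcs role, domain), which is handy when triaging DNS logs for DC discovery activity. It goes slightly beyond the three names above by also accepting the plain _kerberos._tcp and _gc._tcp forms and the pdc role; the sample names are constructed.

```python
import re

# Constructed dns.qry.name values as seen in a capture or DNS log; the last is a control.
SAMPLE_QNAMES = [
    "_ldap._tcp.dc._msdcs.example.com",
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com",
    "_ldap._tcp.gc._msdcs.example.com",
    "_kerberos._tcp.example.com",
    "_gc._tcp.example.com",
    "www.example.com",
]

# Anchored pattern for the AD locator name layout:
#   _<service>._<proto>[.<site>._sites][.<role>._msdcs].<domain>
AD_SRV_RE = re.compile(
    r"^_(?P<service>[a-z]+)\._(?P<proto>tcp|udp)"
    r"(?:\.(?P<site>[^.]+)\._sites)?"
    r"(?:\.(?P<role>dc|gc|pdc)\._msdcs)?"
    r"\.(?P<domain>[^_].*?)\.?$",
    re.IGNORECASE,
)

# What each _msdcs role selects; None covers the plain _service._proto.domain form.
ROLE_MEANING = {"dc": "domain controllers", "gc": "global catalog servers",
                "pdc": "the PDC emulator", None: "hosts offering the service"}

def classify_ad_srv(qname):
    """Split an AD SRV lookup name into its parts; None if it is not one."""
    m = AD_SRV_RE.match(qname)
    if not m:
        return None
    g = m.groupdict()
    return {
        "service": g["service"].lower(),
        "proto": g["proto"].lower(),
        "site": g["site"],  # None unless the site-aware form was used
        "role": g["role"].lower() if g["role"] else None,
        "domain": g["domain"].lower(),
    }

def describe(parts):
    """One-line meaning of a classified name, e.g. for a triage report."""
    site = f" in site {parts['site']}" if parts["site"] else ""
    return f"{parts['service']} over {parts['proto']}: {ROLE_MEANING[parts['role']]}{site} for {parts['domain']}"

def dc_locator_lookups(qnames):
    """Keep only AD locator lookups from a list of query names, with their meaning."""
    found = [(q, classify_ad_srv(q)) for q in qnames]
    return [(q, describe(p)) for q, p in found if p]
```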


Example SRV Response for AD

Answers
   _ldap._tcp.dc._msdcs.example.com: type SRV, class IN
       Priority: 0
       Weight: 100
       Port: 389
       Target: dc1.example.com
       dns.srv.service = _ldap
       dns.srv.proto   = _tcp
       dns.srv.port    = 389
       dns.resp.name   = dc1.example.com

   _ldap._tcp.dc._msdcs.example.com: type SRV, class IN
       Priority: 0
       Weight: 100
       Port: 389
       Target: dc2.example.com
       dns.srv.service = _ldap
       dns.srv.proto   = _tcp
       dns.srv.port    = 389
       dns.resp.name   = dc2.example.com

Additional Records
   dc1.example.com: type A, addr 192.0.2.10
       dns.a = 192.0.2.10
   dc2.example.com: type A, addr 192.0.2.11
       dns.a = 192.0.2.11


Field Mapping (LDAP in AD SRV)

Field            Example Value                       Meaning
Opcode           0                                   Standard query
Rcode            0 (NoError)                         Query succeeded
dns.qry.type     SRV (33)                            Query type
dns.qry.name     _ldap._tcp.dc._msdcs.example.com    “Find LDAP DCs”
dns.srv.service  _ldap                               LDAP service
dns.srv.proto    _tcp                                TCP protocol
dns.srv.port     389                                 LDAP service port
dns.resp.name    dc1.example.com, dc2.example.com    DC hostnames
dns.a            192.0.2.10, 192.0.2.11              DC IP addresses



In short:

When dns.srv.service = ldap in an AD environment, it usually means the client is looking for domain controllers or global catalog servers. The SRV records tell the client which DCs exist, which port to use (389 or 636), and their hostnames/IPs.


Note the distinction between these three SRV names, each of which locates a different AD service:

_ldap._tcp.dc._msdcs.domain.com

_kerberos._tcp.domain.com

_gc._tcp.domain.com

www.traceinside.com