Understanding DNS and WebSocket: From Dig Commands to Real‑Time Connections

1. DNS

1.1 Linux dig command

Running dig www.baidu.com displays the query name, class ( IN for Internet) and type ( A for IPv4). The trailing dot in the fully‑qualified name represents the root zone and is usually omitted. dig www.baidu.com The domain hierarchy is root → top‑level domain (e.g., .com) → second‑level domain (e.g., baidu) → third‑level host (e.g., www). DNS queries follow this tiered structure.

Use dig +trace www.baidu.com to reproduce the complete hierarchical lookup from root servers to the authoritative server.

1.2 Analyzing DNS packets with Wireshark

Because DNS uses UDP, set the capture filter to udp. In the packet list, arrows pointing right indicate requests, arrows left indicate responses. Example captures show an internal DNS server at 172.22.3.102; public resolvers such as Google DNS can be examined similarly.

1.3 Drawbacks of traditional DNS

Load‑balancing is possible only if the domain owner operates its own DNS infrastructure.

Recursive resolution can be slow on weak networks; UDP’s unreliability may cause outright failures.

Cache control is out of the client’s hands—ISPs can return stale or malicious IPs, leading to hijacked traffic.

Operator‑level NAT, cache poisoning, and cross‑operator routing can further degrade reliability.

1.4 HTTPDNS

HTTPDNS mitigates the above issues by having the client send an HTTP request containing network and location metadata; the server returns the optimal IP, which the client maps to the hostname.

Approach 1 – OkHttp interceptor : replace the hostname with the resolved IP and add a Host header. Drawbacks include HTTPS certificate validation and cookie handling.

Approach 2 – Custom DNS implementation

public class HttpDNS implements DNS {
    private static final DNS SYSTEM = DNS.SYSTEM;
    @Override
    public List<InetAddress> lookup(String hostname) throws UnknownHostException {
        String ip = DNSHelper.getIpByHost(hostname);
        if (ip != null && !ip.isEmpty()) {
            return Arrays.asList(InetAddress.getAllByName(ip));
        }
        return SYSTEM.lookup(hostname);
    }
}
OkHttpClient client = new OkHttpClient.Builder()
        .dns(new HttpDNS())
        .build();

The custom DNS caches results; a faulty response persists until the cache expires. Additional tricks include DNS pre‑fetch via

<meta http-equiv="x-DNS-prefetch-control" content="on">

and <link rel="dns-prefetch" href="//example.com">, or warming the OS DNS cache at app startup by proactively resolving frequently used hosts.

1.5 DNS over TCP (zone transfer)

Secondary DNS servers retrieve full zone files from primary servers using TCP (AXFR) because UDP’s 512‑byte limit cannot accommodate large zone data.

2. WebSocket

2.1 Why WebSocket instead of HTTP polling

Polling repeats full HTTP requests, incurring header overhead, stateless re‑authentication on each request, and difficulty balancing latency versus bandwidth. WebSocket establishes a persistent TCP connection, eliminating per‑request headers and enabling low‑latency bidirectional messaging.

2.2 Capturing WebSocket frames with Wireshark

Set the capture filter to the port used (commonly 80 or 443). The demo site http://demos.kaazing.com illustrates the handshake and frame exchange. WebSocket frames are identified by the opcode field: 1 = text, 2 = binary, 8 = close.

2.3 Connection establishment

The client sends an HTTP/1.1 Upgrade: websocket request with mandatory headers:

Connection: Upgrade

Sec-WebSocket-Key

(random base64 value) Sec-WebSocket-Version The server replies with 101 Switching Protocols and a Sec-WebSocket-Accept header calculated as base64( SHA‑1( client‑key + "258EAFA5‑E914‑47DA‑95CA‑C5AB0DC85B11" ) ).

2.4 Connection termination

Either side sends a close frame (opcode 8); the peer acknowledges with its own close frame, after which the underlying TCP connection follows the normal four‑way FIN handshake.

2.5 Masking and proxy cache pollution

All client‑to‑server frames must be masked with a random 32‑bit key; the payload is XOR‑ed with the key before transmission. This prevents intermediate proxies from unintentionally caching or altering frames. The server reverses the operation using the same key.

Example: payload “vivo” (hex 76 69 76 6F) masked with key 23 68 C0 A3 yields transmitted bytes 55 01 B6 CC.

2.6 Opcode reference

0x1 – Text frame

0x2 – Binary frame

0x8 – Close frame

0x9 – Ping (heartbeat)

0xA – Pong (heartbeat response)