DNS response answer & authoritative section

I have been looking at DNS response packets in Wireshark, and am not able to understand hex coding for the answer and authoritative sections.

Considering DNS query for: mail.abcd.com

The answer section contains name field, and the hex coding for this varies among:

 0xc00c
 0xc012

Both of them lead to the entire name being populated in the field.

The authoritative section also contains the name field, but the hex coding for this is usually:

 0xc010

This leads to abcd.com being populated in the field.

Can anyone tell what is the convention followed to populate these fields, as it's pretty confusing.

Thanks

Haemophilia answered 25/3, 2012 at 23:46 Comment(1)
Hopefully useful: zoneedit.com/doc/rfcDiatribe
E
9

DNS labels use a format of <length><data ...>.

A label may be a maximum of 63 bytes long, hence the <length> field has two bits left over. These are used to encode a label type.

If the top two bits are 0b11 then the remaining six bits are instead combined with the following byte to form a compression pointer, which is an offset within the DNS payload to a prior instance of another label.

Since the DNS protocol header is 12 bytes long, the shortest legal offset is 12 bytes, giving the value you saw above of 0xc00c.

[technically, one might construct a compression pointer that points into the header, but it's not strictly conformant with the protocol].

I would strongly recommend against trying to reverse engineer the specification from wire packets - you will inevitably miss stuff. Just read RFC 1035 instead - all of the core stuff is in there.

Eppie answered 26/3, 2012 at 9:24 Comment(2)
But what if an implementation does not comply with the standard? Is that possible? - Thomasthomasa
It's possible, but the receiver should treat it as a malformed response - Eppie
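
Added example, not part of the answer above: a name decoder that follows the `<length><data>` and 0b11 pointer rules described there and raises on pointers into the header, pointers that do not go to an earlier name, and truncated labels, which is how a receiver ends up treating a non-conformant message as malformed. `read_name`, `MalformedName` and the sample message are constructed for illustration; in this message `abcd.com` starts at offset 17, so its pointer is 0xc011 (the value depends on the length of the labels in front of it).

```python
import struct
HEADER_LEN = 12      # fixed DNS header size
MAX_NAME_LEN = 255   # RFC 1035 limit on an encoded name

class MalformedName(ValueError):
    """The name field cannot be decoded safely."""

def read_name(msg: bytes, offset: int):
    """Decode the name at `offset`; return (name, offset just past the field)."""
    labels, end, total = [], None, 0
    limit = offset   # a pointer must target a byte before the current segment
    while True:
        if offset >= len(msg):
            raise MalformedName("name runs past end of message")
        length = msg[offset]
        kind = length & 0xC0                 # top two bits: label type
        if kind == 0xC0:                     # compression pointer, 14-bit offset
            if offset + 1 >= len(msg):
                raise MalformedName("truncated pointer")
            target = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if target < HEADER_LEN:
                raise MalformedName("pointer into the header")
            if target >= limit:
                raise MalformedName("pointer not to a prior name (possible loop)")
            if end is None:
                end = offset + 2             # field ends after the first pointer
            limit = offset = target
        elif kind != 0x00:
            raise MalformedName("reserved label type")
        elif length == 0:                    # root label terminates the name
            return ".".join(labels), (offset + 1 if end is None else end)
        else:
            total += length + 1
            if total + 1 > MAX_NAME_LEN or offset + 1 + length > len(msg):
                raise MalformedName("label too long or truncated")
            labels.append(msg[offset + 1:offset + 1 + length].decode("latin-1"))
            offset += length + 1

# Constructed sample response for mail.abcd.com (not captured traffic).
HEADER = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 1, 0)
QUESTION = b"\x04mail\x04abcd\x03com\x00" + struct.pack("!2H", 1, 1)
ANSWER = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
AUTHORITY = b"\xc0\x11" + struct.pack("!2HIH", 2, 1, 300, 6) + b"\x03ns1\xc0\x11"
SAMPLE = HEADER + QUESTION + ANSWER + AUTHORITY
ANSWER_OFF = HEADER_LEN + len(QUESTION)      # answer name field (0xc00c)
AUTHORITY_OFF = ANSWER_OFF + len(ANSWER)     # authority name field (0xc011)
if __name__ == "__main__":
    for off in (HEADER_LEN, ANSWER_OFF, AUTHORITY_OFF, AUTHORITY_OFF + 12):
        print(off, read_name(SAMPLE, off))
```

The strict "target before the current segment" rule is a design choice of this example: it makes every jump go strictly backwards, so decoding always terminates.
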
V
5

Read up on name compression in the specification. 0xc, 0x12, and 0x10 are pointers to earlier copies of the names "mail.abcd.com" and "abcd.com" in the packet.

Vagina answered 26/3, 2012 at 0:58 Comment(0)
Z
0

Name Compression technique from DNS

DNS messages use an offset value to say how many bytes after the beginning of the message we can find the domain name already included in the message.

Where the “address of the beginning byte” is counted in bytes from the beginning of the entire message. Start counting with zero as the first byte.

So in our example 0xC00C is 1100 0000 0000 1100 which means 1100 offset which is 12 bytes from the beginning of the entire DNS message.

Zita answered 25/12, 2018 at 7:16 Comment(0)
