DNS response answer & authoritative section

I have been looking at DNS response packets in Wireshark, and am not able to understand hex coding for the answer and authoritative sections.

Considering DNS query for: mail.abcd.com

The answer section contains name field, and the hex coding for this varies among:

 0xc00c
 0xc012

Both of them lead to the entire name being populated in the field.

The authoritative section also contains the name field, but the hex coding for this is usually:

 0xc010

This leads to abcd.com being populated in the field.

Can anyone tell what is the convention followed to populate these fields, as it's pretty confusing.

Thanks

Jake asked Mar 25 '12 23:03



2 Answers

DNS labels use a format of <length><data ...>.

A label may be a maximum of 63 bytes long, hence the <length> field has two bits left over. These are used to encode a label type.

If the top two bits are 0b11 then the remaining six bits are instead combined with the following byte to form a compression pointer, which is an offset within the DNS payload to a prior instance of another label.

Since the DNS protocol header is 12 bytes long, the shortest legal offset is 12 bytes, giving the value you saw above of 0xc00c.

[technically, one might construct a compression pointer that points into the header, but it's not strictly conformant with the protocol].

I would strongly recommend against trying to reverse engineer the specification from wire packets - you will inevitably miss stuff. Just read RFC 1035 instead - all of the core stuff is in there.

Alnitak answered Sep 30 '22 15:09

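The label and pointer rules described in this answer, and the pointer offsets the next answer refers to, worked through as an added example that is not part of either answer (Python, standard library only). The packet is constructed here: a 12-byte header, the question mail.abcd.com at offset 12, an A answer whose name field is the two-byte pointer 0xc00c, and an NS authority record whose name field points at the abcd.com suffix; in this layout that suffix sits at offset 17, so the pointer is 0xc011, and the exact offset in a real capture depends on what precedes it. The decoder refuses pointers that do not point to a prior label and bounds the number of jumps, which is what a parser needs so that a malformed packet cannot loop it.

```python
"""Decoding and building DNS names with RFC 1035 label compression.

Added example, not code from the answers above; stdlib only. All offsets
mentioned in comments are those of the constructed packet from build_response().
"""
import struct

MAX_LABEL = 63        # the low 6 bits of a length byte hold the label length
MAX_NAME = 255        # maximum wire length of an uncompressed name
POINTER_BITS = 0xC0   # top two bits 0b11 mark a two-byte compression pointer
MAX_JUMPS = 32        # defensive bound; honest packets need far fewer


def decode_name(packet: bytes, offset: int):
    """Return (dotted_name, offset just past the name in the original stream).

    A pointer must reference an earlier offset, so a crafted packet cannot
    make the parser cycle; the jump counter is a second, independent guard.
    """
    labels, end, jumped, jumps, total = [], offset, False, 0, 0
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past end of packet")
        length = packet[offset]
        if length & POINTER_BITS == POINTER_BITS:
            if offset + 1 >= len(packet):
                raise ValueError("truncated compression pointer")
            target = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            if target >= offset:
                raise ValueError("pointer does not reference a prior label")
            jumps += 1
            if jumps > MAX_JUMPS:
                raise ValueError("too many compression pointers")
            if not jumped:                 # the name ends after the first pointer
                end, jumped = offset + 2, True
            offset = target
            continue
        if length & POINTER_BITS:
            raise ValueError("label types 0b01/0b10 are not supported here")
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        label = packet[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        total += 1 + length
        if total > MAX_NAME:
            raise ValueError("name exceeds 255 octets")
        labels.append(label.decode("ascii"))
        offset += 1 + length


def encode_name(name: str, packet: bytearray, seen: dict) -> None:
    """Append `name` to `packet`; a suffix already emitted (recorded in `seen`
    as suffix -> offset) is replaced by a pointer to its earlier copy."""
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in seen:
            packet += struct.pack("!H", 0xC000 | seen[suffix])
            return
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError("label must be 1..63 octets")
        if len(packet) <= 0x3FFF:          # only 14 bits are available for an offset
            seen[suffix] = len(packet)
        packet.append(len(raw))
        packet += raw
    packet.append(0)


def build_response() -> bytes:
    """Constructed sample response: 1 question, 1 A answer, 1 NS authority record."""
    pkt = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 0))
    seen = {}
    encode_name("mail.abcd.com", pkt, seen)          # full name at offset 12, abcd.com at 17
    pkt += struct.pack("!HH", 1, 1)                   # QTYPE=A, QCLASS=IN
    encode_name("mail.abcd.com", pkt, seen)          # answer name field becomes c0 0c
    pkt += struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])  # TEST-NET-1 address
    encode_name("abcd.com", pkt, seen)               # authority name field becomes c0 11
    pkt += struct.pack("!HHIH", 2, 1, 300, 0)         # NS record, RDLENGTH patched below
    rdstart = len(pkt)
    encode_name("ns1.abcd.com", pkt, seen)           # "ns1" label followed by pointer c0 11
    struct.pack_into("!H", pkt, rdstart - 2, len(pkt) - rdstart)
    return bytes(pkt)


def walk_response(packet: bytes) -> dict:
    """Return {section: (decoded name, hex of the bytes occupying the name field)}."""
    found = {}
    name, nxt = decode_name(packet, 12)
    found["question"] = (name, packet[12:nxt].hex())
    off = nxt + 4                                     # skip QTYPE, QCLASS
    for section in ("answer", "authority"):
        name, nxt = decode_name(packet, off)
        found[section] = (name, packet[off:nxt].hex())
        rdlength = struct.unpack_from("!H", packet, nxt + 8)[0]
        off = nxt + 10 + rdlength                     # TYPE, CLASS, TTL, RDLENGTH, RDATA
    return found


def rejects_self_pointer() -> bool:
    """Constructed malformed name: a pointer at offset 12 that targets offset 12."""
    crafted = bytes(12) + b"\xc0\x0c"
    try:
        decode_name(crafted, 12)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for section, (name, wire) in walk_response(build_response()).items():
        print(f"{section:10s} {wire:32s} -> {name}")
```

Running it prints the question name as the full length-prefixed encoding, the answer name field as just c00c and the authority name field as just c011, which is the difference the question observed: the answer repeats the whole name by pointing at offset 12, while the authority record points at the "abcd" label inside that earlier name, so only the abcd.com suffix is reused. The NS target in the authority RDATA shows the mixed form, one literal label followed by a pointer.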


Read up on name compression in the specification. 0xc, 0x12, and 0x10 are pointers to earlier copies of the names "mail.abcd.com" and "abcd.com" in the packet.

Celada answered Sep 30 '22 16:09