NodeMCU UDP DNS request format

I am looking at this example of a captive portal built on a NodeMCU platform, and I am trying to understand how DNS requests work. (The relevant file is dns-liar.lua) I have more or less decoded what the response is, but have no idea what each part of it does, and I can't find any online resources that show a similar packet structure.

IP of NodeMCU:

a.b.c.d

Request:

|A|B| ... |(13th byte) \0 terminated string (str)| ...

Response: (bytes separated by "|")

|A|B|x80|x00|x00|x01|x00|x01|x00|x00|x00|x00|str|x00|x01|x00|x01|xC0|x0C|x00|x01|x00|x01|x00|x00|x03|x00|x00|x04|a|b|c|d|

I gather that the str is likely the domain to search for, and abcd is simply the NodeMCU responding to every request with its own IP address, but I'm not sure what any of the other bytes are doing.

Aaron asked Oct 30 '22 08:10



1 Answer

Whew! It's always tricky when folks decide to preformat nearly a whole packet ahead of time, especially when it spans several subsections of the RFC.

Anyhow, I went ahead and forked CaptiveIntraweb and commented up the DNS code. I've also submitted a PR with my changes so it hopefully gets pulled upstream in a future release. You can read the whole thing there (it goes over every DNS field in detail), but here are the highlights of what the author is doing:

  1. The first two bytes are a copy of the ID field parsed from the request
  2. The next 10 bytes are a premade header including the type of packet and so on (..._str1).
  3. The next X bytes are a copy of the NAME requested from the request
  4. The next 4 bytes are the rest of the question data (type/class) and the next 14 bytes are the compressed NAME, and the type/class/ttl/length of the response (..._str2).
  5. Finally, the last four bytes are the IP of the node.
BJ Black answered Nov 24 '22 23:11

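To make the five steps concrete, here is an added Python example (not code from CaptiveIntraweb or dns-liar.lua) that builds the reply exactly as laid out in the answer for a constructed query, then decodes it again, resolving the 0xC0 0x0C pointer back to the NAME at offset 12. The hostname example.com and the node IP 192.168.4.1 are assumed sample values.

```python
import struct

def encode_name(hostname: str) -> bytes:
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in hostname.split("."))
    return labels + b"\x00"

def build_query(txid: int, hostname: str) -> bytes:
    """Minimal standard A/IN query, as a client on the captive network would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    return header + encode_name(hostname) + struct.pack("!HH", 1, 1)

def liar_response(query: bytes, ip: str) -> bytes:
    """Answer any query with our own IP, following the five-part layout above."""
    txid = query[:2]                                      # 1. copy the request ID
    header = bytes.fromhex("80000001000100000000")        # 2. QR=1, QDCOUNT=1, ANCOUNT=1
    end = query.index(b"\x00", 12) + 1                    # 3. NAME starts at byte 13 (offset 12)
    name = query[12:end]
    question = b"\x00\x01\x00\x01"                        # 4. QTYPE=A, QCLASS=IN, then
    answer = bytes.fromhex("c00c00010001000003000004")    #    ptr->12, A, IN, TTL 0x300, RDLENGTH 4
    rdata = bytes(int(o) for o in ip.split("."))          # 5. the node's own IP
    return txid + header + name + question + answer + rdata

def read_name(pkt: bytes, off: int):
    """Read labels at off; a byte with the top two bits set is a pointer (RFC 1035 4.1.4)."""
    labels = []
    while True:
        n = pkt[off]
        if (n & 0xC0) == 0xC0:
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(pkt, ptr)
            return ".".join(labels + [tail]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode())
        off += n

def decode_response(pkt: bytes) -> dict:
    """Parse header, question and the single answer record of a liar reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    aname, off = read_name(pkt, off + 4)
    atype, _aclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
    rdata = pkt[off + 10:off + 10 + rdlen]
    return {"id": txid, "is_response": bool(flags & 0x8000), "qdcount": qd, "ancount": an,
            "qname": qname, "qtype": qtype, "aname": aname, "atype": atype,
            "ttl": ttl, "ip": ".".join(str(b) for b in rdata)}
```

Decoding the reply shows why a captive portal gets away with this: every field is a plausible A record, with the TTL of 0x300 (768 seconds) being the only value not copied from or fixed by the request.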